Edit tour

Windows Analysis Report
0DrqlQ4JfZ.exe

Overview

General Information

Sample name:	0DrqlQ4JfZ.exe renamed because original name is a hash value
Original sample name:	de3f0f8cbac7723e54298baec915e2ba.exe
Analysis ID:	1583300
MD5:	de3f0f8cbac7723e54298baec915e2ba
SHA1:	0bc6ae31882e2856b2ea52c56985409a58920b36
SHA256:	6e797fb47dd3d5bb42fb578ea9dcd64a11af9e82902bffd1aa5ea3226498f1f0
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Sample is not signed and drops a device driver

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0DrqlQ4JfZ.exe (PID: 2564 cmdline: "C:\Users\user\Desktop\0DrqlQ4JfZ.exe" MD5: DE3F0F8CBAC7723E54298BAEC915E2BA)

LogonUI.exe (PID: 5824 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f52855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 3744 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f5c855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 5596 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 2720 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f64055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 6240 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 7076 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f6b855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 5088 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 2496 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f7b055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 6328 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 5816 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f02855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 3548 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 0DrqlQ4JfZ.exe PID: 2564	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 23.226.57.67, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Users\user\Desktop\0DrqlQ4JfZ.exe, Initiated: true, ProcessId: 2564, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T12:07:04.869764+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	23.226.57.67	4433	TCP
2025-01-02T12:08:08.084808+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	23.226.57.67	4433	TCP
2025-01-02T12:09:12.069235+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	23.226.57.67	4433	TCP
2025-01-02T12:10:18.743756+0100	2052875	1	A Network Trojan was detected	192.168.2.4	50006	23.226.57.67	10443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0DrqlQ4JfZ.exe	Virustotal: Detection: 65%			Perma Link
Source: 0DrqlQ4JfZ.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 0DrqlQ4JfZ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACF410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF600ACF410
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF4190 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF600AF4190

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC6370 gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00007FF600AC6370

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 23.226.57.67:4433
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50006 -> 23.226.57.67:10443

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 23.226.57.67:4433

Source: Joe Sandbox View

ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.226.57.67

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC3B00 select,recv,timeGetTime,

0_2_00007FF600AC3B00

Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: tse1.mm.bing.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: [esc]

0_2_00007FF600ACADB0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ACADB0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GlobalUnlock,CloseClipboard,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

0_2_00007FF600ACADB0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AD0DA0 _invalid_parameter_noinfo_noreturn,lstrlenW,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF600AD0DA0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600ACADB0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ACFD10 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,_invalid_parameter_noinfo_noreturn,

0_2_00007FF600ACFD10

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC72D0 MultiByteToWideChar,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CreateMutexExW,GetLastError,Sleep,CreateMutexW,GetLastError,lstrlenW,lstrcmpW,SleepEx,GetModuleHandleW,GetConsoleWindow,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_00007FF600AC72D0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ADC2D0: CreateFileA,DeviceIoControl,

0_2_00007FF600ADC2D0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACE3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF600ACE3E9
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACE4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF600ACE4EE
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACE46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF600ACE46D

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_0000000180001000	0_3_0000000180001000
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC72D0	0_2_00007FF600AC72D0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC7A60	0_2_00007FF600AC7A60
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACB410	0_2_00007FF600ACB410
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACF410	0_2_00007FF600ACF410
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC6370	0_2_00007FF600AC6370
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACFD10	0_2_00007FF600ACFD10
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC1500	0_2_00007FF600AC1500
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADB5E0	0_2_00007FF600ADB5E0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACCD40	0_2_00007FF600ACCD40
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADAE60	0_2_00007FF600ADAE60
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE8EB0	0_2_00007FF600AE8EB0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADA680	0_2_00007FF600ADA680
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC80C0	0_2_00007FF600AC80C0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF2048	0_2_00007FF600AF2048
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF29E4	0_2_00007FF600AF29E4
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE71DC	0_2_00007FF600AE71DC
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AD79D0	0_2_00007FF600AD79D0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE5A1C	0_2_00007FF600AE5A1C
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF3A00	0_2_00007FF600AF3A00
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE51FC	0_2_00007FF600AE51FC
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEF950	0_2_00007FF600AEF950
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF4190	0_2_00007FF600AF4190
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF22C4	0_2_00007FF600AF22C4
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AD9330	0_2_00007FF600AD9330
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF73EC	0_2_00007FF600AF73EC
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACD410	0_2_00007FF600ACD410
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE5408	0_2_00007FF600AE5408
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE64C8	0_2_00007FF600AE64C8
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEF4BC	0_2_00007FF600AEF4BC
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC9480	0_2_00007FF600AC9480
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEB5F0	0_2_00007FF600AEB5F0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE75E0	0_2_00007FF600AE75E0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AED5C0	0_2_00007FF600AED5C0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE560C	0_2_00007FF600AE560C
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACADB0	0_2_00007FF600ACADB0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEAF20	0_2_00007FF600AEAF20
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC2E50	0_2_00007FF600AC2E50
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF5FD4	0_2_00007FF600AF5FD4
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEFFD0	0_2_00007FF600AEFFD0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEC7BC	0_2_00007FF600AEC7BC
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF8824	0_2_00007FF600AF8824
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE5818	0_2_00007FF600AE5818
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE4FF8	0_2_00007FF600AE4FF8
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AD2FA0	0_2_00007FF600AD2FA0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AEA798	0_2_00007FF600AEA798
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC9900	0_2_00007FF600AC9900
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE684C	0_2_00007FF600AE684C
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AD0880	0_2_00007FF600AD0880

Source: unknown

Driver loaded: C:\Windows\System32\cdd.dll

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/1@2/1

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACE3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF600ACE3E9
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF600ADB5E0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACE4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF600ACE4EE
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACE46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF600ACE46D
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AC9480 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,	0_2_00007FF600AC9480

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC6370

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC7A60 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CoCreateInstance,wsprintfW,RegOpenKeyExW,RegQueryValueExW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,CloseHandle,lstrcatW,lstrcatW,

0_2_00007FF600AC7A60

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC7A60

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Mutant created: \Sessions\1\BaseNamedObjects\????

Source: 0DrqlQ4JfZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0DrqlQ4JfZ.exe	Virustotal: Detection: 65%
Source: 0DrqlQ4JfZ.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\0DrqlQ4JfZ.exe "C:\Users\user\Desktop\0DrqlQ4JfZ.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f52855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f5c855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f64055 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f6b855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f7b055 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f02855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.logon.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.xamlhost.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: 0DrqlQ4JfZ.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0DrqlQ4JfZ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 0DrqlQ4JfZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC6370

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_0000000180007C73 push 6FFDC5D5h; iretd	0_3_0000000180007C79
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_000000018000508E push 6FFDC5D5h; iretd	0_3_0000000180005094
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_0000000180007F23 push 6FFDC5CAh; ret	0_3_0000000180007F29
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_000000018000553E push 6FFDC5CAh; ret	0_3_0000000180005544
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_0000000180007F6F push 6FFDC5C3h; iretd	0_3_0000000180007F75
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_000000018000558A push 6FFDC5C3h; iretd	0_3_0000000180005590
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_00000001800079C5 push 60F5C5F1h; iretd	0_3_00000001800079CD
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_3_0000000180004BE0 push 60F5C5F1h; iretd	0_3_0000000180004BE8

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ACE36A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_00007FF600ACE36A

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE VenkernalData_info

Jump to behavior

Source: C:\Windows\System32\LogonUI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-21647

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-22022

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC6370

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Window / User API: threadDelayed 3269			Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Window / User API: threadDelayed 5394			Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-21580

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 2080	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 2080	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 4296	Thread sleep count: 3269 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 4296	Thread sleep time: -32690s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 4048	Thread sleep count: 339 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 2080	Thread sleep count: 5394 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe TID: 2080	Thread sleep time: -5394000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ACF410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF600ACF410
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AF4190 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF600AF4190

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC6370

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC9300 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00007FF600AC9300

Source: 0DrqlQ4JfZ.exe, 00000000.00000002.3973837012.000002141BA5C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\cdd.dll

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ADB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,

0_2_00007FF600ADB5E0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ADC82C GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF600ADC82C

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC6370

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600AC6370

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ADAD40 VirtualFree,GetProcessHeap,HeapFree,

0_2_00007FF600ADAD40

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADBDF0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF600ADBDF0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF600ADB5E0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADEA00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF600ADEA00
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600AE3D0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF600AE3D0C
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADE66C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF600ADE66C
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: 0_2_00007FF600ADE814 SetUnhandledExceptionFilter,	0_2_00007FF600ADE814

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600ACCD40 GetSystemDirectoryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,

0_2_00007FF600ACCD40

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC9480 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_00007FF600AC9480

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_00007FF600AC9480

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

0_2_00007FF600ADB5E0

Source: 0DrqlQ4JfZ.exe, 00000000.00000002.3973837012.000002141BA92000.00000004.00000020.00020000.00000000.sdmp, 0DrqlQ4JfZ.exe, 00000000.00000002.3973837012.000002141BA5C000.00000004.00000020.00020000.00000000.sdmp, 0DrqlQ4JfZ.exe, 00000000.00000002.3973837012.000002141BAFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: 0DrqlQ4JfZ.exe, 00000000.00000003.3627831841.000002141BB2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_3_00000001800015A0 cpuid

0_3_00000001800015A0

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,	0_2_00007FF600AC6370
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF600AF81E0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF600AF797C
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: EnumSystemLocalesW,	0_2_00007FF600AF0AD8
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: GetLocaleInfoW,	0_2_00007FF600AF8290
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF600AF83C4
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: EnumSystemLocalesW,	0_2_00007FF600AF7CD8
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: EnumSystemLocalesW,	0_2_00007FF600AF7DA8
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF600AF7E40
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: GetLocaleInfoW,	0_2_00007FF600AF0FB0
Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe	Code function: GetLocaleInfoW,	0_2_00007FF600AF8088

Source: C:\Windows\System32\LogonUI.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_3_000000018004CBA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_3_000000018004CBA8

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AF2048 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF600AF2048

Source: C:\Users\user\Desktop\0DrqlQ4JfZ.exe

Code function: 0_2_00007FF600AC8A40 GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,SysStringLen,SysStringLen,CloseHandle,CloseHandle,SysFreeString,SysFreeString,GetCurrentProcessId,wsprintfW,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,

0_2_00007FF600AC8A40

Source: 0DrqlQ4JfZ.exe, 00000000.00000000.1684425201.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmp, 0DrqlQ4JfZ.exe, 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: KSafeTray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: 0DrqlQ4JfZ.exe PID: 2564, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: 0DrqlQ4JfZ.exe PID: 2564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 LSASS Driver	1 LSASS Driver	1 Obfuscated Files or Information	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Access Token Manipulation	1 Modify Registry	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 Virtualization/Sandbox Evasion	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Access Token Manipulation	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	212 Process Injection	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Indicator Removal	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0DrqlQ4JfZ.exe	65%	Virustotal		Browse
0DrqlQ4JfZ.exe	53%	ReversingLabs	Win64.Trojan.SpywareX

Name	IP	Active	Malicious	Reputation
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
tse1.mm.bing.net	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.226.57.67	unknown	United States		136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583300
Start date and time:	2025-01-02 12:06:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	5
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	0DrqlQ4JfZ.exe renamed because original name is a hash value
Original Sample Name:	de3f0f8cbac7723e54298baec915e2ba.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 55 Number of non-executed functions: 113
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): MpCmdRun.exe, smss.exe, dwm.exe, WMIADAP.exe, SIHClient.exe, csrss.exe, winlogon.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 184.28.90.96, 204.79.197.203, 104.102.63.47, 2.23.209.181, 2.23.209.150, 2.23.209.160, 2.23.209.177, 2.23.209.149, 2.23.209.185, 2.23.209.182, 2.23.209.176, 2.23.209.179, 40.126.32.76, 40.126.32.140, 40.126.32.133, 40.126.32.138, 40.126.32.134, 20.190.160.17, 20.190.160.20, 40.126.32.68, 2.23.209.130, 2.23.209.133, 2.23.209.187, 2.23.209.189, 2.23.209.140, 2.23.209.148, 51.132.193.105, 20.223.35.26, 2.23.209.158, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, arc.trafficmanager.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, www.bing.com, self-events-data.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, e15275.d.akamaiedge.net, r.bing.com.edgekey.net, www.tm.v4.a.prd.aadg.akadns.net, self.events.data.microsoft.com, a-0003.a-msedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, onedscolprduks05.uksouth.cloudapp.azure.com, mm-mm.bing.net.trafficmanager.net, e1553.dspg.akamaiedge.net, iris-de
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:07:31	API Interceptor	5568475x Sleep call for process: 0DrqlQ4JfZ.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	https://tr171139818.amoliani.com/c/mm14r39/e-v_xxa-/imz77nt3nps	Get hash	malicious	Unknown	Browse	150.171.28.10
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	150.171.28.10
	FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg	Get hash	malicious	Unknown	Browse	150.171.27.10
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse	150.171.27.10
	installer64v3.2.0.msi	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	150.171.28.10
	skript.bat	Get hash	malicious	Vidar	Browse	150.171.28.10
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	150.171.28.10
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse	150.171.28.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XIAOZHIYUN1-AS-APICIDCNETWORKUS	RXxeYma4d5.exe	Get hash	malicious	GhostRat	Browse	23.235.165.54
	vcimanagement.armv7l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.253.103.137
	vcimanagement.mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.254.252.201
	vcimanagement.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.234.199.209
	vcimanagement.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.255.154.138
	vcimanagement.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.241.23.75
	Wk6IMAhBNF.exe	Get hash	malicious	GhostRat	Browse	103.199.100.130
	aQ7bSXduYp.exe	Get hash	malicious	GhostRat, Nitol	Browse	156.225.22.155
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	103.199.102.178
	nsharm.elf	Get hash	malicious	Mirai	Browse	156.234.199.255

Process:	C:\Users\user\Desktop\0DrqlQ4JfZ.exe
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.060220895795208
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0DrqlQ4JfZ.exe
File size:	390'656 bytes
MD5:	de3f0f8cbac7723e54298baec915e2ba
SHA1:	0bc6ae31882e2856b2ea52c56985409a58920b36
SHA256:	6e797fb47dd3d5bb42fb578ea9dcd64a11af9e82902bffd1aa5ea3226498f1f0
SHA512:	3cce067c130d28a1d90f63f03372b6e0fcc8db9a15f2bd7a2cdd3024af200b29969e5a6e01665ade5b451847eeab029bdf1dc9fca1e5078f8553c8ff62093c82
SSDEEP:	6144:Wvy/g/Oe2CZNHfXmv9m7tvT7DYewsPJimwi9vrBP2kjLjNy:v/KlpTXmv9mpvv0iPJPtr9bNy
TLSH:	FB847E49FB9409F8E467C138C9A34916EBB27C5913A09BDF33A4466A2F237D05D3EB11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..R............M.......M.......M.......M........O.......O.......O..S...M.......M...........3...MN......MN......Rich...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001e25c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6763E623 [Thu Dec 19 09:23:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1db3bac59c066f9b53b8b3b6b99b874b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4D4CC732E0h
dec eax
add esp, 28h
jmp 00007F4D4CC72B37h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F4D4CC72CD2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F4D4CC72CD5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F4D4CC72CCDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F4D4CC72CDAh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00036D39h]
jne 00007F4D4CC72CD2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F4D4CC72CC3h
ret
dec eax
ror ecx, 10h
jmp 00007F4D4CC733DBh
int3
int3
dec eax
mov dword ptr [esp+00h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52400	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x60000	0x3450	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc8c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4c7c0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4c680	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x920	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3df70	0x3e000	2b6c6c8b93239d65e2449c4cc33eda20	False	0.5452683971774194	data	6.461526088950339	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x151e8	0x15200	ad010f8391ca2f1e0867e51f80b4b406	False	0.4156804733727811	data	4.936188857579959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0xaa9c	0x7c00	9fdc2e38fdd2e633e5add479069c6669	False	0.10657132056451613	DOS executable (block device driver \377\3)	1.5860246065129546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x60000	0x3450	0x3600	b6a68cd5b1e86136baf9e34e01cfad8b	False	0.4622395833333333	data	5.530289196450094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc8c	0xe00	a952b87812e4781581800f8699e0d5a4	False	0.49302455357142855	data	5.228153224182403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, HeapFree, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread
USER32.dll	GetForegroundWindow, GetLastInputInfo, GetClipboardData, GetWindowTextW, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, CloseClipboard, wsprintfW, ExitWindowsEx, ShowWindow, PostThreadMessageA, GetInputState, GetDC, GetSystemMetrics, EmptyClipboard, MsgWaitForMultipleObjects, DispatchMessageW, PeekMessageW, TranslateMessage, OpenClipboard
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC
ADVAPI32.dll	RegQueryInfoKeyW, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation
SHELL32.dll	SHGetFolderPathW
ole32.dll	CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll	SysFreeString, SysAllocString, SysStringLen
WS2_32.dll	select, WSAStartup, send, socket, connect, recv, htons, setsockopt, WSAIoctl, gethostbyname, WSAGetLastError, WSAEnumNetworkEvents, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSASetLastError, WSACloseEvent, shutdown, gethostname, inet_ntoa, WSACleanup, closesocket, WSACreateEvent
WINMM.dll	timeGetTime
gdiplus.dll	GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipGetImagePixelFormat, GdiplusShutdown, GdipDrawImageI, GdipFree, GdipSaveImageToStream, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipAlloc, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders, GdipGetImagePaletteSize, GdipCloneImage, GdipBitmapUnlockBits, GdipCreateBitmapFromStream
dxgi.dll	CreateDXGIFactory
DINPUT8.dll	DirectInput8Create

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T12:07:04.869764+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	23.226.57.67	4433	TCP
2025-01-02T12:08:08.084808+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	23.226.57.67	4433	TCP
2025-01-02T12:09:12.069235+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	23.226.57.67	4433	TCP
2025-01-02T12:10:18.743756+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	50006	23.226.57.67	10443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 12:07:03.368633032 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:03.373617887 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:03.373713017 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:04.124125004 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:04.129090071 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.129102945 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.129111052 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.129122019 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.440392017 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.490853071 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:04.864835978 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:04.869721889 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.869735956 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.869745016 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:04.869764090 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:04.874536991 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:19.631607056 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:19.636398077 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:19.934623003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:19.975195885 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:35.678464890 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:35.683270931 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:35.981189013 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.022090912 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.393193960 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.393209934 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.393219948 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.393285036 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.393724918 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.398546934 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.398555994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.398566008 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711783886 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711797953 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711818933 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711829901 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711841106 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711848021 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.711905956 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.711939096 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711951971 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711962938 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.711982012 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.712012053 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.712704897 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.712718010 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.712769032 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.712954998 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.712969065 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.712982893 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.713000059 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.713007927 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.713012934 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.713037014 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.756469011 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.922961950 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.922985077 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.922996044 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923058033 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.923082113 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923135042 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.923319101 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923331022 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923342943 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923374891 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923383951 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.923388004 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923402071 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.923422098 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.923441887 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.924149990 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.924160004 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.924170971 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.924197912 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.924243927 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.924254894 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.924266100 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.924288988 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.924309015 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.925081968 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.925093889 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.925103903 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.925132036 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.925141096 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.925152063 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.925162077 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.925192118 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.925213099 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.925997972 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.926009893 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.926021099 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:36.926048994 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:36.975331068 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134181976 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134196043 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134283066 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134318113 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134351969 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134363890 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134396076 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134438038 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134449959 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134462118 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134483099 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134506941 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134568930 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134579897 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134589911 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134618998 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134712934 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134754896 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134758949 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134771109 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134800911 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134896994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134908915 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134918928 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134931087 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.134943962 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.134970903 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.135481119 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135493040 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135502100 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135531902 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.135545969 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135557890 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135566950 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135580063 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135590076 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.135627985 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.135663986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.135704041 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.136384010 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136394978 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136409044 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136441946 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.136456013 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136466980 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136476040 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136488914 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136504889 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.136543036 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.136639118 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.136687040 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.137201071 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137226105 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137237072 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137269020 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.137382030 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137392998 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137403965 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137415886 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.137425900 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.137449980 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.178494930 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.344844103 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.344883919 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.344897985 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.344928026 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345000982 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345012903 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345022917 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345046997 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345071077 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345108986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345120907 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345175982 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345201969 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345213890 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345237017 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345243931 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345426083 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345436096 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345479965 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345480919 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345525026 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345541954 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345552921 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345587015 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345650911 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345662117 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345671892 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345684052 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.345698118 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345733881 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.345767975 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346054077 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346062899 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346096992 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346187115 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346198082 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346210003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346230984 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346259117 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346281052 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346291065 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346302032 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346314907 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346363068 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346363068 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346472025 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346482992 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346497059 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346508980 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346518993 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346524954 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346529007 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.346548080 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.346577883 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347079992 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347090960 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347100973 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347122908 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347158909 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347171068 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347181082 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347193003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347218037 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347373962 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347385883 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347397089 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347407103 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347420931 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347453117 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347778082 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347824097 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347834110 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347876072 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347887039 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347923040 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.347965002 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347980022 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.347991943 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348032951 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348057032 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348112106 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348123074 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348133087 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348159075 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348218918 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348229885 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348239899 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348268032 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348279953 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348699093 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348756075 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348766088 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348800898 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348855972 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348866940 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348876953 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.348898888 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.348915100 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.349013090 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349025011 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349034071 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349045038 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349060059 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349066019 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.349073887 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349082947 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.349112988 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.349240065 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349682093 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349699020 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349709988 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.349724054 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.349761963 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.555775881 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555849075 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555860043 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555869102 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555891037 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.555907011 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.555913925 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555938005 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555948973 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555964947 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.555974960 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.555999994 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556071997 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556082964 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556092978 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556121111 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556133986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556145906 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556170940 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556210995 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556250095 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556263924 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556276083 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556308031 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556344032 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556355953 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556365967 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556389093 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556493044 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556504011 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556514025 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556538105 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556555986 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556586981 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556597948 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556607962 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556627989 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556662083 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556708097 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556782961 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556826115 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556837082 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556847095 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556864023 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556889057 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556922913 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556934118 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556973934 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.556983948 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.556996107 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557034016 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557079077 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557090044 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557101011 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557112932 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557125092 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557126045 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557161093 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557266951 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557279110 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557316065 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557481050 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557492018 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557502985 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557528019 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557543993 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557554960 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557565928 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557575941 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557588100 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557602882 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557627916 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557740927 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557751894 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557760954 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557773113 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557801008 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557811975 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557892084 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557904005 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557923079 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557933092 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557935953 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557944059 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557955027 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557965994 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.557965994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557977915 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557990074 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.557997942 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558021069 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558052063 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558067083 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558089972 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558461905 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558474064 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558482885 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558504105 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558521986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558528900 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558533907 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558545113 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558557034 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558568954 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558595896 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558753014 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558764935 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558775902 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558794975 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558805943 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558805943 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558819056 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558826923 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558830976 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558842897 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558847904 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.558854103 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.558877945 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.560827971 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.560838938 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.560849905 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.560866117 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.560880899 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.560957909 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.560969114 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.560978889 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.560990095 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561001062 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561002016 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561028004 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561151981 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561161995 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561172009 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561182022 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561183929 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561194897 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561202049 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561208010 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561232090 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561294079 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561304092 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561316013 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561328888 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561336040 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561348915 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561383009 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561398029 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561408997 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561428070 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561444044 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561456919 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561469078 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561477900 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561489105 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561501980 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561525106 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561801910 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561813116 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561822891 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561834097 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561845064 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561847925 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561856031 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561870098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561870098 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561899900 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561928988 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561940908 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561952114 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.561969995 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.561981916 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.642678022 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642700911 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642709970 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642769098 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.642769098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642792940 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642805099 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642811060 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.642838955 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.642852068 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642900944 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642940044 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.642963886 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642972946 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.642980099 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643003941 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643028975 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643039942 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643069983 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643100023 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643110991 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643137932 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643165112 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643176079 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643187046 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643197060 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643205881 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643232107 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643309116 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643325090 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643336058 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643347025 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643356085 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643358946 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643371105 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643383026 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643387079 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643409014 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643430948 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643548012 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643558979 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643568993 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643579006 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643590927 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643598080 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643620968 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643631935 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643644094 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643654108 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643663883 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643676996 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643677950 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643687963 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.643702984 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.643738031 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.766844988 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.766891003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.766922951 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.766937971 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.766977072 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.766988993 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.766999960 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767013073 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767038107 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767054081 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767066002 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767095089 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767117977 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767143011 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767177105 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767201900 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767256975 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767292023 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767355919 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767436028 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767476082 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767482996 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767515898 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767525911 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767545938 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767632961 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767672062 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767682076 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767731905 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767765999 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767800093 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767833948 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767873049 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.767935991 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.767990112 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768002033 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768013954 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768028975 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768055916 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768074989 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768085003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768129110 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768160105 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768170118 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768181086 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768207073 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768361092 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768373013 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768382072 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768390894 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768398046 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768402100 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768414021 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768424988 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768440008 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768470049 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768552065 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768563032 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768600941 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768688917 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768699884 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768709898 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768721104 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768733025 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768737078 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768752098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768757105 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768764973 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768776894 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768788099 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768788099 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768802881 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768815041 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768815041 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768826962 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768837929 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768840075 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768851042 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.768872023 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.768888950 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769372940 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769385099 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769395113 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769412041 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769423008 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769426107 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769433975 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769444942 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769450903 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769455910 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769467115 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769471884 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769479036 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769490004 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769490004 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769501925 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769512892 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769524097 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769524097 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769536972 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769543886 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769550085 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769562006 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769567013 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769577026 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769587994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769593954 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769598961 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769610882 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769623995 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769620895 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769635916 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.769639969 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.769654989 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770278931 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770289898 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770299911 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770309925 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770317078 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770320892 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770332098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770344019 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770353079 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770355940 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770365000 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770376921 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770387888 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770390034 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770400047 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770411015 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770417929 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770421982 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770433903 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770437002 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770446062 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770456076 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770456076 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770469904 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770483971 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770483971 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770498037 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770509005 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770509005 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770522118 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770534039 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770539999 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770546913 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.770562887 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.770586967 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771281004 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771291971 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771301985 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771322012 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771331072 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771333933 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771346092 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771358013 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771358967 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771369934 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771378994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771389961 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771389961 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771403074 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771413088 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771415949 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771423101 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771433115 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771433115 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771444082 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771451950 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771456003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771467924 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771475077 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771478891 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771490097 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771493912 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771503925 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.771512985 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.771550894 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.853801012 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.853878021 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.853903055 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.853914976 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.853919983 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.853952885 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.853975058 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854058027 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854100943 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854191065 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854289055 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854327917 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854329109 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854391098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854403019 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854434013 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854446888 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854482889 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854515076 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854526043 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854537964 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854549885 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854562044 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854563951 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854590893 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854693890 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854706049 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854717970 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854737997 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854751110 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854840994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854852915 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854863882 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854875088 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854887962 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854888916 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854901075 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.854928970 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.854957104 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855122089 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855133057 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855144024 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855150938 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855156898 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855161905 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855173111 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855184078 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855200052 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855205059 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855227947 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855597019 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855607986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855618000 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855631113 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855637074 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855643034 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855654001 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855659962 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855665922 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855679035 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855688095 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855696917 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855710030 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855710983 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855721951 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855735064 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855740070 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855747938 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855761051 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855772018 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855801105 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.855964899 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855977058 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.855988979 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856009960 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856025934 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856148005 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856159925 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856172085 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856192112 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856204987 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856204987 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856219053 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856230974 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856234074 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856244087 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856256962 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856260061 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856268883 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856287003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856288910 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856300116 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856307030 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856313944 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856327057 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856339931 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856344938 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856357098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856363058 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856368065 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856379032 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856390953 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856400967 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856404066 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.856420040 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.856451035 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857059002 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857070923 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857081890 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857095957 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857104063 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857115984 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857127905 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857137918 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857141018 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857153893 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857165098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857170105 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857177973 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857188940 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857193947 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857202053 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857212067 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857213974 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857228994 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857240915 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857245922 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857253075 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857264996 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857280016 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857291937 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857302904 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857302904 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857304096 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857316971 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857319117 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857323885 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857336998 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857347965 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857355118 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857373953 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857389927 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857903957 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857914925 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857923985 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857939005 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857949972 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857961893 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857971907 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.857975006 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857984066 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.857995987 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.858027935 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.940711021 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977770090 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977782011 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977792025 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977816105 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977826118 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977838039 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977839947 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.977850914 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977860928 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.977880001 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.977890968 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.977907896 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977947950 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.977988958 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978008986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978018999 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978029966 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978051901 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978060961 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978075981 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978085041 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978096008 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978121996 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978125095 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978137970 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978147030 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978176117 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978277922 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978290081 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978317976 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978436947 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978446960 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978465080 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978475094 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978476048 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978486061 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978498936 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978501081 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978509903 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978523970 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978527069 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978538036 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978547096 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978593111 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978779078 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978789091 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978794098 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978806973 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978816986 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978823900 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978828907 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978841066 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978849888 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978852034 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978863955 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978871107 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978874922 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978884935 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.978889942 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.978929996 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.979099035 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.979110003 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.979119062 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:37.979140043 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.979166985 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.996493101 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:37.997548103 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:38.001256943 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:38.002403975 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:38.002470016 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:38.029980898 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:38.034796000 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:38.904067993 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:38.959713936 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.209784031 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.214534044 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.277931929 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.282838106 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.282847881 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.282893896 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.282895088 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.282912970 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.282936096 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.282963037 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.282984018 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.282991886 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.283030987 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.283099890 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.283109903 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.283123970 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.283133030 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.283153057 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.283183098 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.287686110 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287736893 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287736893 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.287744999 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287792921 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.287817001 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287826061 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287854910 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287868977 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.287898064 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.287902117 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.287941933 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.287966967 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.288007975 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.288105965 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.288152933 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.288407087 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.288485050 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.292525053 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292577982 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.292655945 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292699099 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292706013 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.292747021 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292748928 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.292788029 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292798996 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.292834044 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.292859077 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292887926 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292949915 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.292983055 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293034077 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293044090 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293112040 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293121099 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293129921 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293292046 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293299913 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293318033 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293328047 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293397903 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293406963 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293463945 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293546915 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293555021 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293610096 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293621063 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293644905 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293653011 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.293658018 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297388077 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297396898 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297435045 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297451973 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297544003 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297553062 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297604084 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297612906 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297647953 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297657013 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297700882 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297708988 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297753096 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297797918 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297852993 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297862053 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.297873020 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.337064028 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.341880083 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.405667067 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.410521030 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.410530090 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.410546064 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.410727978 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.410737038 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.448646069 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.453537941 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.453552008 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.453560114 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.453646898 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.453656912 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.453671932 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.496028900 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.502701998 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.502713919 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.502722025 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.502994061 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.503001928 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.503010035 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.559616089 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.566365957 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.566375017 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.566382885 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.566390991 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.566500902 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.566509962 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.615959883 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.620794058 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.645566940 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.650454998 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.686075926 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.690853119 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.742532015 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.747402906 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.747479916 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.770711899 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.775499105 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.786393881 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.791222095 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.817914963 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.822758913 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.848525047 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.853411913 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.888464928 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.893409014 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.928616047 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.933562994 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.957580090 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:39.962388992 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:39.997762918 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.002723932 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.046606064 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.051462889 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.084404945 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.089221954 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.116761923 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.121633053 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.146693945 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.151546001 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.177629948 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.182480097 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.220405102 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.225233078 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.265697002 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.270633936 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.303904057 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.308785915 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.352960110 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.357831001 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.377258062 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.382105112 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.404376984 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.409224033 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.444221020 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.449039936 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.482353926 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.487262964 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.514352083 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.520543098 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.545738935 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.550604105 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.608810902 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.613595009 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.639219046 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.644097090 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.669639111 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.674520016 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.710108995 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.714921951 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.747462034 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.752305031 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.787897110 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.792716980 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.826674938 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.831556082 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.857072115 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.861871004 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.889347076 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.894182920 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.937077999 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.941936970 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:40.975713015 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:40.981816053 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.015925884 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.020791054 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.053564072 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.058312893 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.100498915 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.105638027 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.139015913 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.143812895 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.178546906 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.183360100 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.217113018 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.222021103 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.249783993 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.255382061 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.284473896 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.290091991 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.311042070 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.317401886 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.341607094 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.346512079 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.381721973 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.386554003 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.428642988 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.433439970 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.475471020 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.481893063 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.522245884 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.527209997 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.570277929 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.575083017 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.616372108 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.621251106 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.663100958 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.667865992 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.701838017 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.706640959 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.741173983 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.746031046 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.780694008 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.785530090 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.810868979 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.815676928 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.850430012 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.855247021 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.897314072 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.902209044 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.937158108 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.941968918 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:41.973118067 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:41.977900028 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.006618977 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.011461973 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.053495884 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.058377981 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.100450039 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.105258942 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.147382021 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.152179956 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.194259882 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.199067116 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.241017103 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.245839119 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.287905931 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.292746067 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.334955931 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.339801073 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.374066114 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.378858089 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.404452085 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.409338951 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.437094927 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.441900015 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.475528002 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.480370998 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.514311075 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.519156933 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.544658899 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.549473047 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.584773064 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.589668036 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.632036924 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.636847973 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.678620100 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.683434963 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.725527048 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.730325937 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.772313118 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.777076960 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.819247007 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.824223995 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.859891891 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.864675045 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.890583992 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.895360947 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.928513050 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.933382988 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:42.975687981 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:42.981093884 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.022336006 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.027163982 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.069184065 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.074032068 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.116134882 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.120924950 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.162914038 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.167808056 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.209800959 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.359159946 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.359252930 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.364011049 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.389334917 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.394144058 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.421112061 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.425923109 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.452795982 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.457631111 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.491038084 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.495840073 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.538065910 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.542980909 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.542990923 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.542998075 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.543020010 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.593833923 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.598649979 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.598663092 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.598671913 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.598798990 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.598808050 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.631931067 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.636743069 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.678617001 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.684520006 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.709822893 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.714596987 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.756719112 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.761534929 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.812612057 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.817429066 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.817437887 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.817473888 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.817584038 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.817595959 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.850560904 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.855400085 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.889573097 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.894610882 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.904797077 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.909605026 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.944152117 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.948995113 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:43.991036892 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:43.995955944 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.031505108 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.036422014 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.061219931 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.066031933 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.100415945 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.105284929 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.147363901 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.152128935 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.188652039 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.193492889 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.219343901 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.224208117 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.256649971 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.261719942 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.303518057 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.308337927 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.350545883 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.355422020 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.397439003 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.402261019 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.436793089 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.441673994 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.484357119 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.489535093 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.489542961 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.489553928 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.522387028 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.527154922 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.569148064 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.573944092 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.616111994 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.620997906 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.654565096 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.659409046 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.694298983 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.699111938 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.741131067 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.745950937 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.788075924 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.792948008 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.834970951 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.839898109 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.874603987 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.879455090 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.904433966 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.909321070 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.944302082 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.949150085 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:44.991127968 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:44.995955944 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.043665886 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.048444986 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.072010994 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.250853062 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.264307976 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.264317989 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.264324903 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.264503956 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.264513016 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.264516115 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.313432932 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.319644928 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.319655895 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.319663048 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.319674015 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.319681883 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.319691896 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.360521078 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.367161989 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.367180109 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.367580891 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.369469881 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.369478941 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.369642973 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.431435108 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.438093901 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.438107014 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.438116074 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.440324068 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.440331936 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.440335035 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.446573973 CET	4433	49737	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:45.446696997 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:45.446809053 CET	49737	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:46.753889084 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:46.758723021 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:52.053503990 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:07:52.058347940 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:52.356215954 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:07:52.397205114 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:08.084808111 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:08.089641094 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:08.387383938 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:08.428409100 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:24.444128990 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:24.448879957 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:24.746865988 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:24.834688902 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:40.069246054 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:40.074079990 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:40.518789053 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:40.569125891 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:55.959826946 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:08:55.964811087 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:56.262536049 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:08:56.303507090 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:12.069235086 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:12.074172020 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:12.372181892 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:12.428565025 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:28.230220079 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:28.230384111 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:28.235205889 CET	4433	49730	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:28.235263109 CET	49730	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:33.382406950 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:33.387336969 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:33.387398958 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:34.476470947 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:34.481393099 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:34.481406927 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:34.481419086 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:34.481571913 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:35.041724920 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:35.084837914 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:35.195769072 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:35.200592041 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:35.200603962 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:35.200615883 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:35.200643063 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:35.205373049 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:49.835047007 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:49.835117102 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:49.841543913 CET	10443	50004	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:49.841593027 CET	50004	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:54.804070950 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:54.809000015 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:54.810734034 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:55.611442089 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:55.616508007 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:55.616544008 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:55.616559982 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:55.616580009 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:55.968511105 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:56.022406101 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:56.094578981 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:56.099737883 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:56.099791050 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:56.099822998 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:09:56.099858999 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:09:56.104732990 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:11.616270065 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:11.616368055 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:11.621400118 CET	4433	50005	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:11.622323036 CET	50005	4433	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:16.713884115 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:16.718921900 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:16.719011068 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:18.067531109 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:18.072599888 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.072671890 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.072715044 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.072757959 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.643193960 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.694303989 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:18.738641024 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:18.743709087 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.743756056 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:18.743777037 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.743817091 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:18.748661041 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.912121058 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.912192106 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.912242889 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.912311077 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:23.912345886 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.912400961 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:23.912683964 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:23.917536020 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.917696953 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:23.917737961 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.237920046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.237972975 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238039970 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.238073111 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238115072 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238162994 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238209963 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.238240957 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238291025 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238308907 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.238362074 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238416910 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238430023 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.238471985 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238519907 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.238728046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238775015 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238845110 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238857985 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.238903046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.238950968 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.239335060 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.243396997 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.243457079 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.243484974 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.243526936 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.243613958 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457086086 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457186937 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457253933 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457313061 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457376957 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457422972 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457472086 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457485914 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457524061 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457552910 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457598925 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457643032 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457698107 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457712889 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457748890 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457777977 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457859039 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457906008 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.457952023 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.457969904 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458023071 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458034992 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.458221912 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458287001 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458337069 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.458353996 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458410025 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458422899 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.458466053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458512068 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.458571911 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.458982944 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459036112 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.459063053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459110022 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459156036 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459209919 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459223032 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.459260941 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.459285975 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459361076 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459408045 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459469080 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.459856033 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459927082 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.459939957 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.506808996 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.675980091 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676076889 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676146030 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676167965 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676214933 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676280975 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676327944 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676347971 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676419020 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676448107 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676492929 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676538944 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676598072 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676618099 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676671028 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676697969 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676759958 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676808119 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676856041 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.676868916 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676898003 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.676953077 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677000046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677046061 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677090883 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677110910 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677156925 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677175045 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677220106 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677263021 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677288055 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677328110 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677542925 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677594900 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677623034 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677670002 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677690029 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677748919 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677795887 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677840948 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677859068 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677902937 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.677923918 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.677968025 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678014040 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678056002 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.678077936 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678138018 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.678394079 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678440094 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678503036 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678555012 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678569078 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.678601027 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.678631067 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678690910 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678738117 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678782940 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.678801060 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678847075 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.678865910 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.678913116 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679234028 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679289103 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.679332972 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679385900 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.679413080 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679459095 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679503918 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679554939 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.679582119 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679627895 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.679646969 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679692030 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679735899 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679780006 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.679801941 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.679843903 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.680191040 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.680238008 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.683264971 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.766983032 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.767052889 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.767136097 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.895391941 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895482063 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895530939 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895561934 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.895613909 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895679951 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895730972 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.895750046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895808935 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.895823002 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895849943 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895869970 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895889044 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895910978 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895917892 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.895940065 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895947933 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.895966053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.895987034 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896002054 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896009922 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896028996 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896039009 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896070004 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896075964 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896095037 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896111965 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896132946 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896157026 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896172047 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896178961 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896198034 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896218061 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896234989 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896259069 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896265984 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896281958 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896300077 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896320105 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896346092 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896356106 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896373034 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896382093 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896399021 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896418095 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896437883 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896452904 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896482944 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896498919 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896517038 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896538973 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896559000 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896573067 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896583080 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896599054 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896605968 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896905899 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896934986 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896949053 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.896958113 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.896975040 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897085905 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897104979 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897129059 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897135973 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897152901 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897192955 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897377014 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897396088 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897418022 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897437096 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897448063 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897458076 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897475004 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897492886 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897515059 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897530079 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897558928 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897727966 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897746086 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897768974 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897789955 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897804022 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897813082 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897829056 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897839069 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897859097 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897871971 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.897881031 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897901058 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.897943020 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898341894 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898360014 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898380995 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898399115 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898412943 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898420095 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898437977 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898457050 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898477077 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898489952 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898523092 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898538113 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898672104 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898689985 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898711920 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898727894 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898741007 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898756027 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898766994 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898786068 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898799896 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.898808002 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898825884 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.898864031 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899228096 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899266005 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899283886 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899305105 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899393082 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899413109 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899430037 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899440050 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899454117 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899540901 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899555922 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899578094 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899594069 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899620056 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899673939 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899703026 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899729967 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899744987 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899753094 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899771929 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899794102 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899807930 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.899821043 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.899828911 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.900274038 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.900291920 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.900319099 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.900327921 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.900355101 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.986027956 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986140966 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986164093 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986202002 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.986219883 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986241102 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986258030 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.986270905 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986290932 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986304045 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.986321926 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986342907 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986361980 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986377954 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:24.986390114 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:24.986404896 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.038184881 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.114166975 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114253998 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114321947 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114392996 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.114420891 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114489079 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.114521027 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114578962 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114640951 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114697933 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.114722013 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114774942 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.114800930 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114845991 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114905119 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.114949942 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.114969969 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115015984 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115032911 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115093946 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115140915 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115190983 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115217924 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115266085 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115283966 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115390062 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115437031 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115483999 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115502119 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115552902 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115578890 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115638971 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115684032 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115730047 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115748882 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115794897 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115812063 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115855932 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115900040 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.115950108 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.115977049 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116019964 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116039991 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116085052 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116130114 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116174936 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116192102 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116225004 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116242886 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116290092 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116333961 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116380930 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116401911 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116445065 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116465092 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116509914 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116554022 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116595984 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116616011 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116661072 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116679907 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116724968 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116769075 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116807938 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116832018 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116873980 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.116893053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116936922 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.116981983 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117026091 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117044926 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117086887 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117108107 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117153883 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117197990 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117238045 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117260933 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117306948 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117352962 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117372036 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117418051 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117438078 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117481947 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117526054 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117567062 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117590904 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117634058 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117655993 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117700100 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117743969 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117788076 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117808104 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117850065 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.117872953 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.117918015 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.122843027 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.122884989 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.122909069 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.122936010 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.122984886 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123028994 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123090029 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123136044 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123153925 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123207092 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123239040 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123285055 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123353004 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123399973 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123461008 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123522043 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123574972 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123588085 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123619080 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123666048 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123728991 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123773098 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123825073 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123846054 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123873949 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.123919964 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.123961926 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124021053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124068975 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124085903 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124176025 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124196053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124258995 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124304056 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124347925 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124372005 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124397993 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124442101 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124488115 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124531984 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124583960 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124597073 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124629021 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124658108 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124702930 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124746084 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124799013 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124810934 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124839067 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.124869108 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124913931 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.124958038 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125005007 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125021935 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125072956 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125086069 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125129938 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125174046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125219107 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125238895 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125293016 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125305891 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125349045 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125392914 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125442028 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125466108 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125508070 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125529051 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125574112 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125617027 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125663996 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125683069 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125725985 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125746012 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125790119 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125833988 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125879049 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125896931 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.125938892 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.125962019 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.126007080 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.126271963 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.205085039 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205142975 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205224037 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.205282927 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205348969 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205396891 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.205435991 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205523014 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205573082 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205631971 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205674887 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.205704927 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.205749035 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205796957 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205837011 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205895901 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.205924034 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.205965996 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206001043 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206043959 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206088066 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206130981 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206172943 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206223965 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206249952 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206311941 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206357956 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206408024 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206434011 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206478119 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206499100 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206541061 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206607103 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206648111 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206671953 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206724882 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206738949 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206795931 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206840992 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206885099 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206906080 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.206950903 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.206969023 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207014084 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207077026 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207123041 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207142115 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207195044 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207221985 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207269907 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207334042 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207376957 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207416058 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207458019 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207473993 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207516909 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207580090 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207634926 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207648039 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207676888 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207722902 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207767963 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207812071 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207858086 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207875967 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207921028 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.207940102 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.207983971 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208029985 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208081007 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208107948 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208151102 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208173990 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208226919 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208276987 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208323002 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208340883 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208380938 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208405972 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208451033 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208494902 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208534956 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208559036 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208605051 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208622932 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208667040 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208713055 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208754063 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208775043 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208821058 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208838940 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208884001 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208929062 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.208972931 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.208992958 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209039927 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209060907 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209105015 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209150076 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209202051 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209214926 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209244967 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209275007 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209321022 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209363937 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209383965 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209429026 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209472895 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209517002 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209541082 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209558010 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209594965 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209654093 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209697008 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209749937 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209763050 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209801912 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209830046 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209878922 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209923983 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.209948063 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.209985018 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210030079 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210052967 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210082054 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210135937 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210148096 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210191011 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210243940 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210257053 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210299015 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210331917 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210390091 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210432053 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210458994 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210484028 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210520029 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210566044 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210588932 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210633993 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210685968 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210702896 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210747957 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210793972 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210846901 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.210860014 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210906982 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.210923910 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.256835938 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.332829952 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.332917929 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.332973003 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333003044 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333051920 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333097935 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333118916 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333158970 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333209991 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333237886 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333301067 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333339930 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333380938 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333424091 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333487988 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333524942 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333568096 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333630085 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333657026 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333730936 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333792925 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333822012 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333879948 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.333934069 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.333961010 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334007025 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334059954 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334073067 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334131956 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334186077 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334213018 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334260941 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334307909 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334331036 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334431887 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334481001 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334510088 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334544897 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334608078 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334628105 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334672928 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334721088 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334774017 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334800959 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334851027 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.334870100 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334932089 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.334985971 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335000038 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335042000 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335098982 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335128069 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335187912 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335232019 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335256100 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335303068 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335362911 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335386992 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335439920 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335484982 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335506916 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335551977 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335613966 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335634947 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335676908 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335725069 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335741043 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335803032 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335850954 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335867882 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335916042 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.335963011 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.335983992 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336028099 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336085081 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336097956 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336158991 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336198092 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336224079 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336289883 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336334944 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336354971 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336395979 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336447954 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336460114 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336503029 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336549044 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336569071 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336612940 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336663008 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336682081 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336741924 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336796999 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336810112 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336853981 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336909056 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.336921930 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.336965084 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337009907 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337035894 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337074041 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337122917 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337138891 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337184906 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337230921 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337259054 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337296009 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337341070 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337367058 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337404013 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337455034 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337474108 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337512016 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337555885 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337577105 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337624073 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337676048 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337692976 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337737083 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337781906 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337804079 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337846994 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337891102 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.337909937 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.337953091 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338006020 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338020086 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338061094 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338104963 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338125944 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338171005 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338222980 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338236094 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338278055 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338325024 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338345051 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338387966 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338440895 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338454008 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338495970 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338541031 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338566065 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338596106 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338629961 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338659048 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338704109 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338757992 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338771105 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338814020 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338864088 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338896036 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.338929892 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.338974953 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339013100 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339040995 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339085102 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339123011 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339152098 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339198112 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339240074 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339263916 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339309931 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339361906 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339385986 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339426994 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339452028 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339498043 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339540005 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339564085 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339610100 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339653969 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339684963 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.339720011 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.339806080 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.423794031 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.423846006 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.423902988 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.423933983 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.423980951 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424036026 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424048901 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424091101 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424134970 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424158096 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424197912 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424253941 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424267054 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424310923 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424385071 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424417973 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424463987 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424511909 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424535990 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424590111 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424624920 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424653053 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424704075 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424761057 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424802065 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424850941 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424890041 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.424915075 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.424959898 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.425004959 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.425029039 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.425059080 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.425101995 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.425124884 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.438288927 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.439619064 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.443136930 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.444552898 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:25.444632053 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.476169109 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:25.481046915 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.342257023 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.397438049 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.647563934 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.652512074 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.719913960 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.724773884 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724796057 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724827051 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.724838972 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724847078 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.724858999 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724878073 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724895000 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.724915981 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.724947929 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724978924 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.724994898 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.725013018 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.725022078 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.725043058 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.725054026 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.725063086 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.725101948 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.729610920 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729655027 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.729718924 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729737043 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729773045 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.729829073 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729852915 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729871988 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.729891062 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.729893923 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729931116 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729969025 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.729978085 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.729985952 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.730019093 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.730029106 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.730058908 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.730093956 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.730110884 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.730130911 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.730139017 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.730149031 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.730185032 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734468937 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734515905 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734528065 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734563112 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734581947 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734611034 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734636068 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734709978 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734714985 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734755039 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734814882 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734834909 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734869957 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.734911919 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.734992981 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735080004 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735105991 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735205889 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735224962 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735280037 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735296965 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735357046 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735373974 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735389948 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735405922 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735466957 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735482931 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735498905 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735515118 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735531092 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735547066 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735563993 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.735579967 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739372969 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739389896 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739415884 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739432096 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739464998 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739480972 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739506006 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739533901 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739609003 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739626884 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739653111 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739667892 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739713907 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739729881 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739748001 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739805937 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739823103 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739839077 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739865065 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739878893 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739906073 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.739922047 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.800003052 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.804860115 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.804888010 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.804904938 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.804924011 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.805002928 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.805020094 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.828789949 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.833648920 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.833667994 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.833686113 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.833720922 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.833738089 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.923448086 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.928302050 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.928322077 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.928340912 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.928423882 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.971204996 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:26.975963116 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:26.976063967 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.003215075 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.007997036 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.038674116 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.043428898 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.088291883 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.093087912 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.135448933 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.140265942 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.192611933 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.197469950 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.247960091 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.252775908 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.276489973 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.281246901 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.305610895 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.310411930 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.338248968 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.343075037 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.381012917 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.385807991 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.511348009 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.516225100 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.639259100 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.644139051 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.743343115 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.748492002 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.772530079 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.777446985 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.809304953 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.814182043 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.841275930 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.846240997 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.901384115 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.906194925 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.940047026 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.944860935 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:27.974265099 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:27.979082108 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.002985954 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.007890940 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.036005974 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.040813923 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.076508045 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.081357956 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.207248926 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.212064028 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.306935072 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.311877012 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.332115889 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.336988926 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.379771948 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.384685040 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.407248974 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.412144899 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.421890974 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.426685095 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.437433004 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.442275047 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.488050938 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.493045092 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.493077040 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.493094921 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.493290901 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.493319988 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.533642054 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.538676023 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.538738966 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.538779020 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.538841009 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.538880110 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.538939953 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.567212105 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.572228909 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.572274923 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.572315931 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.572380066 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.572417021 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.572457075 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.618002892 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.623004913 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.623049974 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.623090029 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.623169899 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.623212099 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.623267889 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.676712990 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.681642056 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.681706905 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.681746006 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.681859016 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.681899071 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.681941986 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.705919981 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.710841894 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.718627930 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.723540068 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.752171993 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.757162094 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.768729925 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.773685932 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.784362078 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.789272070 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.798533916 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.803391933 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.812310934 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.817147017 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.827367067 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.832340956 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.858803988 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.863862038 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.874455929 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.879367113 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:28.892219067 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:28.897250891 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.008758068 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.013886929 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.013930082 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.070924997 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.076105118 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.110129118 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.115053892 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.144464970 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.149509907 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.175339937 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.180238962 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.229033947 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.233891010 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.297125101 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.302161932 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.323340893 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.328231096 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.357105017 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.361947060 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.376899958 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.381831884 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.390847921 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.395704031 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.420706987 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.425677061 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.451373100 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.456223965 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.467147112 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.472088099 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.498461008 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.503360987 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.529891014 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.534768105 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.545855045 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.550789118 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.560894012 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.565799952 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.593734980 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.598683119 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.641634941 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.646526098 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.671155930 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.676120043 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.686454058 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.691376925 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.701790094 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.706665039 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.733449936 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.738313913 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.748907089 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.753818989 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.780491114 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.785408974 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.795383930 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.800307035 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.811131001 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.816050053 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.842696905 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.847589970 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.873490095 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.878433943 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.889144897 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.894040108 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.905661106 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.910554886 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.938044071 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.942986012 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.973807096 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.978666067 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:29.983844995 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:29.988744020 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.015258074 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.020117044 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.045557022 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.050503016 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.060625076 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.065499067 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.098725080 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.103682041 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.127413034 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.132280111 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.155004978 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.159935951 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.189933062 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.194844007 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.217324018 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.222167015 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.233023882 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.237848997 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.248394966 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.253235102 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.282479048 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.287350893 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.317568064 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.322422981 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.327357054 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.332226038 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.358587027 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.363483906 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.373719931 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.378567934 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.389147997 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.394011021 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.421957970 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.426856995 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.451586962 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.456448078 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.487816095 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.492734909 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.518851995 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.523756981 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.545991898 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.550899029 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.576878071 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.582164049 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.611799955 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.616739988 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.648245096 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.653182983 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.687480927 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.692451000 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.703634024 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.708460093 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.719532013 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.724354982 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.751238108 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.756181002 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.766355038 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.771195889 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.780939102 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.785909891 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.813939095 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.818861961 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.828979969 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.833901882 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.845494986 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.850368023 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.874946117 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.879801989 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.906299114 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.911365032 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.936845064 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.941663027 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.953613043 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.958580017 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.988933086 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:30.993822098 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:30.999407053 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.004779100 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.030147076 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.035083055 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.045598030 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.050587893 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.076174974 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.081242085 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.092838049 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.097774029 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.108831882 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.113627911 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.124706030 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.129468918 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.156287909 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.161067009 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.186228037 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.191014051 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.201529026 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.206382036 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.233618975 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.238481045 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.270354033 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.275181055 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.280409098 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.285271883 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.312916040 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.317789078 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.360049963 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.364917994 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.391155958 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.395912886 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.455883980 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.460678101 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.483282089 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.488130093 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.515686989 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.520709991 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.545878887 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.551107883 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.561306953 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.566309929 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.592097044 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.597029924 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.608177900 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.613087893 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.624171972 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.629103899 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.736615896 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.741569996 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.751121044 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.756052017 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.792525053 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.797465086 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.828278065 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.833188057 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.846442938 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.851366997 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.897459030 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.902379990 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.921977997 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.926801920 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:31.958937883 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:31.968859911 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.025821924 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.030842066 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.063182116 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.068125010 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.077233076 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.082091093 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.108207941 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.113125086 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.140160084 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.145044088 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.171801090 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.176783085 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.186028957 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.190939903 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.217955112 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.222899914 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.232953072 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.237817049 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.248903990 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.253729105 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.280260086 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.285093069 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.311598063 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.316436052 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.344046116 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.348856926 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.395374060 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.400198936 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.405267000 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.410048962 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.420870066 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.425705910 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.451786995 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.456635952 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.483867884 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.488677979 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.498470068 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.503266096 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.532598019 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.537437916 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.563239098 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.568104982 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.578658104 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.583530903 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.594198942 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.599028111 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.626390934 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.631187916 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.642621040 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.647406101 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.675486088 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.680289984 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.726874113 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.731697083 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.766221046 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.771081924 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.781184912 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.785954952 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.811135054 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.816034079 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.842547894 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.847346067 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.857695103 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.862492085 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.873370886 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.878190994 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.904910088 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.909823895 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.920581102 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.925453901 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.935970068 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.940841913 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.951898098 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.956737995 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.967385054 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:32.972254038 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:32.998424053 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.003451109 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.016216040 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.021024942 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.066134930 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.071037054 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.092770100 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.097657919 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.108134985 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.113099098 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.123610020 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.128544092 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.155045033 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.159976959 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.170646906 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.175563097 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.186182976 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.203016043 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.203063011 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.207875013 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.217909098 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.222687006 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.235016108 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.239864111 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.249836922 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.258390903 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.280337095 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.285186052 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.311702013 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.316575050 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.343977928 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.348875999 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.359407902 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.364326000 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.412545919 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.417406082 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.421410084 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.426265955 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.452445984 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.457328081 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.468952894 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.473790884 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.499258995 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.504066944 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.529877901 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.534718037 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.545700073 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.550496101 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.561392069 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.566252947 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.592967033 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.597839117 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.623871088 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.628829956 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.639326096 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.644208908 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.670747995 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.675688982 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.705236912 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.710129976 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.738014936 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.742845058 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.748303890 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.753118992 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.763873100 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.768773079 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.795533895 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.800373077 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.811131001 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.815937042 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.842510939 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.847348928 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.857800007 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.862603903 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.889552116 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.894366980 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.905878067 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.910698891 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.936105013 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.940943003 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.951626062 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.956487894 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.967437983 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:33.972227097 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:33.998538017 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.003401995 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.014405012 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.019176006 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.030225992 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.035000086 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.046926022 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.051703930 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.098268986 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.103106022 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.141632080 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.146554947 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.155172110 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.159948111 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.186121941 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.190995932 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.201690912 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.207974911 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.217600107 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.222410917 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.248672009 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.253505945 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.264854908 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.269630909 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.279908895 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.284702063 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.311356068 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.316190958 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.326728106 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.331572056 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.337662935 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.342477083 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.342516899 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.347328901 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.374350071 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.379249096 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.388144970 CET	10443	50007	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.388211012 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.388309956 CET	50007	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:34.652780056 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:34.694331884 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:35.663234949 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:35.668133974 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:45.776554108 CET	10443	50006	23.226.57.67	192.168.2.4
Jan 2, 2025 12:10:45.819375992 CET	50006	10443	192.168.2.4	23.226.57.67
Jan 2, 2025 12:10:46.341161013 CET	50006	10443	192.168.2.4	23.226.57.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 12:10:55.496804953 CET	57497	53	192.168.2.4	1.1.1.1
Jan 2, 2025 12:12:56.500883102 CET	53738	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 12:10:55.496804953 CET	192.168.2.4	1.1.1.1	0x50e9	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:12:56.500883102 CET	192.168.2.4	1.1.1.1	0x65e0	Standard query (0)	tse1.mm.bing.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 12:10:55.503990889 CET	1.1.1.1	192.168.2.4	0x50e9	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 12:12:56.507643938 CET	1.1.1.1	192.168.2.4	0x65e0	No error (0)	tse1.mm.bing.net	mm-mm.bing.net.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 12:12:56.507643938 CET	1.1.1.1	192.168.2.4	0x65e0	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:12:56.507643938 CET	1.1.1.1	192.168.2.4	0x65e0	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:06:56
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\0DrqlQ4JfZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0DrqlQ4JfZ.exe"
Imagebase:	0x7ff600ac0000
File size:	390'656 bytes
MD5 hash:	DE3F0F8CBAC7723E54298BAEC915E2BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:10:44
Start date:	02/01/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x4 /state0:0xa3f52855 /state1:0x41c64e6d
Imagebase:	0x7ff75ff10000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:10:46
Start date:	02/01/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6c74c0000
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:10:46
Start date:	02/01/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3f5c855 /state1:0x41c64e6d
Imagebase:	0x7ff75ff10000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:10:46
Start date:	02/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	true
Commandline:	"fontdrvhost.exe"
Imagebase:	0xc0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:10:47
Start date:	02/01/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:10:47
Start date:	02/01/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3f64055 /state1:0x41c64e6d
Imagebase:	0x7ff75ff10000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:10:47
Start date:	02/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:10:49
Start date:	02/01/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	06:10:49
Start date:	02/01/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3f6b855 /state1:0x41c64e6d
Imagebase:	0x7ff75ff10000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:10:49
Start date:	02/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:10:50
Start date:	02/01/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	06:10:50
Start date:	02/01/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3f7b055 /state1:0x41c64e6d
Imagebase:	0x7ff75ff10000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:10:50
Start date:	02/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:10:52
Start date:	02/01/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	06:10:52
Start date:	02/01/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3f02855 /state1:0x41c64e6d
Imagebase:	0x7ff75ff10000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:10:52
Start date:	02/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.6%
Total number of Nodes:	1325
Total number of Limit Nodes:	57

Executed Functions

Function 00007FF600AC6370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 00007FF600AC6414
gethostbyname.WS2_32 ref: 00007FF600AC641E
inet_ntoa.WS2_32 ref: 00007FF600AC643B
inet_ntoa.WS2_32 ref: 00007FF600AC648B
MultiByteToWideChar.KERNEL32 ref: 00007FF600AC64E9
MultiByteToWideChar.KERNEL32 ref: 00007FF600AC650D
GetLastInputInfo.USER32 ref: 00007FF600AC6525
GetTickCount.KERNEL32 ref: 00007FF600AC652B
wsprintfW.USER32 ref: 00007FF600AC655E
MultiByteToWideChar.KERNEL32 ref: 00007FF600AC659F
LoadLibraryW.KERNEL32 ref: 00007FF600AC65AC
GetProcAddress.KERNEL32 ref: 00007FF600AC65C8
RegOpenKeyExW.KERNEL32 ref: 00007FF600AC666D
RegQueryValueExW.KERNEL32 ref: 00007FF600AC6698
RegCloseKey.KERNEL32 ref: 00007FF600AC66C5
FreeLibrary.KERNEL32 ref: 00007FF600AC66D6
GetSystemInfo.KERNEL32 ref: 00007FF600AC66EF
wsprintfW.USER32 ref: 00007FF600AC6707
GetDriveTypeW.KERNEL32 ref: 00007FF600AC6736
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF600AC6759
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF600AC679D
GetForegroundWindow.USER32 ref: 00007FF600AC6819
GetWindowTextW.USER32 ref: 00007FF600AC6834
lstrlenW.KERNEL32 ref: 00007FF600AC6844
GetLocalTime.KERNEL32 ref: 00007FF600AC6883
wsprintfW.USER32 ref: 00007FF600AC689D
MultiByteToWideChar.KERNEL32 ref: 00007FF600AC657B

Part of subcall function 00007FF600AE8A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8A66

lstrlenW.KERNEL32 ref: 00007FF600AC68C5
GetModuleHandleW.KERNEL32 ref: 00007FF600AC690E
GetProcAddress.KERNEL32 ref: 00007FF600AC691E
GetNativeSystemInfo.KERNEL32 ref: 00007FF600AC692D
GetSystemInfo.KERNEL32 ref: 00007FF600AC6931
wsprintfW.USER32 ref: 00007FF600AC6978
GetCurrentProcessId.KERNEL32 ref: 00007FF600AC698D
OpenProcess.KERNEL32 ref: 00007FF600AC69AB
K32GetProcessImageFileNameW.KERNEL32 ref: 00007FF600AC69CD
GetLogicalDriveStringsW.KERNEL32 ref: 00007FF600AC69E7
lstrcmpiW.KERNEL32 ref: 00007FF600AC6A28
lstrcmpiW.KERNEL32 ref: 00007FF600AC6A3C
QueryDosDeviceW.KERNEL32 ref: 00007FF600AC6A76

Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFE8
Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFEE

Part of subcall function 00007FF600AC9300: GetModuleHandleW.KERNEL32 ref: 00007FF600AC931D
Part of subcall function 00007FF600AC9300: GetProcAddress.KERNEL32 ref: 00007FF600AC932D
Part of subcall function 00007FF600AC9300: GetNativeSystemInfo.KERNEL32 ref: 00007FF600AC933D

lstrlenW.KERNEL32 ref: 00007FF600AC6A87
lstrcpyW.KERNEL32 ref: 00007FF600AC6AC8
CloseHandle.KERNEL32 ref: 00007FF600AC6AD1
CoInitializeEx.COMBASE ref: 00007FF600AC6AE2
CoCreateInstance.COMBASE ref: 00007FF600AC6B07
SysFreeString.OLEAUT32 ref: 00007FF600AC6BBC
CoUninitialize.OLE32 ref: 00007FF600AC6BFE
RegOpenKeyExW.KERNEL32 ref: 00007FF600AC6C67
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF600AC6CC7
RegEnumKeyExW.ADVAPI32 ref: 00007FF600AC6D5F
lstrlenW.KERNEL32 ref: 00007FF600AC6D6C
lstrlenW.KERNEL32 ref: 00007FF600AC6D7E
RegCloseKey.ADVAPI32 ref: 00007FF600AC6DCC
lstrlenW.KERNEL32 ref: 00007FF600AC6DD9

Part of subcall function 00007FF600AE94E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE951B

Part of subcall function 00007FF600AC7A60: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600AC7AEB
Part of subcall function 00007FF600AC7A60: Process32FirstW.KERNEL32 ref: 00007FF600AC7B08
Part of subcall function 00007FF600AC7A60: Process32NextW.KERNEL32 ref: 00007FF600AC7B43
Part of subcall function 00007FF600AC7A60: CloseHandle.KERNEL32 ref: 00007FF600AC7B50
Part of subcall function 00007FF600AC7A60: CoCreateInstance.COMBASE ref: 00007FF600AC7B9F

GetTickCount.KERNEL32 ref: 00007FF600AC6E21

Part of subcall function 00007FF600AE8E3C: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF600AE8E50

wsprintfW.USER32 ref: 00007FF600AC6E99
GetLocaleInfoW.KERNEL32 ref: 00007FF600AC6EB6
GetSystemDirectoryW.KERNEL32 ref: 00007FF600AC6EC8
GetCurrentHwProfileW.ADVAPI32 ref: 00007FF600AC6EDC
lstrlenW.KERNEL32 ref: 00007FF600AC6F5B
GetLocalTime.KERNEL32 ref: 00007FF600AC6F97
wsprintfW.USER32 ref: 00007FF600AC6FB1
RegOpenKeyExW.KERNEL32 ref: 00007FF600AC6FD6
RegDeleteValueW.KERNEL32 ref: 00007FF600AC6FEA
RegCloseKey.ADVAPI32 ref: 00007FF600AC6FF7
RegCreateKeyW.ADVAPI32 ref: 00007FF600AC700E
lstrlenW.KERNEL32 ref: 00007FF600AC701B
RegSetValueExW.KERNEL32 ref: 00007FF600AC7043
RegCloseKey.ADVAPI32 ref: 00007FF600AC7054
RegCloseKey.ADVAPI32 ref: 00007FF600AC7061
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600AC706E
Process32FirstW.KERNEL32 ref: 00007FF600AC70A9
Process32NextW.KERNEL32 ref: 00007FF600AC70FE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600AC7118
Process32FirstW.KERNEL32 ref: 00007FF600AC7153
Process32NextW.KERNEL32 ref: 00007FF600AC71AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600AC71C8
Process32FirstW.KERNEL32 ref: 00007FF600AC7203
Process32NextW.KERNEL32 ref: 00007FF600AC725A

Strings

kernel32.dll, xrefs: 00007FF600AC68FB
WeChat.exe, xrefs: 00007FF600AC715D
RtlGetNtVersionNumbers, xrefs: 00007FF600AC65BE
ProductName, xrefs: 00007FF600AC667F
VenNetwork, xrefs: 00007FF600AC6860
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF600AC6645
A:\, xrefs: 00007FF600AC6A1A
%d min, xrefs: 00007FF600AC6557
AppEvents, xrefs: 00007FF600AC6F61
Network, xrefs: 00007FF600AC6F70
GetNativeSystemInfo, xrefs: 00007FF600AC6917
X64 %s, xrefs: 00007FF600AC696A
%sFree%d Gb , xrefs: 00007FF600AC67EE
HDD:%d, xrefs: 00007FF600AC67A7
VenGROUP, xrefs: 00007FF600AC686B
FriendlyName, xrefs: 00007FF600AC6BA2
%d.%d, xrefs: 00007FF600AC688E, 00007FF600AC6FA2
WxWork.exe, xrefs: 00007FF600AC70B3
INSTALLTIME, xrefs: 00007FF600AC6F77, 00007FF600AC6FE3, 00007FF600AC7028
Telegram.exe, xrefs: 00007FF600AC720D
x86, xrefs: 00007FF600AC695F
Software\Tencent\Plugin\VAS, xrefs: 00007FF600AC6C59
B:\, xrefs: 00007FF600AC6A32
x64, xrefs: 00007FF600AC6958
c23cba79-a592-4af7-a500-4fcf6bee8efd, xrefs: 00007FF600AC63D2
%d.%d.%d, xrefs: 00007FF600AC65FD
Software, xrefs: 00007FF600AC6851
VenREMARK, xrefs: 00007FF600AC68CB
ntdll.dll, xrefs: 00007FF600AC65A5

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process32lstrlen$CloseCreateInfo$Systemwsprintf$ByteCharFirstHandleMultiNextOpenSnapshotTimeToolhelp32Wide$AddressFreeProcProcessQueryValue$Concurrency::cancel_current_taskCountCurrentDriveFileInstanceLibraryLocalModuleNativeTickWindow_invalid_parameter_noinfoinet_ntoalstrcmpi$DeleteDeviceDirectoryDiskEnumForegroundGlobalImageInitializeInputLastLoadLocaleLogicalMemoryNameProfileSpaceStatusStringStringsTextTypeUninitializegethostbynamegethostnamelstrcpy
String ID: %d min$%d.%d$%d.%d.%d$%sFree%d Gb $A:\$AppEvents$B:\$FriendlyName$GetNativeSystemInfo$HDD:%d$INSTALLTIME$Network$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software$Software\Tencent\Plugin\VAS$Telegram.exe$VenGROUP$VenNetwork$VenREMARK$WeChat.exe$WxWork.exe$X64 %s$c23cba79-a592-4af7-a500-4fcf6bee8efd$kernel32.dll$ntdll.dll$x64$x86
API String ID: 4136965836-2820081605
Opcode ID: ea268c65bd0354d68f3c4d4cf1f9f1f92df9778dd25e6bbadd2adbf6ee75f2b0
Instruction ID: 0d7a3f3a673a9fa3833a8128ab059668a60a891ccca533a4f6edcf46eb4a7819
Opcode Fuzzy Hash: ea268c65bd0354d68f3c4d4cf1f9f1f92df9778dd25e6bbadd2adbf6ee75f2b0
Instruction Fuzzy Hash: 6B926133A08A82A6EB20DF65D8446F93364FF84754FA54632DA4E877A9EF3CD645C700

Function 00007FF600ADB5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429
registrylibrarysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FF600ADB611
CloseHandle.KERNEL32 ref: 00007FF600ADB64D
GetCurrentProcess.KERNEL32 ref: 00007FF600ADB660
OpenProcessToken.ADVAPI32 ref: 00007FF600ADB675
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ADB695
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF600ADB6C1
CloseHandle.KERNEL32 ref: 00007FF600ADB6CE
GetModuleHandleA.KERNEL32 ref: 00007FF600ADB6DB
GetProcAddress.KERNEL32 ref: 00007FF600ADB6EB
GetCurrentProcessId.KERNEL32 ref: 00007FF600ADB703
OpenProcess.KERNEL32 ref: 00007FF600ADB712
GetLocalTime.KERNEL32 ref: 00007FF600ADB734
wsprintfW.USER32 ref: 00007FF600ADB77A
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF600ADB787
CloseHandle.KERNEL32 ref: 00007FF600ADB7AD
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF600ADB850

Part of subcall function 00007FF600AE8BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8C0B

CheckTokenMembership.KERNELBASE ref: 00007FF600ADB86A
FreeSid.ADVAPI32 ref: 00007FF600ADB882
RegOpenKeyExW.KERNEL32 ref: 00007FF600ADB8B4
RegDeleteValueW.KERNEL32 ref: 00007FF600ADB8C8
RegSetValueExW.KERNEL32 ref: 00007FF600ADB8F9
RegCloseKey.ADVAPI32 ref: 00007FF600ADB906
SleepEx.KERNEL32 ref: 00007FF600ADBA29
CreateEventA.KERNEL32 ref: 00007FF600ADBAA5
Sleep.KERNEL32 ref: 00007FF600ADBB4E
Sleep.KERNEL32 ref: 00007FF600ADBB84
CloseHandle.KERNEL32 ref: 00007FF600ADBBF2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600ADBBFD
IsDebuggerPresent.KERNEL32 ref: 00007FF600ADBC1C
LoadLibraryW.KERNEL32 ref: 00007FF600ADBC48
GetProcAddress.KERNEL32 ref: 00007FF600ADBC72
FreeLibrary.KERNEL32 ref: 00007FF600ADBC83

Strings

23.226.57.67, xrefs: 00007FF600ADB954
loginconfig, xrefs: 00007FF600ADB8D6
!analyze -v, xrefs: 00007FF600ADBCFE
10443, xrefs: 00007FF600ADB940, 00007FF600ADB96C, 00007FF600ADB9CD, 00007FF600ADBA39, 00007FF600ADBA6D
SeDebugPrivilege, xrefs: 00007FF600ADB68C
23.226.57.67, xrefs: 00007FF600ADB928
4433, xrefs: 00007FF600ADB934
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF600ADB76C
DbgHelp.dll, xrefs: 00007FF600ADBC39
10443, xrefs: 00007FF600ADB960
23.226.57.67, xrefs: 00007FF600ADB918, 00007FF600ADB9B5, 00007FF600ADBA48, 00007FF600ADBADE
MiniDumpWriteDump, xrefs: 00007FF600ADBC60
VenkernalData_info, xrefs: 00007FF600ADB8BA, 00007FF600ADB8EB
NtDll.dll, xrefs: 00007FF600ADB6D4
23.226.57.67, xrefs: 00007FF600ADB9A9
SOFTWARE, xrefs: 00007FF600ADB8A6
%s-%04d%02d%02d-%02d%02d%02d.dmp, xrefs: 00007FF600ADBCF2
NtSetInformationProcess, xrefs: 00007FF600ADB6E4

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseHandle$ProcessSleep$OpenTokenValue$AddressCurrentFreeLibraryProc$AdjustAllocateCheckCreateDebuggerDeleteEventExceptionFilterInitializeLoadLocalLookupMembershipModulePresentPrivilegePrivilegesTimeUnhandled_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturnwsprintf
String ID: !analyze -v$%4d.%2d.%2d-%2d:%2d:%2d$%s-%04d%02d%02d-%02d%02d%02d.dmp$10443$10443$23.226.57.67$23.226.57.67$23.226.57.67$23.226.57.67$4433$DbgHelp.dll$MiniDumpWriteDump$NtDll.dll$NtSetInformationProcess$SOFTWARE$SeDebugPrivilege$VenkernalData_info$loginconfig
API String ID: 2641691789-2867827147
Opcode ID: f576be90ff469620f617f425041ccbfd0283bf6011902f711b93bc7817aa8828
Instruction ID: 093abc1a326b135687ea38f5cec9d35020b04de1cd60acf439d045f4c389f262
Opcode Fuzzy Hash: f576be90ff469620f617f425041ccbfd0283bf6011902f711b93bc7817aa8828
Instruction Fuzzy Hash: 27226032A18B82EAE7209F61E8442B973A5FF89754F600136D95E87BADDF3DE544C700

Function 00007FF600ACF410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32 ref: 00007FF600ACF45C
GetTickCount.KERNEL32 ref: 00007FF600ACF462
wsprintfW.USER32 ref: 00007FF600ACF490
GetForegroundWindow.USER32 ref: 00007FF600ACF496
GetWindowTextW.USER32 ref: 00007FF600ACF4AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600ACF4C3
Process32FirstW.KERNEL32 ref: 00007FF600ACF4F7
Process32NextW.KERNEL32 ref: 00007FF600ACF54B
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600ACF565
Process32FirstW.KERNEL32 ref: 00007FF600ACF59F
Process32NextW.KERNEL32 ref: 00007FF600ACF5EE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600ACF608
Process32FirstW.KERNEL32 ref: 00007FF600ACF642
Process32NextW.KERNEL32 ref: 00007FF600ACF69E
RegOpenKeyExW.ADVAPI32 ref: 00007FF600ACF6EC
RegQueryValueExW.KERNEL32 ref: 00007FF600ACF71F
RegQueryValueExW.KERNEL32 ref: 00007FF600ACF783
RegCloseKey.ADVAPI32 ref: 00007FF600ACF90D
RegOpenKeyExW.ADVAPI32 ref: 00007FF600ACF943
RegQueryValueExW.KERNEL32 ref: 00007FF600ACF976
RegQueryValueExW.ADVAPI32 ref: 00007FF600ACF9D5
RegCloseKey.ADVAPI32 ref: 00007FF600ACF9EC
RegOpenKeyExW.ADVAPI32 ref: 00007FF600ACFA22
RegQueryValueExW.KERNEL32 ref: 00007FF600ACFA55
RegCloseKey.ADVAPI32 ref: 00007FF600ACFACB

Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFE8
Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFEE

RegQueryValueExW.ADVAPI32 ref: 00007FF600ACFAB4
SHGetFolderPathW.SHELL32 ref: 00007FF600ACFAEF
lstrcatW.KERNEL32 ref: 00007FF600ACFB03
CreateFileW.KERNEL32 ref: 00007FF600ACFB34
lstrlenW.KERNEL32 ref: 00007FF600ACFB44
WriteFile.KERNEL32 ref: 00007FF600ACFB61
CloseHandle.KERNEL32 ref: 00007FF600ACFB6A
FindFirstFileW.KERNEL32 ref: 00007FF600ACFB7E
FindClose.KERNEL32 ref: 00007FF600ACFB94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600ACFCFE

Strings

WXWork.exe, xrefs: 00007FF600ACF501
%d min, xrefs: 00007FF600ACF489
Startup, xrefs: 00007FF600ACF718, 00007FF600ACF77C
C:\ProgramData\Mylnk, xrefs: 00007FF600ACF896
\kernelquick.sys, xrefs: 00007FF600ACFAF5
WeChat.exe, xrefs: 00007FF600ACF5A9
Telegram.exe, xrefs: 00007FF600ACF64C
OpenAi_Service, xrefs: 00007FF600ACF96F, 00007FF600ACF9CE, 00007FF600ACFA4E, 00007FF600ACFAAD
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 00007FF600ACF6B1
C:\Users, xrefs: 00007FF600ACF812
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF600ACF935, 00007FF600ACFA14

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process32QueryValue$Close$CreateFirst$FileNextOpenSnapshotToolhelp32$Concurrency::cancel_current_taskFindWindow$CountFolderForegroundHandleInfoInputLastPathTextTickWrite_invalid_parameter_noinfo_noreturnlstrcatlstrlenwsprintf
String ID: %d min$C:\ProgramData\Mylnk$C:\Users$OpenAi_Service$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Startup$Telegram.exe$WXWork.exe$WeChat.exe$\kernelquick.sys
API String ID: 3029130142-1423135667
Opcode ID: 67a6eca3fa8730ed3e89a175e2743e3b53aeda9d2a050e997ae5ff35e344876b
Instruction ID: 37538a5752677b8eec4689e028235b74b42bff525f4703e7a46e5b5153263171
Opcode Fuzzy Hash: 67a6eca3fa8730ed3e89a175e2743e3b53aeda9d2a050e997ae5ff35e344876b
Instruction Fuzzy Hash: 5632C233B08686A9EB208F64D404AFD77A5FB85B84F654532DA5E8779AEF3CE144C700

Function 00007FF600ADAE60 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF600ADAE95
RegQueryValueExW.KERNEL32 ref: 00007FF600ADAEC6
RegQueryValueExW.ADVAPI32 ref: 00007FF600ADAF25
lstrlenW.KERNEL32 ref: 00007FF600ADAF32
lstrlenW.KERNEL32 ref: 00007FF600ADAF53
lstrlenW.KERNEL32 ref: 00007FF600ADAF66
lstrlenW.KERNEL32 ref: 00007FF600ADAFFF
lstrlenW.KERNEL32 ref: 00007FF600ADB020
lstrlenW.KERNEL32 ref: 00007FF600ADB033
lstrlenW.KERNEL32 ref: 00007FF600ADB0CB
lstrlenW.KERNEL32 ref: 00007FF600ADB0DE
lstrlenW.KERNEL32 ref: 00007FF600ADB161
lstrlenW.KERNEL32 ref: 00007FF600ADB182
lstrlenW.KERNEL32 ref: 00007FF600ADB195
lstrlenW.KERNEL32 ref: 00007FF600ADB22F
lstrlenW.KERNEL32 ref: 00007FF600ADB250
lstrlenW.KERNEL32 ref: 00007FF600ADB263
lstrlenW.KERNEL32 ref: 00007FF600ADB2FB
lstrlenW.KERNEL32 ref: 00007FF600ADB30E
lstrlenW.KERNEL32 ref: 00007FF600ADB391
lstrlenW.KERNEL32 ref: 00007FF600ADB3B2
lstrlenW.KERNEL32 ref: 00007FF600ADB3C5
lstrlenW.KERNEL32 ref: 00007FF600ADB45F
lstrlenW.KERNEL32 ref: 00007FF600ADB480
lstrlenW.KERNEL32 ref: 00007FF600ADB493
lstrlenW.KERNEL32 ref: 00007FF600ADB52B
lstrlenW.KERNEL32 ref: 00007FF600ADB53E

Strings

23.226.57.67, xrefs: 00007FF600ADB15A, 00007FF600ADB169, 00007FF600ADB219
p3:, xrefs: 00007FF600ADB3B8
23.226.57.67, xrefs: 00007FF600ADAF2B, 00007FF600ADAF3A, 00007FF600ADAFE9
t1:, xrefs: 00007FF600ADB0D1
4433, xrefs: 00007FF600ADAFF8, 00007FF600ADB007, 00007FF600ADB0B9
o2:, xrefs: 00007FF600ADB256
Vendata, xrefs: 00007FF600ADAEBF, 00007FF600ADAF1E
t2:, xrefs: 00007FF600ADB301
t3:, xrefs: 00007FF600ADB531
10443, xrefs: 00007FF600ADB228, 00007FF600ADB237, 00007FF600ADB2E9
p1:, xrefs: 00007FF600ADAF59
Console, xrefs: 00007FF600ADAE87
p2:, xrefs: 00007FF600ADB188
o3:, xrefs: 00007FF600ADB486
23.226.57.67, xrefs: 00007FF600ADB38A, 00007FF600ADB399, 00007FF600ADB449
o1:, xrefs: 00007FF600ADB026

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: lstrlen$QueryValue$Open
String ID: 10443$23.226.57.67$23.226.57.67$23.226.57.67$4433$Console$Vendata$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1772312705-1238094545
Opcode ID: e9763d1a573506a6c5f52fab13ecf1f8c208e4fec7a72f7b0df219955d443a2f
Instruction ID: ca06c5369a25dc142ec74a104a0736a158d69542940a2c7cda231c152d54851d
Opcode Fuzzy Hash: e9763d1a573506a6c5f52fab13ecf1f8c208e4fec7a72f7b0df219955d443a2f
Instruction Fuzzy Hash: 4B22D363E2952BE1EA249B14E5546BD73A1FF94745FA64032C90FC2B9BEF3CB1458310

Function 00007FF600AC72D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF600ACA300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600ACA4A0
Part of subcall function 00007FF600ACA300: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ACA4A6

MultiByteToWideChar.KERNEL32 ref: 00007FF600AC767F
MultiByteToWideChar.KERNEL32 ref: 00007FF600AC76A6

Strings

\DisplaySessionContainers.log, xrefs: 00007FF600AC78A3
open, xrefs: 00007FF600AC7826
X64, xrefs: 00007FF600AC74F1, 00007FF600AC750E
<, xrefs: 00007FF600AC79DD
key, xrefs: 00007FF600AC7832

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: <$X64$\DisplaySessionContainers.log$key$open
API String ID: 143101810-941791203
Opcode ID: f29b99b45b118f5f79a42678ca975ff307e5e61cf3b77914cf71b692731fc63f
Instruction ID: 1fd36d3be218a17a3168e3611233ce443e3a217457da5dee78e2b428d16434a7
Opcode Fuzzy Hash: f29b99b45b118f5f79a42678ca975ff307e5e61cf3b77914cf71b692731fc63f
Instruction Fuzzy Hash: D422A133B18A86A6EB10CB65E4006AE7365FB84B94F604632EE5E87B9DDF3CD544C740

Function 00007FF600ACFD10 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 00007FF600ACFD3C
GetDC.USER32 ref: 00007FF600ACFD45
CreateCompatibleDC.GDI32 ref: 00007FF600ACFD51
GetDC.USER32 ref: 00007FF600ACFD5C
GetDeviceCaps.GDI32 ref: 00007FF600ACFD6D
GetDeviceCaps.GDI32 ref: 00007FF600ACFD7D
ReleaseDC.USER32 ref: 00007FF600ACFD9A
GetSystemMetrics.USER32 ref: 00007FF600ACFDC3
GetSystemMetrics.USER32 ref: 00007FF600ACFDFE
GetSystemMetrics.USER32 ref: 00007FF600ACFE4C
GetSystemMetrics.USER32 ref: 00007FF600ACFE66
CreateCompatibleBitmap.GDI32 ref: 00007FF600ACFE84
SelectObject.GDI32 ref: 00007FF600ACFE98
SetStretchBltMode.GDI32 ref: 00007FF600ACFEA6
GetSystemMetrics.USER32 ref: 00007FF600ACFEB1
GetSystemMetrics.USER32 ref: 00007FF600ACFECB
StretchBlt.GDI32 ref: 00007FF600ACFF0C
GetDIBits.GDI32 ref: 00007FF600ACFFD2

Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFE8
Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFEE

Part of subcall function 00007FF600AD0220: GlobalAlloc.KERNEL32 ref: 00007FF600AD0258
Part of subcall function 00007FF600AD0220: GlobalLock.KERNEL32 ref: 00007FF600AD0264
Part of subcall function 00007FF600AD0220: GlobalUnlock.KERNEL32 ref: 00007FF600AD027B
Part of subcall function 00007FF600AD0220: CreateStreamOnHGlobal.OLE32 ref: 00007FF600AD0291
Part of subcall function 00007FF600AD0220: EnterCriticalSection.KERNEL32 ref: 00007FF600AD02DF
Part of subcall function 00007FF600AD0220: LeaveCriticalSection.KERNEL32 ref: 00007FF600AD02EC
Part of subcall function 00007FF600AD0220: GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF600AD031A
Part of subcall function 00007FF600AD0220: GdipDisposeImage.GDIPLUS ref: 00007FF600AD0330
Part of subcall function 00007FF600AD0220: DeleteObject.GDI32 ref: 00007FF600AD05A4
Part of subcall function 00007FF600AD0220: EnterCriticalSection.KERNEL32 ref: 00007FF600AD05B6
Part of subcall function 00007FF600AD0220: EnterCriticalSection.KERNEL32 ref: 00007FF600AD05C6
Part of subcall function 00007FF600AD0220: GdiplusShutdown.GDIPLUS ref: 00007FF600AD05D4

DeleteObject.GDI32 ref: 00007FF600AD0091
DeleteObject.GDI32 ref: 00007FF600AD009A
ReleaseDC.USER32 ref: 00007FF600AD00A5
DeleteObject.GDI32 ref: 00007FF600AD0165
DeleteObject.GDI32 ref: 00007FF600AD016E
ReleaseDC.USER32 ref: 00007FF600AD0179
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD020D

Strings

, xrefs: 00007FF600ACFED1
gfff, xrefs: 00007FF600ACFDE2
6, xrefs: 00007FF600ACFF72
gfff, xrefs: 00007FF600ACFE08
(, xrefs: 00007FF600ACFF15

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: MetricsObjectSystem$Delete$CreateCriticalGlobalSection$EnterRelease$BitmapCapsCompatibleConcurrency::cancel_current_taskDeviceGdipStreamStretch$AllocBitsDesktopDisposeFromGdiplusImageLeaveLockModeSelectShutdownUnlockWindow_invalid_parameter_noinfo_noreturn
String ID: $($6$gfff$gfff
API String ID: 1610826097-2922166585
Opcode ID: 396a75d9fa9336e9a4e12c0fdd0907e1ba5330701357c04f5d803b12fdb2bbf9
Instruction ID: 90dba681dcf4fea173a80862f47bbba1eb5f4d7b2517ea486e4ec3aa5de6f41f
Opcode Fuzzy Hash: 396a75d9fa9336e9a4e12c0fdd0907e1ba5330701357c04f5d803b12fdb2bbf9
Instruction Fuzzy Hash: 0CD1E473A1878186E7159F35E40437AB6A5FF89B84F208236EA4E9775AEF3CD484C740

Function 00007FF600AC8A40 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF600AC8C70), ref: 00007FF600AC8A53
OpenProcess.KERNEL32 ref: 00007FF600AC8A63
OpenProcessToken.ADVAPI32 ref: 00007FF600AC8A86
CloseHandle.KERNEL32 ref: 00007FF600AC8A93
SysStringLen.OLEAUT32 ref: 00007FF600AC8AE1
SysStringLen.OLEAUT32 ref: 00007FF600AC8AF9
CloseHandle.KERNEL32 ref: 00007FF600AC8B5F
CloseHandle.KERNEL32 ref: 00007FF600AC8B68
SysFreeString.OLEAUT32 ref: 00007FF600AC8BA1
SysFreeString.OLEAUT32 ref: 00007FF600AC8BE5
GetCurrentProcessId.KERNEL32 ref: 00007FF600AC8C4B
wsprintfW.USER32 ref: 00007FF600AC8C62

Part of subcall function 00007FF600AC8A40: GetVersionExW.KERNEL32 ref: 00007FF600AC8C91
Part of subcall function 00007FF600AC8A40: GetCurrentProcess.KERNEL32 ref: 00007FF600AC8CBD
Part of subcall function 00007FF600AC8A40: OpenProcessToken.ADVAPI32 ref: 00007FF600AC8CD3
Part of subcall function 00007FF600AC8A40: GetTokenInformation.KERNELBASE ref: 00007FF600AC8D08
Part of subcall function 00007FF600AC8A40: GetLastError.KERNEL32 ref: 00007FF600AC8D16
Part of subcall function 00007FF600AC8A40: LocalAlloc.KERNEL32 ref: 00007FF600AC8D35
Part of subcall function 00007FF600AC8A40: GetTokenInformation.KERNELBASE ref: 00007FF600AC8D68
Part of subcall function 00007FF600AC8A40: GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF600AC8D75
Part of subcall function 00007FF600AC8A40: GetSidSubAuthority.ADVAPI32 ref: 00007FF600AC8D83
Part of subcall function 00007FF600AC8A40: LocalFree.KERNEL32 ref: 00007FF600AC8D8E
Part of subcall function 00007FF600AC8A40: CloseHandle.KERNEL32 ref: 00007FF600AC8DA4
Part of subcall function 00007FF600AC8A40: wsprintfW.USER32 ref: 00007FF600AC8E03

Strings

None/%s, xrefs: 00007FF600AC8DF2
VenNetwork, xrefs: 00007FF600AC8C30
-N/, xrefs: 00007FF600AC8DE0
NO/, xrefs: 00007FF600AC8DE9

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process$CloseHandleStringToken$CurrentFreeOpen$AuthorityInformationLocalwsprintf$AllocCountErrorLastVersion
String ID: -N/$NO/$None/%s$VenNetwork
API String ID: 166307840-819860926
Opcode ID: 6c7887b962d608019f703872167c8e7ce94f955a74d8e987f4e99f87a0c40281
Instruction ID: 10d0499f6671913561b0e767359b5d79588e40743d07ff87034eb89e45267500
Opcode Fuzzy Hash: 6c7887b962d608019f703872167c8e7ce94f955a74d8e987f4e99f87a0c40281
Instruction Fuzzy Hash: 06B18F33A0DA42A6FB619B61E4506B963A4FF84B80F254835DE4E8779EDF3CE845C700

Function 00007FF600AC7A60 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600AC7AEB
Process32FirstW.KERNEL32 ref: 00007FF600AC7B08
Process32NextW.KERNEL32 ref: 00007FF600AC7B43
CloseHandle.KERNEL32 ref: 00007FF600AC7B50
CoCreateInstance.COMBASE ref: 00007FF600AC7B9F
wsprintfW.USER32 ref: 00007FF600AC7CA5
RegOpenKeyExW.ADVAPI32 ref: 00007FF600AC7CD5
RegQueryValueExW.KERNEL32 ref: 00007FF600AC7D36
lstrcatW.KERNEL32 ref: 00007FF600AC7D4A
lstrcatW.KERNEL32 ref: 00007FF600AC7D5A
RegCloseKey.ADVAPI32 ref: 00007FF600AC7D67
lstrlenW.KERNEL32 ref: 00007FF600AC7DA4
lstrcatW.KERNEL32 ref: 00007FF600AC7DB8
CloseHandle.KERNEL32 ref: 00007FF600AC7DE5
lstrcatW.KERNEL32 ref: 00007FF600AC7DFD
lstrcatW.KERNEL32 ref: 00007FF600AC7E0D

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 00007FF600AC7C97
Windows Defender IOfficeAntiVirus implementation , xrefs: 00007FF600AC7A84

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: lstrcat$Close$CreateHandleProcess32$FirstInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 582347850-1583895642
Opcode ID: 172064aca06d7bab2ac812725ebad370c198c4fa5686a0e3f00f667ec9231332
Instruction ID: c753ffea2071d7fbde9c86799a50149e1c74534664936f8d761cdc8669b8e525
Opcode Fuzzy Hash: 172064aca06d7bab2ac812725ebad370c198c4fa5686a0e3f00f667ec9231332
Instruction Fuzzy Hash: CAA18233A08A829AE7608F65E8406BE77A5FB85B88F644131DE4E87B5DDF3DD544CB00

Function 00007FF600ACCD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF600ACCF12
CreateProcessA.KERNEL32 ref: 00007FF600ACCF6E
VirtualAllocEx.KERNEL32 ref: 00007FF600ACCF97
WriteProcessMemory.KERNEL32 ref: 00007FF600ACCFBC
GetThreadContext.KERNEL32 ref: 00007FF600ACCFE0
SetThreadContext.KERNEL32 ref: 00007FF600ACD001
ResumeThread.KERNEL32 ref: 00007FF600ACD014

Strings

c23cba79-a592-4af7-a500-4fcf6bee8efd, xrefs: 00007FF600ACD262
nlyloadinmyself, xrefs: 00007FF600ACCD94
%s%s, xrefs: 00007FF600ACCF27
@, xrefs: 00007FF600ACCF8A
Windows\System32\svchost.exe, xrefs: 00007FF600ACCF18
%s %s, xrefs: 00007FF600ACD05B, 00007FF600ACD1EF, 00007FF600ACD2D3, 00007FF600ACD369
plugmark, xrefs: 00007FF600ACCE43
h, xrefs: 00007FF600ACCEE6

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s %s$%s%s$@$Windows\System32\svchost.exe$c23cba79-a592-4af7-a500-4fcf6bee8efd$h$nlyloadinmyself$plugmark
API String ID: 4033188109-1433058259
Opcode ID: e40124f47e0616d75d64940926f98e35d274e86a272478ae1ea058fe275ad7e0
Instruction ID: 8c32ff02187ab2b143c68daa3ef732dbfbcdfedbd52d33c163547095992962d3
Opcode Fuzzy Hash: e40124f47e0616d75d64940926f98e35d274e86a272478ae1ea058fe275ad7e0
Instruction Fuzzy Hash: EE12A063B08A8292E720CF25D4446BD77A1FB99B84F558536DB4E87B9ADF3CD185C300

Function 00007FF600ACE3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64
shutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF600ACE3E9
OpenProcessToken.ADVAPI32 ref: 00007FF600ACE3FE
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ACE426
AdjustTokenPrivileges.KERNELBASE ref: 00007FF600ACE44A
GetLastError.KERNEL32 ref: 00007FF600ACE450
CloseHandle.KERNEL32 ref: 00007FF600ACE45D
ExitWindowsEx.USER32 ref: 00007FF600ACE56F
GetCurrentProcess.KERNEL32 ref: 00007FF600ACE575
OpenProcessToken.ADVAPI32 ref: 00007FF600ACE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ACE5B2
AdjustTokenPrivileges.KERNELBASE ref: 00007FF600ACE5D6
GetLastError.KERNEL32 ref: 00007FF600ACE5DC
CloseHandle.KERNEL32 ref: 00007FF600ACE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF600ACE415, 00007FF600ACE5A5

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 40da0a47c9c7c1cc3a1aa31b778f4d13c03be2ed2b90204a7f89449c4a5765b5
Instruction ID: c474e7c0c2ddd0440d17d4da610c4bdbe800c6d7abbb943aef46bff36be2d9fb
Opcode Fuzzy Hash: 40da0a47c9c7c1cc3a1aa31b778f4d13c03be2ed2b90204a7f89449c4a5765b5
Instruction Fuzzy Hash: FE315E36908E82A9E720CF64E8147BA6364FF84B56F204435DA4E937ADDF3DD189C704

Function 00007FF600ADA680 Relevance: 25.8, APIs: 17, Instructions: 347
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA6C5
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA74A
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA79F
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA7BE
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA821
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA842
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA856
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA873
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA88F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA8AC
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADAB92

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$Alloc$ErrorLast$FreeHeap$InfoNativeProcessSystem
String ID:
API String ID: 1282860858-0
Opcode ID: 06589e85d6050c9ef5a7f7933ce4176366c98d370b168bd1ab009fbc31871bc3
Instruction ID: 43adf64a866aa08139c05e57d4d2df31441d5e58171ee449a5604689867f8e34
Opcode Fuzzy Hash: 06589e85d6050c9ef5a7f7933ce4176366c98d370b168bd1ab009fbc31871bc3
Instruction Fuzzy Hash: 05D1A033B09A4296EB608F16E45477973A5EF64B84F294036CE4FC779AEE3CE9419301

Function 00007FF600ACE46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF600ACE46D
OpenProcessToken.ADVAPI32 ref: 00007FF600ACE482
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ACE4AA
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF600ACE4CE
GetLastError.KERNEL32 ref: 00007FF600ACE4D4
CloseHandle.KERNEL32 ref: 00007FF600ACE4E1
ExitWindowsEx.USER32 ref: 00007FF600ACE56F
GetCurrentProcess.KERNEL32 ref: 00007FF600ACE575
OpenProcessToken.ADVAPI32 ref: 00007FF600ACE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ACE5B2
AdjustTokenPrivileges.KERNELBASE ref: 00007FF600ACE5D6
GetLastError.KERNEL32 ref: 00007FF600ACE5DC
CloseHandle.KERNEL32 ref: 00007FF600ACE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF600ACE499, 00007FF600ACE5A5

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: a792fc21bd502bb1f53feba3e0ea592908ea8fd6b5dd88df7bff687d3cdc374e
Instruction ID: 83f9f935a6ba5e80137068bf972ba4ec6533d49aa6e27f3c9594319423cf0f1d
Opcode Fuzzy Hash: a792fc21bd502bb1f53feba3e0ea592908ea8fd6b5dd88df7bff687d3cdc374e
Instruction Fuzzy Hash: 24317F36608E8299E720CF64E8147BA6364FF84B56F204036DA4E93BADDF3DD189C704

Function 00007FF600ACE4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF600ACE4EE
OpenProcessToken.ADVAPI32 ref: 00007FF600ACE503
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ACE52B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF600ACE54F
GetLastError.KERNEL32 ref: 00007FF600ACE555
CloseHandle.KERNEL32 ref: 00007FF600ACE562
ExitWindowsEx.USER32 ref: 00007FF600ACE56F
GetCurrentProcess.KERNEL32 ref: 00007FF600ACE575
OpenProcessToken.ADVAPI32 ref: 00007FF600ACE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600ACE5B2
AdjustTokenPrivileges.KERNELBASE ref: 00007FF600ACE5D6
GetLastError.KERNEL32 ref: 00007FF600ACE5DC
CloseHandle.KERNEL32 ref: 00007FF600ACE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF600ACE51A, 00007FF600ACE5A5

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: c4512c4a51b1fe7d902806900a56825f16f8507878c75a96d79f3f5efe7084bf
Instruction ID: 638bdfc8d1ea8877388744cd94630e7273e565b062a509de2b133c1dcdfddb30
Opcode Fuzzy Hash: c4512c4a51b1fe7d902806900a56825f16f8507878c75a96d79f3f5efe7084bf
Instruction Fuzzy Hash: 2B316D36608E8299E7208F64E8147BA6364FF84B56F204035DA4D93BA9DF3DD189C704

Function 00007FF600ACB410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232memorytimeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF600ACB444

Part of subcall function 00007FF600AC1200: GetProcessHeap.KERNEL32 ref: 00007FF600AC1236

HeapCreate.KERNEL32 ref: 00007FF600ACB50F
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF600ACB56F
CreateEventW.KERNEL32 ref: 00007FF600ACB5A2
CreateEventW.KERNEL32 ref: 00007FF600ACB5C2
CreateEventW.KERNEL32 ref: 00007FF600ACB5E2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF600ACB6B3
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF600ACB6C7
timeGetTime.WINMM ref: 00007FF600ACB739
CreateEventW.KERNEL32 ref: 00007FF600ACB74F
CreateEventW.KERNEL32 ref: 00007FF600ACB763

Strings

<, xrefs: 00007FF600ACB484
<, xrefs: 00007FF600ACB47D

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Create$Event$CountCriticalInitializeSectionSpin$Heap$ProcessTimetime
String ID: <$<
API String ID: 2446585644-213342407
Opcode ID: 29193acc1e1e8e4bf0335a70b56dbaf268a2d87dce0c9aa4dadcc0b3d1545946
Instruction ID: ac55b7ecbd970056656956bc233c5691c0ed3e8d29b7d2bb1ff1906657b28a20
Opcode Fuzzy Hash: 29193acc1e1e8e4bf0335a70b56dbaf268a2d87dce0c9aa4dadcc0b3d1545946
Instruction Fuzzy Hash: AEB15A73605B819AE7548F35E4857A933A8FB44B08F684538CB4D4B79ADF39A0A0C728

Function 00007FF600ADBDF0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF600ADBDFB
GetConsoleWindow.KERNEL32 ref: 00007FF600ADBE01
ShowWindow.USER32 ref: 00007FF600ADBE0C
GetCurrentThreadId.KERNEL32 ref: 00007FF600ADBE12
PostThreadMessageA.USER32 ref: 00007FF600ADBE22
GetInputState.USER32 ref: 00007FF600ADBE28
CreateThread.KERNEL32 ref: 00007FF600ADBE47
WaitForSingleObject.KERNEL32 ref: 00007FF600ADBE5C
CloseHandle.KERNEL32 ref: 00007FF600ADBE69
Sleep.KERNEL32 ref: 00007FF600ADBE74

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 2277684705-0
Opcode ID: 1f499c150cbe33159222533ec4b742c736879ee302e7e86ebc66b87cb5efa357
Instruction ID: 62faf7e9957242f4773691718653b6b78fb9758cdd5125461d3b884c7b51e59b
Opcode Fuzzy Hash: 1f499c150cbe33159222533ec4b742c736879ee302e7e86ebc66b87cb5efa357
Instruction Fuzzy Hash: 21012C36E58A42A6E314ABB1FC1457A32A6FF88B12B614135C91FC2379DF3CA445C304

Function 00007FF600AF2048 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF600AF208D

Part of subcall function 00007FF600AF1704: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF1718

Part of subcall function 00007FF600AEE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE972
Part of subcall function 00007FF600AEE95C: GetLastError.KERNEL32(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE97C

Part of subcall function 00007FF600AE4028: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF600AE3FD7,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AE4031
Part of subcall function 00007FF600AE4028: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF600AE3FD7,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AE4056

Part of subcall function 00007FF600AFA1B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AFA0FF

_get_daylight.LIBCMT ref: 00007FF600AF207C

Part of subcall function 00007FF600AF1764: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF1778

_get_daylight.LIBCMT ref: 00007FF600AF22F2
_get_daylight.LIBCMT ref: 00007FF600AF2303
_get_daylight.LIBCMT ref: 00007FF600AF2314
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF600AF2554), ref: 00007FF600AF233B

Strings

Eastern Standard Time, xrefs: 00007FF600AF23E1
Eastern Summer Time, xrefs: 00007FF600AF23F9

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 5190737fcedb8824ad4a2f5adc1dd419c442ee6d8cf329e1688e58de2abb36f5
Instruction ID: 38bf88d18febea4b1931d95aec433a4c9686db20d96c7c5d0e36d567f3492ba3
Opcode Fuzzy Hash: 5190737fcedb8824ad4a2f5adc1dd419c442ee6d8cf329e1688e58de2abb36f5
Instruction Fuzzy Hash: FCD1BF73A48242A6EB20EFA6D4502B96769EF94784F648135EE4DC7B8EDF3CE441C740

Function 00007FF600AC80C0 Relevance: 10.9, APIs: 7, Instructions: 424COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600ADC400: wsprintfW.USER32 ref: 00007FF600ADC42F
Part of subcall function 00007FF600ADC400: CreateFileW.KERNEL32 ref: 00007FF600ADC45A
Part of subcall function 00007FF600ADC400: DeviceIoControl.KERNEL32 ref: 00007FF600ADC4AA
Part of subcall function 00007FF600ADC400: DeviceIoControl.KERNEL32 ref: 00007FF600ADC511
Part of subcall function 00007FF600ADC400: DeviceIoControl.KERNEL32 ref: 00007FF600ADC571
Part of subcall function 00007FF600ADC400: DeviceIoControl.KERNEL32 ref: 00007FF600ADC5D0

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AC86F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AC86F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AC86FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AC8702

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn$CreateFilewsprintf
String ID:
API String ID: 3155671162-0
Opcode ID: c18f319fa9844628c6a677c07185de3de66ec9a391fe99c9b2b033250b86490b
Instruction ID: e1897eaa49f7d881f187e269123a1a1ed8d1df07f8b2186fdce322a75205f190
Opcode Fuzzy Hash: c18f319fa9844628c6a677c07185de3de66ec9a391fe99c9b2b033250b86490b
Instruction Fuzzy Hash: CD028F23F18B82A5EB00DBA1E5106BD23A1AB45B98F614635EE5E97BDEDF3CD445C300

Function 00007FF600AF22C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF600AF22F2

Part of subcall function 00007FF600AF1764: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF1778

_get_daylight.LIBCMT ref: 00007FF600AF2303

Part of subcall function 00007FF600AF1704: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF1718

_get_daylight.LIBCMT ref: 00007FF600AF2314

Part of subcall function 00007FF600AF1734: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF1748

Part of subcall function 00007FF600AEE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE972
Part of subcall function 00007FF600AEE95C: GetLastError.KERNEL32(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE97C

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF600AF2554), ref: 00007FF600AF233B

Strings

Eastern Standard Time, xrefs: 00007FF600AF23E1
Eastern Summer Time, xrefs: 00007FF600AF23F9

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 2133f9b6c4e90f95ebb1c2c4b763d73db315d9997485f014e8f6b7b9b98ca04f
Instruction ID: d9ca5c2365bdd277bea2bfd169fd71d600e4f4418b66333962782fd71e4e39fd
Opcode Fuzzy Hash: 2133f9b6c4e90f95ebb1c2c4b763d73db315d9997485f014e8f6b7b9b98ca04f
Instruction Fuzzy Hash: 24519E73A48642A6E720EF62E8906B97764BF48784FA44135EA5EC779ADF3CE4008740

Function 00007FF600AC9300 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF600AC931D
GetProcAddress.KERNEL32 ref: 00007FF600AC932D
GetNativeSystemInfo.KERNEL32 ref: 00007FF600AC933D
GetSystemInfo.KERNEL32 ref: 00007FF600AC9341

Strings

kernel32.dll, xrefs: 00007FF600AC9307
GetNativeSystemInfo, xrefs: 00007FF600AC9326

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 06b04ae401ee5d5c7cc9b92bd00cef418c8d008ef26561d2b8b72a7f6fbba0c7
Instruction ID: 33c8ba6887b50af1411a7301d7452455d6e35469f03e7f8287f54801bc03e663
Opcode Fuzzy Hash: 06b04ae401ee5d5c7cc9b92bd00cef418c8d008ef26561d2b8b72a7f6fbba0c7
Instruction Fuzzy Hash: D9F09617E1CBC293EA61A710D8002B63361FFA8700FA15735E98E8179AEF1CE6D4C700

Function 00007FF600AE8EB0 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8ED2
_get_daylight.LIBCMT ref: 00007FF600AE8F32
_get_daylight.LIBCMT ref: 00007FF600AE8F43
_get_daylight.LIBCMT ref: 00007FF600AE8F54
_isindst.LIBCMT ref: 00007FF600AE8FA5
_isindst.LIBCMT ref: 00007FF600AE8FF8

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 94003a780ed234a965d2311ace6d53ea410cbd1e40622ac1b689e0d0deb2975f
Instruction ID: e2dd7549004448a7b327af81c10de39cf68d7488352929e5e9e7e8d465eb7d67
Opcode Fuzzy Hash: 94003a780ed234a965d2311ace6d53ea410cbd1e40622ac1b689e0d0deb2975f
Instruction Fuzzy Hash: 1491D5B3B043869BEB588F65C9012B963A5EB54B88F548139DA0DCB78EFF3CE5418700

Function 00007FF600ADC2D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF600ADC379
DeviceIoControl.KERNEL32 ref: 00007FF600ADC3C1

Strings

L, xrefs: 00007FF600ADC3A9
\\.\, xrefs: 00007FF600ADC31E

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ControlCreateDeviceFile
String ID: L$\\.\
API String ID: 107608037-1891537229
Opcode ID: 21bc0f6301598303c13827e0319026f3a4049949566ec9a53abc1aeea47cf04e
Instruction ID: ea2457b511ba57c8b1146a5e8cdaf2a48deca04f66c7f008258112f6661ccba3
Opcode Fuzzy Hash: 21bc0f6301598303c13827e0319026f3a4049949566ec9a53abc1aeea47cf04e
Instruction Fuzzy Hash: 2D31A26260D78195EB508F11B450379BB94EB85BE4F588335EBAA4BBCADF3CD505C700

Function 00007FF600AC3B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF600AC3BF5
recv.WS2_32 ref: 00007FF600AC3C1B

Part of subcall function 00007FF600AC1500: VirtualAlloc.KERNEL32 ref: 00007FF600AC1575
Part of subcall function 00007FF600AC1500: VirtualFree.KERNELBASE ref: 00007FF600AC15AF

timeGetTime.WINMM ref: 00007FF600AC3D04

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$AllocFreeTimerecvselecttime
String ID:
API String ID: 1996171534-0
Opcode ID: d85a249508b5bedee75b0bfb18c11ed9529f242c5de80f6903cc256f38a76d27
Instruction ID: 778b1c2af71a3c49c0af6416722e147ca9d56c152b3afa2a6beb89179625d5d6
Opcode Fuzzy Hash: d85a249508b5bedee75b0bfb18c11ed9529f242c5de80f6903cc256f38a76d27
Instruction Fuzzy Hash: 40719073A18A8592EB219F28D4047BD73A0FB95B88F259635CF4D8375AEF38E584C740

Function 00007FF600ADAD40 Relevance: 3.8, APIs: 3, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00000000,00007FF600ADA9C2,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADADE0
GetProcessHeap.KERNEL32(?,?,00000000,00007FF600ADA9C2,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADAE25
HeapFree.KERNEL32(?,?,00000000,00007FF600ADA9C2,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADAE33

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: FreeHeap$ProcessVirtual
String ID:
API String ID: 190046822-0
Opcode ID: 89341820e01ce081605b96941eb1c7c686150c012882ba8243d161a74a304d71
Instruction ID: d1be2cb2424facbb6bebd2eff3c9f1330014b710222c7dfff1d4bbdda041d40f
Opcode Fuzzy Hash: 89341820e01ce081605b96941eb1c7c686150c012882ba8243d161a74a304d71
Instruction Fuzzy Hash: CD317E37B05B41A6EB54DB56E1402697370FB98B81F585032DF8E93B59CF38E4A2C700

Function 00007FF600AC1500 Relevance: 2.6, APIs: 2, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF600AC1575
VirtualFree.KERNELBASE ref: 00007FF600AC15AF

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: bdec6c309521b78e3869a161020c8be31cfe41798d2485b5db3fb8b25cd2d730
Instruction ID: 62f7847ad6b8ccf8f5f32185296bb3c915a40d6518f26f8ab7aa07c0c17a34d3
Opcode Fuzzy Hash: bdec6c309521b78e3869a161020c8be31cfe41798d2485b5db3fb8b25cd2d730
Instruction Fuzzy Hash: 0D41E333708A459AEB09CF2AE450A79A795FB85F84F254539EE0EC774AEF38D841C740

Function 00007FF600AD0220 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00007FF600AD0258
GlobalLock.KERNEL32 ref: 00007FF600AD0264
GlobalUnlock.KERNEL32 ref: 00007FF600AD027B
CreateStreamOnHGlobal.OLE32 ref: 00007FF600AD0291
GlobalFree.KERNEL32 ref: 00007FF600AD05F4

Part of subcall function 00007FF600AC61E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF600AC6231
Part of subcall function 00007FF600AC61E0: GetLastError.KERNEL32 ref: 00007FF600AC623B

EnterCriticalSection.KERNEL32 ref: 00007FF600AD02DF
LeaveCriticalSection.KERNEL32 ref: 00007FF600AD02EC
GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF600AD031A
GdipDisposeImage.GDIPLUS ref: 00007FF600AD0330
GdipDisposeImage.GDIPLUS ref: 00007FF600AD034E
CreateStreamOnHGlobal.OLE32 ref: 00007FF600AD036B
GetHGlobalFromStream.OLE32 ref: 00007FF600AD0392
GlobalLock.KERNEL32 ref: 00007FF600AD039C
GlobalFree.KERNEL32 ref: 00007FF600AD03BB
DeleteObject.GDI32 ref: 00007FF600AD03EB
EnterCriticalSection.KERNEL32 ref: 00007FF600AD03FD
EnterCriticalSection.KERNEL32 ref: 00007FF600AD040D
GdiplusShutdown.GDIPLUS ref: 00007FF600AD041B
LeaveCriticalSection.KERNEL32 ref: 00007FF600AD0428
LeaveCriticalSection.KERNEL32 ref: 00007FF600AD0432
DeleteObject.GDI32 ref: 00007FF600AD05A4
EnterCriticalSection.KERNEL32 ref: 00007FF600AD05B6
EnterCriticalSection.KERNEL32 ref: 00007FF600AD05C6
GdiplusShutdown.GDIPLUS ref: 00007FF600AD05D4
LeaveCriticalSection.KERNEL32 ref: 00007FF600AD05E1
LeaveCriticalSection.KERNEL32 ref: 00007FF600AD05EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD0618

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$Global$EnterLeave$Stream$CreateGdip$DeleteDisposeFreeFromGdiplusImageLockObjectShutdown$AllocBitmapErrorInitializeLastUnlock_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 953580087-0
Opcode ID: 371ea4069b5b3ca6924937f5e99e0e9cdbd069c4b4962dec36c48b59051ce9fd
Instruction ID: 272ac774a5d6b30dbab0fd12556cc923ecc8cbdea42e908baeafa27e4dc6ecac
Opcode Fuzzy Hash: 371ea4069b5b3ca6924937f5e99e0e9cdbd069c4b4962dec36c48b59051ce9fd
Instruction Fuzzy Hash: E8C11927B04B42A9EB00DBA5E4142AD3375FB44B99F204236CE5E97B9ADF38D459C344

Function 00007FF600ACC340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 00007FF600ACC377
GdipGetImageHeight.GDIPLUS ref: 00007FF600ACC3F4
GdipGetImageWidth.GDIPLUS ref: 00007FF600ACC41A
GdipGetImagePaletteSize.GDIPLUS ref: 00007FF600ACC470
GdipGetImagePalette.GDIPLUS ref: 00007FF600ACC4F1
CreateCompatibleDC.GDI32 ref: 00007FF600ACC588
SelectObject.GDI32 ref: 00007FF600ACC599
SetDIBColorTable.GDI32 ref: 00007FF600ACC5B7
SelectObject.GDI32 ref: 00007FF600ACC5CC
DeleteDC.GDI32 ref: 00007FF600ACC5F6
GdipBitmapLockBits.GDIPLUS ref: 00007FF600ACC646
GdipBitmapUnlockBits.GDIPLUS ref: 00007FF600ACC6D3
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF600ACC702
GdipGetImageGraphicsContext.GDIPLUS ref: 00007FF600ACC71D
GdipDrawImageI.GDIPLUS ref: 00007FF600ACC737
GdipDeleteGraphics.GDIPLUS ref: 00007FF600ACC740
GdipDisposeImage.GDIPLUS ref: 00007FF600ACC74D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600ACC79F

Strings

&, xrefs: 00007FF600ACC3D4

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Gdip$Image$Bitmap$BitsCreateDeleteGraphicsObjectPaletteSelect$ColorCompatibleContextDisposeDrawFormatFromHeightLockPixelScan0SizeTableUnlockWidth_invalid_parameter_noinfo
String ID: &
API String ID: 4034434136-3042966939
Opcode ID: 239e805813e04336424a29340b1b3b4cd56234119952a51b41bc6ad9426f54d6
Instruction ID: ebb55ff8fda1e3b1df77286b07b77f13037188c4ce9b61e8c86d84261b1bd88e
Opcode Fuzzy Hash: 239e805813e04336424a29340b1b3b4cd56234119952a51b41bc6ad9426f54d6
Instruction Fuzzy Hash: F8D1E273604782AAEB608F21D544ABD37A4FB04BA8F128435DF1D97B4ADF38E541C740

Function 00007FF600AC8710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 244
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF600AC8782
SysAllocString.OLEAUT32 ref: 00007FF600AC87DF
GetTokenInformation.KERNELBASE ref: 00007FF600AC8829
GetLastError.KERNEL32 ref: 00007FF600AC8833
GetProcessHeap.KERNEL32 ref: 00007FF600AC8849
HeapAlloc.KERNEL32 ref: 00007FF600AC885A
GetTokenInformation.KERNELBASE ref: 00007FF600AC888C
LookupAccountSidW.ADVAPI32 ref: 00007FF600AC88CA
GetLastError.KERNEL32 ref: 00007FF600AC88D4
SysAllocString.OLEAUT32 ref: 00007FF600AC895C
SysAllocString.OLEAUT32 ref: 00007FF600AC89C6
GetProcessHeap.KERNEL32 ref: 00007FF600AC89EB
HeapFree.KERNEL32 ref: 00007FF600AC89F9
GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF600AC8C70), ref: 00007FF600AC8A53
OpenProcess.KERNEL32 ref: 00007FF600AC8A63
OpenProcessToken.ADVAPI32 ref: 00007FF600AC8A86
CloseHandle.KERNEL32 ref: 00007FF600AC8A93

Strings

NONE_MAPPED, xrefs: 00007FF600AC88E1

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AllocProcess$HeapString$Token$ErrorInformationLastOpen$AccountCloseCurrentFreeHandleLookup
String ID: NONE_MAPPED
API String ID: 1410310566-2950899194
Opcode ID: 153f7837cc86bcbbc492fb4a375331227a21e9cb239b2b2f7dd34d1ee50442fc
Instruction ID: a27cae985f5404e046c15b37c16ac8eabaa48a70a30f8c3677c8dcac90807c57
Opcode Fuzzy Hash: 153f7837cc86bcbbc492fb4a375331227a21e9cb239b2b2f7dd34d1ee50442fc
Instruction Fuzzy Hash: F1A1A533609B42A6FA659B51E41067962E5FF84B80F6A4836DE4D8779AEF3CE844C310

Function 00007FF600AC3820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 00007FF600AC3840
timeGetTime.WINMM ref: 00007FF600AC384F
socket.WS2_32 ref: 00007FF600AC387C
lstrlenW.KERNEL32 ref: 00007FF600AC389E
WideCharToMultiByte.KERNEL32 ref: 00007FF600AC38C2
lstrlenW.KERNEL32 ref: 00007FF600AC38DA
WideCharToMultiByte.KERNEL32 ref: 00007FF600AC38FD
gethostbyname.WS2_32 ref: 00007FF600AC390A
htons.WS2_32 ref: 00007FF600AC3938
connect.WS2_32 ref: 00007FF600AC3962
setsockopt.WS2_32 ref: 00007FF600AC399E
setsockopt.WS2_32 ref: 00007FF600AC39D1
setsockopt.WS2_32 ref: 00007FF600AC3A04
setsockopt.WS2_32 ref: 00007FF600AC3A2D
WSAIoctl.WS2_32 ref: 00007FF600AC3A80

Strings

0u, xrefs: 00007FF600AC39EB

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: setsockopt$ByteCharMultiWidelstrlen$EventIoctlResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 3082052849-3203441087
Opcode ID: b00b2f847c602c05c07fd1ee8bf7bb8e34ca4a0b5b9ccfebd140f7c7f5224909
Instruction ID: 8c61ffa97022679a295123a0cf95cd0db2a262a1093f26d517b8680a12e605c6
Opcode Fuzzy Hash: b00b2f847c602c05c07fd1ee8bf7bb8e34ca4a0b5b9ccfebd140f7c7f5224909
Instruction Fuzzy Hash: 33715C73608B819AD720DF61F44076AB7A5FB88794F104239EA9E43B69DF3DD119CB04

Function 00007FF600AC8C30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF600AC8C4B
wsprintfW.USER32 ref: 00007FF600AC8C62

Part of subcall function 00007FF600AC8A40: GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF600AC8C70), ref: 00007FF600AC8A53
Part of subcall function 00007FF600AC8A40: OpenProcess.KERNEL32 ref: 00007FF600AC8A63
Part of subcall function 00007FF600AC8A40: OpenProcessToken.ADVAPI32 ref: 00007FF600AC8A86
Part of subcall function 00007FF600AC8A40: CloseHandle.KERNEL32 ref: 00007FF600AC8A93

GetVersionExW.KERNEL32 ref: 00007FF600AC8C91
GetCurrentProcess.KERNEL32 ref: 00007FF600AC8CBD
OpenProcessToken.ADVAPI32 ref: 00007FF600AC8CD3
GetTokenInformation.KERNELBASE ref: 00007FF600AC8D08
GetLastError.KERNEL32 ref: 00007FF600AC8D16
LocalAlloc.KERNEL32 ref: 00007FF600AC8D35
GetTokenInformation.KERNELBASE ref: 00007FF600AC8D68
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF600AC8D75
GetSidSubAuthority.ADVAPI32 ref: 00007FF600AC8D83
LocalFree.KERNEL32 ref: 00007FF600AC8D8E
CloseHandle.KERNEL32 ref: 00007FF600AC8DA4
wsprintfW.USER32 ref: 00007FF600AC8E03

Strings

VenNetwork, xrefs: 00007FF600AC8C30

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: VenNetwork
API String ID: 4155081256-3057682757
Opcode ID: d41af07cb10934b93d4f2e6b218dfa9c01e9023e3730c69632eb9c3a1c3d5fce
Instruction ID: a635f27bd738db33cef6ef12f4c19819e0b090ad017bdc8ea9870474d18cf80a
Opcode Fuzzy Hash: d41af07cb10934b93d4f2e6b218dfa9c01e9023e3730c69632eb9c3a1c3d5fce
Instruction Fuzzy Hash: DF417F33A0C682A6FB619B61E4447BA6364FF95B81F644435CA4F8379ADF3CE445C704

Function 00007FF600ADBEF0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF600ADBF94
DeviceIoControl.KERNEL32 ref: 00007FF600ADC003
GlobalAlloc.KERNEL32 ref: 00007FF600ADC032
DeviceIoControl.KERNEL32 ref: 00007FF600ADC07C
GlobalFree.KERNEL32 ref: 00007FF600ADC09E
DeviceIoControl.KERNEL32 ref: 00007FF600ADC0ED
GlobalAlloc.KERNEL32 ref: 00007FF600ADC115
DeviceIoControl.KERNEL32 ref: 00007FF600ADC157
GlobalFree.KERNEL32 ref: 00007FF600ADC170
GlobalFree.KERNEL32 ref: 00007FF600ADC18F

Strings

%s-%s|, xrefs: 00007FF600ADC1FB
- External Hub, xrefs: 00007FF600ADC17B

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ControlDeviceGlobal$Free$Alloc
String ID: - External Hub$%s-%s|
API String ID: 3253977144-729331614
Opcode ID: 8542d015694a4c052021583ada6e3cfa5bd229d79c2476f491f3809817a3115c
Instruction ID: 63677df5598c51420e3e140661a915effba29b9af61fe154a3e6d64990ca2869
Opcode Fuzzy Hash: 8542d015694a4c052021583ada6e3cfa5bd229d79c2476f491f3809817a3115c
Instruction Fuzzy Hash: FDB1C273A08B8295E760CF60E8403AA77A4FB847A4FA44236DB4E9779ADF3CD545C700

Function 00007FF600ACD9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137registryCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600ACDA44
GetLastInputInfo.USER32 ref: 00007FF600ACDAAB
GetTickCount.KERNEL32 ref: 00007FF600ACDAB1
wsprintfW.USER32 ref: 00007FF600ACDAE4
RegOpenKeyExW.KERNEL32 ref: 00007FF600ACDB72
RegQueryValueExW.KERNEL32 ref: 00007FF600ACDBA3

Strings

%d min, xrefs: 00007FF600ACDADD
Console, xrefs: 00007FF600ACDB64
IpDatespecial, xrefs: 00007FF600ACDB9C

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CountInfoInputLastOpenQueryTickValue_invalid_parameter_noinfo_noreturnwsprintf
String ID: %d min$Console$IpDatespecial
API String ID: 357503962-2712035571
Opcode ID: 56be587995ba83f121b7bd3a612907d66a221bc6c75ef673ca1255c1a7ca8465
Instruction ID: 12a786ca5fafaef614b5a8ad4b1f014304cddcb16b98f354305eae191a284b7c
Opcode Fuzzy Hash: 56be587995ba83f121b7bd3a612907d66a221bc6c75ef673ca1255c1a7ca8465
Instruction Fuzzy Hash: FC510E33608E81A9EB208F24EC447B933A5FB48B99F654131CA0D8779AEF3DC589C700

Function 00007FF600ADC400 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF600ADC42F
CreateFileW.KERNEL32 ref: 00007FF600ADC45A
DeviceIoControl.KERNEL32 ref: 00007FF600ADC4AA
DeviceIoControl.KERNEL32 ref: 00007FF600ADC511

Part of subcall function 00007FF600ADC640: WideCharToMultiByte.KERNEL32 ref: 00007FF600ADC675
Part of subcall function 00007FF600ADC640: WideCharToMultiByte.KERNEL32 ref: 00007FF600ADC6B0

DeviceIoControl.KERNEL32 ref: 00007FF600ADC571
DeviceIoControl.KERNEL32 ref: 00007FF600ADC5D0

Part of subcall function 00007FF600ADC2D0: CreateFileA.KERNEL32 ref: 00007FF600ADC379
Part of subcall function 00007FF600ADC2D0: DeviceIoControl.KERNEL32 ref: 00007FF600ADC3C1

CloseHandle.KERNEL32 ref: 00007FF600ADC5FE
CloseHandle.KERNEL32 ref: 00007FF600ADC623

Strings

\\.\HCD%d, xrefs: 00007FF600ADC423

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ControlDevice$ByteCharCloseCreateFileHandleMultiWide$wsprintf
String ID: \\.\HCD%d
API String ID: 2324936672-2696249065
Opcode ID: fba3a6acf6e72ed7b72618c4283ac656f0c243164c030697ae0719591fc402df
Instruction ID: 72b031634c79600f0540d9c52265c07fd037ded18c5d6b25ca22814754ccddee
Opcode Fuzzy Hash: fba3a6acf6e72ed7b72618c4283ac656f0c243164c030697ae0719591fc402df
Instruction Fuzzy Hash: D8518133A0C782A6EB609F10B44077AB794FB85794F642135DA8E87B9AEF3CD505CB00

Function 00007FF600ACC7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 00007FF600ACC7E4
GdipGetImageEncoders.GDIPLUS ref: 00007FF600ACC871
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF600ACC915
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 00007FF600ACC92D
GdipSaveImageToStream.GDIPLUS ref: 00007FF600ACC944
GdipDisposeImage.GDIPLUS ref: 00007FF600ACC951
GdipDisposeImage.GDIPLUS ref: 00007FF600ACC95E

Strings

&, xrefs: 00007FF600ACC8FD

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Gdip$Image$BitmapCreateDisposeEncodersFrom$SaveScan0SizeStream
String ID: &
API String ID: 370471037-3042966939
Opcode ID: 28b2eeaec2d98f14f4e8f3b60e7ba4f1bea8e24f035ccc537625c12df49cfb7a
Instruction ID: 39d51b232b2f5ff945abb3afa400d8e84b693539482f192bc81fc93c9b2fa57e
Opcode Fuzzy Hash: 28b2eeaec2d98f14f4e8f3b60e7ba4f1bea8e24f035ccc537625c12df49cfb7a
Instruction Fuzzy Hash: 5251A633B08742A6EB109F6598009B923A5FF44BA4F664631DE1D87B9ADF3CE546C340

Function 00007FF600AC8E30 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF600AC8E92
RegQueryValueExW.KERNEL32 ref: 00007FF600AC8EE9
lstrcmpW.KERNEL32 ref: 00007FF600AC8EFF
RegCloseKey.KERNEL32 ref: 00007FF600AC8F2F
RegCloseKey.ADVAPI32 ref: 00007FF600AC8F3D

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 9757e75af8232627abeb9f8389a1c3797a9351f61d8f1bccc733d4b1246574e8
Instruction ID: 04153feca29367558ed90310afce68047182454cb2723c4401d1bd04729d9a78
Opcode Fuzzy Hash: 9757e75af8232627abeb9f8389a1c3797a9351f61d8f1bccc733d4b1246574e8
Instruction Fuzzy Hash: 68318633618B8196E760CB65E888AAA73A4FB84B90F604635DA5D83BDDDF3DD804C740

Function 00007FF600AC8F60 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 00007FF600AC8FAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AC92F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AC92F7

Strings

%s%s %d*%d , xrefs: 00007FF600AC91F4
%s%s %d %d , xrefs: 00007FF600AC909F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
String ID: %s%s %d %d $%s%s %d*%d
API String ID: 2331002265-1924168580
Opcode ID: fe652329a2bccab07e07443f04fbc38bc44c37eb9ecce26c36fb009454b80e6c
Instruction ID: 5b54cc817c268d62dde6d3c0eb0255af4d93e48e8b74ee3c1b78d5c36d120b28
Opcode Fuzzy Hash: fe652329a2bccab07e07443f04fbc38bc44c37eb9ecce26c36fb009454b80e6c
Instruction Fuzzy Hash: C9A19C33B04A85A5EB10CF69D4446EE7761FB89B98F610632EE9D97B99CF38D041C700

Function 00007FF600AE8BE0 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8C0B
CreateThread.KERNEL32 ref: 00007FF600AE8C4C
GetLastError.KERNEL32 ref: 00007FF600AE8C5A
CloseHandle.KERNEL32 ref: 00007FF600AE8C70
FreeLibrary.KERNEL32 ref: 00007FF600AE8C7F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 2bf2d8e4056023ef3a5b5264bbcf8491965b7124c54493676a6e58e8f064e49f
Instruction ID: 60a4be4ff66c8408ab3ed512b191b580a606bd99ac3f86c31ae991995f93f3a7
Opcode Fuzzy Hash: 2bf2d8e4056023ef3a5b5264bbcf8491965b7124c54493676a6e58e8f064e49f
Instruction Fuzzy Hash: CC215037A0A782A5EE54DFA5A810079A3A4AFC9B90F344535DE4D8779EEF3CE4408710

Function 00007FF600AC3E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF600AC3E51
send.WS2_32 ref: 00007FF600AC3F43
send.WS2_32 ref: 00007FF600AC3F90
GetCurrentThreadId.KERNEL32 ref: 00007FF600AC3FBA

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CurrentThreadsend
String ID:
API String ID: 302076607-0
Opcode ID: 1d5fac0907bdd9d84bc34d83d8396e4accfe818cb4c73ff339665f4c5f5d32ef
Instruction ID: 9a74ff7a79920ea545516d447fa45bd635a582f83e9b1a22b47fa371ce6bdc7a
Opcode Fuzzy Hash: 1d5fac0907bdd9d84bc34d83d8396e4accfe818cb4c73ff339665f4c5f5d32ef
Instruction Fuzzy Hash: E451B133A04B4697EB149F25E44476AB7B0FB84B84F258838CB498BB1ADF38E5528340

Function 00007FF600AC37A0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF600AC37DD
CancelIo.KERNEL32 ref: 00007FF600AC37EA
closesocket.WS2_32 ref: 00007FF600AC37FA
SetEvent.KERNEL32 ref: 00007FF600AC3804

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 3e6bea74e94700dfcc8d9d47a61c466b5b5c0e1f507d80d6be11655914b66227
Instruction ID: 174738c10df9f47991fda5abdbb8ded6601a79c3214cc08a615d3ad794de3444
Opcode Fuzzy Hash: 3e6bea74e94700dfcc8d9d47a61c466b5b5c0e1f507d80d6be11655914b66227
Instruction Fuzzy Hash: 4AF04632604A8196DB149F65E45432AB330FB88BA4F204335CBAC87BA8CF39E0658740

Function 00007FF600ACDC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF600ACDCA0
CloseHandle.KERNEL32 ref: 00007FF600ACDE27

Strings

%s_bin, xrefs: 00007FF600ACDC95

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseHandlewsprintf
String ID: %s_bin
API String ID: 3088109604-2665034546
Opcode ID: 244c7580eec467afa70b9ee0c9a979b889a49d4b076565b89eb80eb5a3343fb4
Instruction ID: 8346425306e4a587d8ee30acc65ed2f744c101747b0037849368470f75e53f09
Opcode Fuzzy Hash: 244c7580eec467afa70b9ee0c9a979b889a49d4b076565b89eb80eb5a3343fb4
Instruction Fuzzy Hash: 3E51D363B19A96A1EF61DB25C014BB92365EF89B44F668536DA0E877CAEF3CD401C301

Function 00007FF600ADA220 Relevance: 4.7, APIs: 3, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000000,?,00007FF600ADAAD9,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA3A4
VirtualFree.KERNELBASE(?,?,00000000,?,00007FF600ADAAD9,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA42E
VirtualProtect.KERNEL32(?,?,00000000,?,00007FF600ADAAD9,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA495

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID:
API String ID: 3866829018-0
Opcode ID: f0e3e3619a435ed4c6f8b5a79368ecdee668cb236449d597bacc64a0fa136902
Instruction ID: 6d971eeb0e756ea5cca5683ac21ddab3b9845c313fad12c2a529dd8c32f552dd
Opcode Fuzzy Hash: f0e3e3619a435ed4c6f8b5a79368ecdee668cb236449d597bacc64a0fa136902
Instruction Fuzzy Hash: 2F61F0B7B1865196EB20CF57A400AA877A1FB24B80F945032DF4B87B49CF3DE950C701

Function 00007FF600ADC6E0 Relevance: 4.6, APIs: 3, Instructions: 79stringCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00007FF600ADC723
DeviceIoControl.KERNEL32 ref: 00007FF600ADC773

Part of subcall function 00007FF600ADC640: WideCharToMultiByte.KERNEL32 ref: 00007FF600ADC675
Part of subcall function 00007FF600ADC640: WideCharToMultiByte.KERNEL32 ref: 00007FF600ADC6B0

lstrcpyA.KERNEL32 ref: 00007FF600ADC7F2

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ByteCharMultiWide$ControlDefaultDeviceLangSystemlstrcpy
String ID:
API String ID: 3058672631-0
Opcode ID: d44846b71ec048a98a3cb0e9568e6036a274ee5c34c58920ad56b60fc8d534b8
Instruction ID: 8e4f5f0bfaeb8d92cd690b9bc4fa19f672226de3664e08419555226f0f916ad8
Opcode Fuzzy Hash: d44846b71ec048a98a3cb0e9568e6036a274ee5c34c58920ad56b60fc8d534b8
Instruction Fuzzy Hash: B831A732A0C68295EB20DB51E4443BEB3A5EB89790F644135EF9E8778ADF3DD405C740

Function 00007FF600ACC9B0 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AC61E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF600AC6231
Part of subcall function 00007FF600AC61E0: GetLastError.KERNEL32 ref: 00007FF600AC623B

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF600ACC7D4), ref: 00007FF600ACC9DA
GdiplusStartup.GDIPLUS ref: 00007FF600ACCA0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF600ACC7D4), ref: 00007FF600ACCA27

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$EnterErrorGdiplusInitializeLastLeaveStartup
String ID:
API String ID: 2723390537-0
Opcode ID: c1fce392dff7f0e0a1fd8d320c51b28cecfe9cf3d04554c50c1a4421144027e9
Instruction ID: 14f338c06af95e550a115beed41dc970ccf1f6828e58b4184f3c7b20bc7424d8
Opcode Fuzzy Hash: c1fce392dff7f0e0a1fd8d320c51b28cecfe9cf3d04554c50c1a4421144027e9
Instruction Fuzzy Hash: 45018C33A08B819AE7009F15E40436AB3E5FB84B81F990035EB8E83759CF3CD095CB40

Function 00007FF600AE8B18 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AEEE88: GetLastError.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEE97
Part of subcall function 00007FF600AEEE88: SetLastError.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEF37

CloseHandle.KERNEL32(?,?,?,00007FF600AE8CC5,?,?,?,?,00007FF600AE8B09), ref: 00007FF600AE8B53
FreeLibraryAndExitThread.KERNEL32(?,?,?,00007FF600AE8CC5,?,?,?,?,00007FF600AE8B09), ref: 00007FF600AE8B69
ExitThread.KERNEL32 ref: 00007FF600AE8B72

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: a30104ba4f4f868018fa850f0c9dce139a3884833968d360b0db499d9868783c
Instruction ID: 702a6772c332ae35be194ad5e1c1c6709e6fd9d08b2d40f6d902eee2521b4c5a
Opcode Fuzzy Hash: a30104ba4f4f868018fa850f0c9dce139a3884833968d360b0db499d9868783c
Instruction Fuzzy Hash: ABF06263A086C261FE549B60944427C2369AF40B79F3C0735C63C863DEEF3DD8458340

Function 00007FF600AC3DA0 Relevance: 3.0, APIs: 2, Instructions: 41timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF600AC3DCD
timeGetTime.WINMM ref: 00007FF600AC3DF1

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: a07444b426276808b022deff05d84a514b99e0a0f66664c5b3036afdf0babcf4
Instruction ID: a1224700c879f6655f0974f02c26d37778c4de5190714239fcc89a1c11d13b84
Opcode Fuzzy Hash: a07444b426276808b022deff05d84a514b99e0a0f66664c5b3036afdf0babcf4
Instruction Fuzzy Hash: D3018C23B1864197EB644B64E28877C27A0FB48B84F55AA34C75A877DACF3CD5E5C700

Function 00007FF600AE8AA8 Relevance: 3.0, APIs: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF600AE8AB6
ExitThread.KERNEL32 ref: 00007FF600AE8ABE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 41641528019013f9ff929c92362d335c34901b889fac2650327ddb4de509bf94
Instruction ID: 07f8d172124500f3a92f0385092eefa545be442997e1a5448278d4ffb4e01203
Opcode Fuzzy Hash: 41641528019013f9ff929c92362d335c34901b889fac2650327ddb4de509bf94
Instruction Fuzzy Hash: FCF0B423E5A68296EF04BBB1944917D1254AF54B40F340434D90DC739BEF2CE4458310

Function 00007FF600ADDFB8 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFE8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFEE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 8afa6a4327cd587ea362fe0c4f5b4bf1e5e9001c34c8a508c9f4177e13cca725
Instruction ID: 8d40c1fa34ac979a5a2907ffffa5ca6091646dd961596b02d3b1c80aa32b625e
Opcode Fuzzy Hash: 8afa6a4327cd587ea362fe0c4f5b4bf1e5e9001c34c8a508c9f4177e13cca725
Instruction Fuzzy Hash: 16E0BD42E1D10B65F92823AA241A9B820800F4D7B0F381B32EE7FC83CBBD1CA4A58151

Function 00007FF600AEE95C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE972
GetLastError.KERNEL32(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE97C

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a2b1b4d253dc9b48524949a201526306b0bcc39bf10aa9e0b1341fdbb23a067c
Instruction ID: 67afb938143cf4ed2abf297740e2c84c334dd55cc57d9a10b09a488f76bb4790
Opcode Fuzzy Hash: a2b1b4d253dc9b48524949a201526306b0bcc39bf10aa9e0b1341fdbb23a067c
Instruction Fuzzy Hash: DCE0C212F0924363FF58ABF2A84407916949F84701F705434CD0DC739BFE3CA8408310

Function 00007FF600ADA0E0 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,67452301), ref: 00007FF600ADA1AC
SetLastError.KERNEL32(?,?,?,?,?,67452301), ref: 00007FF600ADA1F2

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: e8cc5ead388a834f61713ab96b6f627611700b567b2c89878f21a98ade30cb92
Instruction ID: b496e5604856f9164fbbc1bedc5cdf5bf8918cb12c26afa1c748af680c4f038d
Opcode Fuzzy Hash: e8cc5ead388a834f61713ab96b6f627611700b567b2c89878f21a98ade30cb92
Instruction Fuzzy Hash: BF316D73B0498196DB14CB16E844669B7A1FB54B88F148036EF4E87759DE38D481C701

Function 00007FF600AC1730 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF600AC1796
VirtualFree.KERNELBASE ref: 00007FF600AC17CA

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 17a02dcf2f47f10d7a08db77411b6b44ca6662cc7d290d042544fe107c4b0b33
Instruction ID: 38f7d2a0295a977df80ac134d5308fec6ce06e88f4975e782b8711bfaa712dff
Opcode Fuzzy Hash: 17a02dcf2f47f10d7a08db77411b6b44ca6662cc7d290d042544fe107c4b0b33
Instruction Fuzzy Hash: 2321793271864196D724CB6AF48052AB7B1FB85B84B244535EB9ED3B19DF3CE4818B44

Function 00007FF600AC1670 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF600AC16C4
VirtualFree.KERNEL32 ref: 00007FF600AC16FE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 4c8156205564e744c18fa944b02d568327434d479cf77dfe2f9176b33a9ea29c
Instruction ID: 6acc73834029f8e6376055c7ee34be909fe7cc94e348b00626f9abba52ab13a3
Opcode Fuzzy Hash: 4c8156205564e744c18fa944b02d568327434d479cf77dfe2f9176b33a9ea29c
Instruction Fuzzy Hash: C8110832B28A4182EB05CF36E440529A3A5FF89BC0B244531EA4ED775DEF3CD891CB40

Function 00007FF600ADE0E0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600ADDD80: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF600ADDD94

__scrt_release_startup_lock.LIBCMT ref: 00007FF600ADE177

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 2217363868-0
Opcode ID: df8c2cae6130cff53013dc258be4a77fac826802f49534194485c90f58f48bf0
Instruction ID: 4b4bee55ba523bd7b70bf273d928fb73ebf507613189c792b7caee0d63e44146
Opcode Fuzzy Hash: df8c2cae6130cff53013dc258be4a77fac826802f49534194485c90f58f48bf0
Instruction Fuzzy Hash: A6314A23A0914365FA10FB6494513B92395AF95784FA4003AEE4FCB3EFDE6DE4458310

Function 00007FF600AC1000 Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF600AC1022

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 2276b2cfde0ec166953e0ec75e850ce31f8cbc4b3846b0cdc97fb7f8133b5954
Instruction ID: 34be0697f95ec8502534e9acb865cadd06da0f1d07f896aa3067a87e8ee9253f
Opcode Fuzzy Hash: 2276b2cfde0ec166953e0ec75e850ce31f8cbc4b3846b0cdc97fb7f8133b5954
Instruction Fuzzy Hash: 99E04F36B05545EAE611EB64D4450B47365FB58340F504132E98D8379ADF2CE515CB00

Function 00007FF600ACDE3F Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFE8
Part of subcall function 00007FF600ADDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600ADDFEE

Part of subcall function 00007FF600AE8A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8A66

CloseHandle.KERNEL32 ref: 00007FF600ACEF19

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Concurrency::cancel_current_task$CloseHandle_invalid_parameter_noinfo
String ID:
API String ID: 1286571413-0
Opcode ID: c6d68c6bbe32cbf81c792a0b4ad5dedd764ab29200c0bf5c6bb2578c3c869653
Instruction ID: 758d80fc8c7f0696c906199f4b400430e5db4a429d09dffb2d503d3098b95849
Opcode Fuzzy Hash: c6d68c6bbe32cbf81c792a0b4ad5dedd764ab29200c0bf5c6bb2578c3c869653
Instruction Fuzzy Hash: 7731BCB3A08B91A1E768DF14E4146EE7765FB88B44F62403AEB0E8738ACF38D551C344

Function 00007FF600AEF070 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF600AF27CD,?,?,00000000,00007FF600AEA69B,?,?,?,00007FF600AEC873,?,?,?,00007FF600AEC769), ref: 00007FF600AEF0AE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 016c47a342e12657c725cebeaa7b4028c5a2c41f1cbc7a3001cbfc12b323d78a
Instruction ID: 2d739f4b4072fd965805345a739b6c49a62d2dfe189f800bdd12468bff333713
Opcode Fuzzy Hash: 016c47a342e12657c725cebeaa7b4028c5a2c41f1cbc7a3001cbfc12b323d78a
Instruction Fuzzy Hash: 0BF03053F4D6836AFE646BA2584167612849F857A0F380730DD2EC63CFFE2CE4818215

Function 00007FF600ACEED0 Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AE8BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8C0B

CloseHandle.KERNEL32 ref: 00007FF600ACEF19

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseHandle_invalid_parameter_noinfo
String ID:
API String ID: 1071934762-0
Opcode ID: 6a7d53c689feae9ae0328117cfd99eda37d466c79035ccfc82de7d7785a1b7c7
Instruction ID: d3c71b3a7d46db9eca8349cdc7dd05ae8b2cc0019612698d4df789010ff5ecfa
Opcode Fuzzy Hash: 6a7d53c689feae9ae0328117cfd99eda37d466c79035ccfc82de7d7785a1b7c7
Instruction Fuzzy Hash: C1F0E223E0C54151F7249B55A4003BE6251BFC4B94F14043AEE0EA77CBDD3CE0538740

Non-executed Functions

Function 00007FF600AC9480 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF600AC94F6
CreateProcessA.KERNEL32 ref: 00007FF600AC9559
GetCurrentProcess.KERNEL32 ref: 00007FF600AC9567
OpenProcessToken.ADVAPI32 ref: 00007FF600AC957C
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF600AC959A
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF600AC95E2
OpenProcess.KERNEL32 ref: 00007FF600AC95FB
LoadLibraryA.KERNEL32 ref: 00007FF600AC9625
GetProcAddress.KERNEL32 ref: 00007FF600AC9635
LoadLibraryA.KERNEL32 ref: 00007FF600AC9646
GetProcAddress.KERNEL32 ref: 00007FF600AC9656
LoadLibraryA.KERNEL32 ref: 00007FF600AC9667
GetProcAddress.KERNEL32 ref: 00007FF600AC9677
LoadLibraryA.KERNEL32 ref: 00007FF600AC9688
GetProcAddress.KERNEL32 ref: 00007FF600AC9698
GetCurrentProcess.KERNEL32 ref: 00007FF600AC96A2
GetProcessId.KERNEL32 ref: 00007FF600AC96AB
GetModuleFileNameA.KERNEL32 ref: 00007FF600AC96DF
VirtualAllocEx.KERNEL32 ref: 00007FF600AC9715
WriteProcessMemory.KERNEL32 ref: 00007FF600AC973C
VirtualProtectEx.KERNEL32 ref: 00007FF600AC976F
VirtualAllocEx.KERNEL32 ref: 00007FF600AC978E
WriteProcessMemory.KERNEL32 ref: 00007FF600AC97B8
VirtualProtectEx.KERNEL32 ref: 00007FF600AC97E4
CreateRemoteThread.KERNEL32 ref: 00007FF600AC9807
Sleep.KERNEL32 ref: 00007FF600AC981A
VirtualProtectEx.KERNEL32 ref: 00007FF600AC983E
VirtualProtectEx.KERNEL32 ref: 00007FF600AC9862
ResumeThread.KERNEL32 ref: 00007FF600AC986B

Strings

ExitProcess, xrefs: 00007FF600AC964F
SeDebugPrivilege, xrefs: 00007FF600AC9593
WaitForSingleObject, xrefs: 00007FF600AC9691
Kernel32.dll, xrefs: 00007FF600AC961E, 00007FF600AC963B, 00007FF600AC965C, 00007FF600AC967D
%s%s, xrefs: 00007FF600AC9511
h, xrefs: 00007FF600AC94DD
Windows\System32\svchost.exe, xrefs: 00007FF600AC94FC
WinExec, xrefs: 00007FF600AC9670
@, xrefs: 00007FF600AC9777
OpenProcess, xrefs: 00007FF600AC962E

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect$AllocCreateCurrentMemoryOpenThreadTokenWrite$AdjustDirectoryFileLookupModuleNamePrivilegePrivilegesRemoteResumeSleepSystemValue
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 3040193174-4212407401
Opcode ID: 6fd3f4fde48d0361eb2d5c202ab323ad8a247f6fe0c7ba3ad29a459755052d7c
Instruction ID: e1ac2017ca29a8b51c8ba424f06270ae27095a65d0c04194408532ef5e933021
Opcode Fuzzy Hash: 6fd3f4fde48d0361eb2d5c202ab323ad8a247f6fe0c7ba3ad29a459755052d7c
Instruction Fuzzy Hash: AEA16172B08B8299E7218F61E8147FA23A8FF89788F504135DA4E97B69DF3CD245C744

Function 00007FF600ACADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00000000,00002514,00000000,00000000,00000000,00007FF600AC7A51), ref: 00007FF600ACAE08
GetTickCount.KERNEL32 ref: 00007FF600ACAE0E
GetTickCount.KERNEL32 ref: 00007FF600ACAE25
OpenClipboard.USER32 ref: 00007FF600ACAE33
GetClipboardData.USER32 ref: 00007FF600ACAE3E
GlobalSize.KERNEL32 ref: 00007FF600ACAE53
GlobalLock.KERNEL32 ref: 00007FF600ACAE63
wsprintfW.USER32 ref: 00007FF600ACAECE
WaitForSingleObject.KERNEL32 ref: 00007FF600ACAEE0
CreateFileW.KERNEL32 ref: 00007FF600ACAF14
SetFilePointer.KERNEL32 ref: 00007FF600ACAF3C
lstrlenW.KERNEL32 ref: 00007FF600ACAF47
WriteFile.KERNEL32 ref: 00007FF600ACAF6A
CloseHandle.KERNEL32 ref: 00007FF600ACAF73
ReleaseMutex.KERNEL32 ref: 00007FF600ACAF80
GlobalUnlock.KERNEL32 ref: 00007FF600ACAF9B
CloseClipboard.USER32 ref: 00007FF600ACAFA1
GetForegroundWindow.USER32 ref: 00007FF600ACAFBB
GetWindowTextW.USER32 ref: 00007FF600ACAFD8
lstrlenW.KERNEL32 ref: 00007FF600ACB00E
GetLocalTime.KERNEL32 ref: 00007FF600ACB021
wsprintfW.USER32 ref: 00007FF600ACB074
GetKeyState.USER32 ref: 00007FF600ACB153
lstrlenW.KERNEL32 ref: 00007FF600ACB1A0
lstrlenW.KERNEL32 ref: 00007FF600ACB1C1
wsprintfW.USER32 ref: 00007FF600ACB211
wsprintfW.USER32 ref: 00007FF600ACB22F
lstrlenW.KERNEL32 ref: 00007FF600ACB2A7

Strings

%s%s, xrefs: 00007FF600ACB207
[, xrefs: 00007FF600ACAEC2
[, xrefs: 00007FF600ACB05C
%s%s, xrefs: 00007FF600ACB21B
%s%s, xrefs: 00007FF600ACB24D
[esc], xrefs: 00007FF600ACADFC

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: lstrlen$wsprintf$ClipboardFileGlobal$CloseCountTickWindow$CreateDataForegroundHandleLocalLockMutexObjectOpenPointerReleaseSingleSizeSleepStateTextTimeUnlockWaitWrite
String ID: [$[$%s%s$%s%s$%s%s$[esc]
API String ID: 3669393114-972647286
Opcode ID: 0ba4a650500777e326fb2fa0ba1ce122045bb19d315cab67db3075d848846471
Instruction ID: f9633507daaeafdf70e29b1af14e22aa30d0bc12e743c0e0e2778f5d6e49d8ad
Opcode Fuzzy Hash: 0ba4a650500777e326fb2fa0ba1ce122045bb19d315cab67db3075d848846471
Instruction Fuzzy Hash: B1D1DE22A0C642A6FB209B65E8046FA73A4FF85784F604532D95EC37AEDF3DE548C710

Function 00007FF600ACD410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF600ACD437
wsprintfW.USER32 ref: 00007FF600ACD47F
lstrlenW.KERNEL32 ref: 00007FF600ACD4C5
lstrlenW.KERNEL32 ref: 00007FF600ACD4E6
lstrlenW.KERNEL32 ref: 00007FF600ACD4F9
lstrlenW.KERNEL32 ref: 00007FF600ACD58D
lstrlenW.KERNEL32 ref: 00007FF600ACD5AC
lstrlenW.KERNEL32 ref: 00007FF600ACD5BF
lstrlenW.KERNEL32 ref: 00007FF600ACD649
lstrlenW.KERNEL32 ref: 00007FF600ACD65C
CreateEventA.KERNEL32 ref: 00007FF600ACD7AD

Strings

p1:, xrefs: 00007FF600ACD4EF
t1:, xrefs: 00007FF600ACD652
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF600ACD471
o1:, xrefs: 00007FF600ACD5B5

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: lstrlen$CreateEventLocalTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 2157945651-1225219777
Opcode ID: 8e5e4238cfe7c353d5852bfc473442a04ad693366b72332548162b2e4d4925fd
Instruction ID: 563a2f7e859bbd341f782b9009563034e683d61a61d6c4cf0f49cdcfaebc634f
Opcode Fuzzy Hash: 8e5e4238cfe7c353d5852bfc473442a04ad693366b72332548162b2e4d4925fd
Instruction Fuzzy Hash: 67F1F463B18692A6EB209F65D8407BD23A1FB44B88F214635DA4E97B9EDF3CE541C700

Function 00007FF600AC9900 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF600AC9935
GetProcAddress.KERNEL32 ref: 00007FF600AC9948
GetProcAddress.KERNEL32 ref: 00007FF600AC9976
FreeLibrary.KERNEL32 ref: 00007FF600AC99A7
CreateFileW.KERNEL32 ref: 00007FF600AC99D4
GetProcAddress.KERNEL32 ref: 00007FF600AC9A1C
WriteFile.KERNEL32 ref: 00007FF600AC9A66
CloseHandle.KERNEL32 ref: 00007FF600AC9A7E
Sleep.KERNEL32 ref: 00007FF600AC9A91
GetProcAddress.KERNEL32 ref: 00007FF600AC9AA1
FreeLibrary.KERNEL32 ref: 00007FF600AC9ABC

Strings

MSIE 6.0, xrefs: 00007FF600AC9959
InternetOpenUrlW, xrefs: 00007FF600AC996C
wininet.dll, xrefs: 00007FF600AC9923
InternetCloseHandle, xrefs: 00007FF600AC9A97
InternetOpenW, xrefs: 00007FF600AC993E
InternetReadFile, xrefs: 00007FF600AC9A12

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: 067ce2f794736821cf202725aa30ed0aa3c92a2ab4f8812fc9fc05c1c4d827d7
Instruction ID: 0d99021946635283c3f9f8aa471156a1d0794dc378adf9d2cd4f7b48d46aefc4
Opcode Fuzzy Hash: 067ce2f794736821cf202725aa30ed0aa3c92a2ab4f8812fc9fc05c1c4d827d7
Instruction Fuzzy Hash: 6B410627A08642A6EB20DB51B904BBA77A0FF89BD4F644130CE5E47799DF3CD005CB00

Function 00007FF600AD0DA0 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600ADD26C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600ADD289
Part of subcall function 00007FF600ADD26C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF600ADD2AC
Part of subcall function 00007FF600ADD26C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600ADD341

Part of subcall function 00007FF600AD15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD15B9
Part of subcall function 00007FF600AD15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD15DE
Part of subcall function 00007FF600AD15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD1608
Part of subcall function 00007FF600AD15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD16A2
Part of subcall function 00007FF600AD15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD16B2
Part of subcall function 00007FF600AD15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD16D7
Part of subcall function 00007FF600AD15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD1701

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD0FE2
lstrlenW.KERNEL32 ref: 00007FF600AD1005
Sleep.KERNEL32 ref: 00007FF600AD1065
OpenClipboard.USER32 ref: 00007FF600AD107B
GetClipboardData.USER32 ref: 00007FF600AD108A
GlobalLock.KERNEL32 ref: 00007FF600AD109B
GlobalUnlock.KERNEL32 ref: 00007FF600AD10B6
CloseClipboard.USER32 ref: 00007FF600AD10BC
CloseClipboard.USER32 ref: 00007FF600AD10D8
OpenClipboard.USER32 ref: 00007FF600AD1100
EmptyClipboard.USER32 ref: 00007FF600AD110A
GlobalAlloc.KERNEL32 ref: 00007FF600AD1122
GlobalLock.KERNEL32 ref: 00007FF600AD1133
GlobalUnlock.KERNEL32 ref: 00007FF600AD115D
SetClipboardData.USER32 ref: 00007FF600AD116B
CloseClipboard.USER32 ref: 00007FF600AD1171
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD11FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD1204

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Lockitstd::_$Clipboard$GlobalLockit::_$Lockit::~_$Close_invalid_parameter_noinfo_noreturn$DataLockOpenUnlock$AllocEmptySetgloballocaleSleeplstrlenstd::locale::_
String ID:
API String ID: 1851032462-0
Opcode ID: 3dc2591f054965ba17c19e7eb8a1a5c0391eaf4d51c1fc91c888d0fc922051e0
Instruction ID: 0981ec946159db07081914a86b7144dc5bfe4c264f7b7ff31d311e667455c6bf
Opcode Fuzzy Hash: 3dc2591f054965ba17c19e7eb8a1a5c0391eaf4d51c1fc91c888d0fc922051e0
Instruction Fuzzy Hash: 66D17063B09A86A6EA109B65E4442BD7361FF84B94F244636EE5E8779EDF3CE440C700

Function 00007FF600AF8824 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF600AF8872
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF8EDE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF9054
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF9312
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF9532
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF976F
memcpy_s.LIBCPMT ref: 00007FF600AF984A
memcpy_s.LIBCPMT ref: 00007FF600AF98F5
memcpy_s.LIBCPMT ref: 00007FF600AF99C4

Strings

1#INF, xrefs: 00007FF600AF899B
1#IND, xrefs: 00007FF600AF895F
1#QNAN, xrefs: 00007FF600AF898B
1#SNAN, xrefs: 00007FF600AF8982

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 8a8cdf450ad9da4e3e91848c83b2fc9670f44cdb81e1e9276785e569651f6bed
Instruction ID: 417783b34237f83eb57a677cbfff3503d0a4da7e423e90aad03f76d73501b832
Opcode Fuzzy Hash: 8a8cdf450ad9da4e3e91848c83b2fc9670f44cdb81e1e9276785e569651f6bed
Instruction Fuzzy Hash: EDB2E173A582829BE7658EA4D4407FD77A9FB54388F605135DA0D97B8EDF3CAA00CB40

Function 00007FF600AD0880 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF600AD08F0
RegQueryValueExW.ADVAPI32 ref: 00007FF600AD096F
lstrcpyW.KERNEL32 ref: 00007FF600AD0AF2
RegCloseKey.ADVAPI32 ref: 00007FF600AD0B04
RegCloseKey.ADVAPI32 ref: 00007FF600AD0B12

Strings

%08X, xrefs: 00007FF600AD0A8D

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 32c954eb57fda164b81f0150aeb248f5c32c45763a12c98c87c6a1606aaef6c8
Instruction ID: e44c0c8d4cd24666d0d1e8e504a1a4ebe4662db91acf4f53ae7a0c70c8353f85
Opcode Fuzzy Hash: 32c954eb57fda164b81f0150aeb248f5c32c45763a12c98c87c6a1606aaef6c8
Instruction Fuzzy Hash: 5B516E62648AC1A5E770CB25E4447ABB360FB85794FA04136DB8D83BAEDF3CD544CB08

Function 00007FF600AF797C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

TranslateName.LIBCMT ref: 00007FF600AF79E6
TranslateName.LIBCMT ref: 00007FF600AF7A21
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF600AED778), ref: 00007FF600AF7A68
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF600AED778), ref: 00007FF600AF7AA0
GetLocaleInfoW.KERNEL32 ref: 00007FF600AF7C5D

Strings

utf8, xrefs: 00007FF600AF7B84

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: ed249922890c5a667d77dbf9e0f0f5ff4edc5bc12cc14daec0a02a097362d650
Instruction ID: 337a1c48eb1f153cc9621260e780ba20ad2f265b1f50c847d470d4d4b21cdba8
Opcode Fuzzy Hash: ed249922890c5a667d77dbf9e0f0f5ff4edc5bc12cc14daec0a02a097362d650
Instruction Fuzzy Hash: 47918933A4C782A5EB24AFA1D8412BD22A8EB45B80F644131DE4D8778AEF3DE552C740

Function 00007FF600AF83C4 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

Part of subcall function 00007FF600AEED10: FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED55

GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF600AF8534

Part of subcall function 00007FF600AEED10: FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED82
Part of subcall function 00007FF600AEED10: FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED93
Part of subcall function 00007FF600AEED10: FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDA4

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF600AED771), ref: 00007FF600AF851B
ProcessCodePage.LIBCMT ref: 00007FF600AF855E
IsValidCodePage.KERNEL32 ref: 00007FF600AF8570
IsValidLocale.KERNEL32 ref: 00007FF600AF8586
GetLocaleInfoW.KERNEL32 ref: 00007FF600AF85E2
GetLocaleInfoW.KERNEL32 ref: 00007FF600AF85FE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 22d8bcddac7133f8b6f7a06d5e5334a0f8ea8210c2b9d064d69f21135d6cdb9b
Instruction ID: a88ef4668d114637495405cd269997642c46e5108cd33c680e11089e12509b04
Opcode Fuzzy Hash: 22d8bcddac7133f8b6f7a06d5e5334a0f8ea8210c2b9d064d69f21135d6cdb9b
Instruction Fuzzy Hash: CA716923B48602AAFB609FA0D8506BD23A8BF48B44F644135CA1D9779AEF3CE445C350

Function 00007FF600ADE66C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF600ADE688
RtlCaptureContext.KERNEL32 ref: 00007FF600ADE6B5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF600ADE6CF
RtlVirtualUnwind.KERNEL32 ref: 00007FF600ADE710
IsDebuggerPresent.KERNEL32 ref: 00007FF600ADE764
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF600ADE781
UnhandledExceptionFilter.KERNEL32 ref: 00007FF600ADE78C

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 045e81cc47e066d153aaaf5b50bd9fe289779446efb159575806e036ae1ed661
Instruction ID: 3a07e6042e6960d907289daac910c9ef5df40abfddd1dea34e9d75a690d9fc82
Opcode Fuzzy Hash: 045e81cc47e066d153aaaf5b50bd9fe289779446efb159575806e036ae1ed661
Instruction Fuzzy Hash: 75310A73609B819AEB609FA0E8407FD7364FB84744F54443ADA4E87B9AEF38D648C714

Function 00007FF600ACE36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 00007FF600ACE397
ClearEventLogW.ADVAPI32 ref: 00007FF600ACE3AA
CloseEventLog.ADVAPI32 ref: 00007FF600ACE3B3

Strings

Application, xrefs: 00007FF600ACE36A
System, xrefs: 00007FF600ACE382
Security, xrefs: 00007FF600ACE376

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 1bb91c5c2b3888595093d95bda04c9b415b5dc93057c8244563c58f3f028a90d
Instruction ID: 4839f70704e79755e5f28ba35552b839f9067cf4365811a4ebcd642059098270
Opcode Fuzzy Hash: 1bb91c5c2b3888595093d95bda04c9b415b5dc93057c8244563c58f3f028a90d
Instruction Fuzzy Hash: 94F0F437A0DF4195EA15CB15F840675A3A4FF89764F240435CD4E83769EF3DD1968704

Function 00007FF600AE3D0C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF600AE3D85
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF600AE3D9D
RtlVirtualUnwind.KERNEL32 ref: 00007FF600AE3DD8
IsDebuggerPresent.KERNEL32 ref: 00007FF600AE3E11
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF600AE3E1B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF600AE3E26

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: fa8f028e9fcd13a2b73484911b7de9c78ca1ddcb2e97266c57a75bc76a24fdd2
Instruction ID: f0802e4d3a69a77f8d3c7f9e795bf066429c7251e1517ffe972d55107c3606c2
Opcode Fuzzy Hash: fa8f028e9fcd13a2b73484911b7de9c78ca1ddcb2e97266c57a75bc76a24fdd2
Instruction Fuzzy Hash: 6A318133608B81A9DB60CF65E8442BE73A4FB88754F640136EA9D87B99EF3CD545CB00

Function 00007FF600AF4190 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF41DC
FindFirstFileExW.KERNEL32 ref: 00007FF600AF42E6

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 68b5c0f69695cefe4d2b1cac7d4572eefde3aab897b1af24f4d9a3b1cd0a2181
Instruction ID: 34985d2652c28801194a078a52200528839f5f7a3713f398d8b285d1a00eae4c
Opcode Fuzzy Hash: 68b5c0f69695cefe4d2b1cac7d4572eefde3aab897b1af24f4d9a3b1cd0a2181
Instruction Fuzzy Hash: B1B1D823B5869251EA60DBA5E4002BA6395FF48BD4F644231EE5D9BBCFEF3CE4418300

Function 00007FF600ADC82C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF600ADC88D
IsDebuggerPresent.KERNEL32 ref: 00007FF600ADC8A5
OutputDebugStringW.KERNEL32 ref: 00007FF600ADC8B6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF600ADC8AF

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 6ee909605b01ed677f0d258b83eb54f87cb27d04152a024ec70f484db7e8edcc
Instruction ID: 74ac651e01b1d61ff9adeb9b66627f24b8a2a3fdafe54fc982272c6ef43ce277
Opcode Fuzzy Hash: 6ee909605b01ed677f0d258b83eb54f87cb27d04152a024ec70f484db7e8edcc
Instruction Fuzzy Hash: AB112833A14B42AAF7449B62D6547B932A4FF44355F644135CA4E83B9AEF7CE074C710

Function 000000018004CBA8 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018004CBD4
GetCurrentThreadId.KERNEL32 ref: 000000018004CBE2
GetCurrentProcessId.KERNEL32 ref: 000000018004CBEE
QueryPerformanceCounter.KERNEL32 ref: 000000018004CBFE

Memory Dump Source

Source File: 00000000.00000003.2179097870.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2091618542.00000001800A4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179082431.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179132878.000000018006A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179132878.0000000180077000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179183910.000000018009C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179196781.000000018009F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.3868202191.0000000180088000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f43c5c384dd62e127aff23c3300620b55bf120581340eb66dff6dc6593971a8f
Instruction ID: 335ea6a06d10f4d8781396ceb673bb2c692713a1181adefcbf3dbf2c25eb2b35
Opcode Fuzzy Hash: f43c5c384dd62e127aff23c3300620b55bf120581340eb66dff6dc6593971a8f
Instruction Fuzzy Hash: A6111832714F088AFB409B60E8543A933A4F75D798F444E21FA6D867A4EF78C2A88340

Function 00007FF600AEB5F0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF600AEB656
memcpy_s.LIBCPMT ref: 00007FF600AEB681

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction ID: 7c5b9e8f46d8d3b80e5eccaa9c55165236a297c2fde447fe034caf53b56c7865
Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction Fuzzy Hash: D9C1E673B296C697EB24CF19A04866AB791F784B84F548134DB4A83B49EF3CE801CB40

Function 00007FF600AF7E40 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

Part of subcall function 00007FF600AEED10: FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED55

GetLocaleInfoW.KERNEL32 ref: 00007FF600AF7EAC

Part of subcall function 00007FF600AF3FCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF3FE9

GetLocaleInfoW.KERNEL32 ref: 00007FF600AF7EF5

Part of subcall function 00007FF600AF3FCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AF4042

GetLocaleInfoW.KERNEL32 ref: 00007FF600AF7FBD

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 47a608bb907d4de4290f427b339ca80dcd83f241fa12a378f23bb4634d50531a
Instruction ID: eb66dd609985536e76dd692a927b8f364e9b90ca50467adbc69f3fd253778ad8
Opcode Fuzzy Hash: 47a608bb907d4de4290f427b339ca80dcd83f241fa12a378f23bb4634d50531a
Instruction Fuzzy Hash: 5D619A33A48642AAEB348F61E4402BD73A9EB84B40F608135DB9EC779ADF3CE555C700

Function 00007FF600AF0FB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF600AED94A), ref: 00007FF600AF1024

Strings

GetLocaleInfoEx, xrefs: 00007FF600AF0FCC, 00007FF600AF0FDD

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 3b61ae466ef5758e0e9e9450f631c2e40b05ac649b5573246797acb4bca5b173
Instruction ID: 3a7b6df51792e41a7053ffe8af4b2fe38030909e85774577d0e78fa418e34d07
Opcode Fuzzy Hash: 3b61ae466ef5758e0e9e9450f631c2e40b05ac649b5573246797acb4bca5b173
Instruction Fuzzy Hash: 3E01A222B08A81E5E7009B96B4401B6B764AF85BD0F684035DF4D83B5ECF3DD9418340

Function 00007FF600AF3A00 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF600AF3C4F
RaiseException.KERNEL32 ref: 00007FF600AF3C60

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 122b1925bd55db41e804c5b079ebde0f01de1123b2666aa23313b6dae26d6c44
Instruction ID: c09a788b1ad0cc8be4651bf46b07ff56d4be0f535c4626a99dd8972d66841538
Opcode Fuzzy Hash: 122b1925bd55db41e804c5b079ebde0f01de1123b2666aa23313b6dae26d6c44
Instruction Fuzzy Hash: 87B15B73604B898BEB15CF29C84636C7BA4F784B88F258931DA5D877A9CF39D552C700

Function 00007FF600AE75E0 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF600AE774E
, xrefs: 00007FF600AE7990

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 551e646fd59d23c1ee018d61c48a67f2a52f50f5278fc9195615cae8faf456cd
Instruction ID: 9b51804ecfe7763f9c5d7b73b74a69d397364aab498f9e0aba6dc0fe59263e88
Opcode Fuzzy Hash: 551e646fd59d23c1ee018d61c48a67f2a52f50f5278fc9195615cae8faf456cd
Instruction Fuzzy Hash: 2BE1A277A0C6C292EB688E29805057D33A0FF55B88F345235DA5E8779AFF2DE851C740

Function 00007FF600AEF950 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF600AEFADA
e+000, xrefs: 00007FF600AEFA5D

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: a347cb712251c494c0ac76841d0ca458a250c6be9a7c463d0ead6691c264c289
Instruction ID: 00bf89e1f7bd4e7dd7885253954ca08ebf7bf62aa25ed4c1d9ada2ebad8a73f1
Opcode Fuzzy Hash: a347cb712251c494c0ac76841d0ca458a250c6be9a7c463d0ead6691c264c289
Instruction Fuzzy Hash: 04515963B182C69AE7258E35E8107697B91E745B94F68C231CB9C8BBCBEF7DD4448700

Function 00007FF600AEA798 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF600AEA8E0

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 773e53d09e5455f04dc57cd524f4ca394a315c5928bf5f5768ba6214c405212f
Instruction ID: 9e740e8b8b24e01937e74c8ad32dcd117f54d7d7dec1a5555c2cf7f63e7b0a33
Opcode Fuzzy Hash: 773e53d09e5455f04dc57cd524f4ca394a315c5928bf5f5768ba6214c405212f
Instruction Fuzzy Hash: CA127A23A08BC196E751CF2895543F973A4FB69748F259235EA9D87797EF38E184C300

Function 00007FF600AF5FD4 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22158b38decd8d90c74f2f99d25a665006446744f2e1b5a41cef00b0dd0ad41
Instruction ID: 5c07785a6599f1130f4c1a50e5bb61ea483c4ddc3a018828b45c76d1cfe5f045
Opcode Fuzzy Hash: e22158b38decd8d90c74f2f99d25a665006446744f2e1b5a41cef00b0dd0ad41
Instruction Fuzzy Hash: 0CE13D33A04B8196E720DBA1E4416FE67A4FB94788F504636DF9D93B9AEF78D245C300

Function 00007FF600AC2E50 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00007FF600AC3450, 00007FF600AC35BB

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 4874844c38418d14ede67d35d8ec1f57646d452b183219fb2a06a3d7a21df842
Instruction ID: fbbcdd6a7c9dcc37e7c72026b65451132410bebde90855fe5e5658d7d56503f5
Opcode Fuzzy Hash: 4874844c38418d14ede67d35d8ec1f57646d452b183219fb2a06a3d7a21df842
Instruction Fuzzy Hash: 0542AC336093C59FC328CF28E4406AE7BA0F755B48F148539DB8A87B4ADB38E955CB51

Function 00007FF600AF8088 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

Part of subcall function 00007FF600AEED10: FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED55

GetLocaleInfoW.KERNEL32 ref: 00007FF600AF80F0

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: fd4313f3ed39529f0e214070d5eb9b22141959494d17c08f529f82dcba2f0cc7
Instruction ID: e0aa62d035172697d3d496896697b372ffeb036f4c2e8087fbb9bb8325d5af31
Opcode Fuzzy Hash: fd4313f3ed39529f0e214070d5eb9b22141959494d17c08f529f82dcba2f0cc7
Instruction Fuzzy Hash: C5318033B4868296EB24DB61D4413BA73A4FB88780F648635DB8DC738ADF3CE5028700

Function 00007FF600AF7CD8 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF600AF84C7,00000000,00000092,?,?,00000000,?,?,00007FF600AED771), ref: 00007FF600AF7D76

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 15ac7d5427dd9fc22c9c1f247fbd5354b0666d540418ec543f069a2b87512e20
Instruction ID: 4b79002df2861675a470c8b63bcff065dad7673cb2b481f2e7e2eff0289ea12c
Opcode Fuzzy Hash: 15ac7d5427dd9fc22c9c1f247fbd5354b0666d540418ec543f069a2b87512e20
Instruction Fuzzy Hash: 1F112463A0C6459AEB248F55D0806BC77A5FB80FA0FA48135C629833CADE38D6D1CB40

Function 00007FF600AF8290 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

GetLocaleInfoW.KERNEL32(?,?,?,00007FF600AF803A), ref: 00007FF600AF82C7

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 02c8055d8d650acd3e8a74c68ff88f338c75fb4c0e3c19cf7d436b4e0503b1ee
Instruction ID: 1d0af5610975a245954734123006acd69f4b6358a31ccc4814063d38ffc8fec5
Opcode Fuzzy Hash: 02c8055d8d650acd3e8a74c68ff88f338c75fb4c0e3c19cf7d436b4e0503b1ee
Instruction Fuzzy Hash: 13115C33F5855293E7748765F04067E6264EB40BA4F748331D66D8B7DAEF2DD8818300

Function 00007FF600AF7DA8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF600AEED10: GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
Part of subcall function 00007FF600AEED10: FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
Part of subcall function 00007FF600AEED10: SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF600AF8483,00000000,00000092,?,?,00000000,?,?,00007FF600AED771), ref: 00007FF600AF7E26

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 5727eb7e919169bab7f3b731904feba02bf0749f82d0e8f83876c19ff70cc26c
Instruction ID: 9c8f974e1de1b64bb0c00300534a8bc1ec03b0f11d0509c3b9a86da40d1ababd
Opcode Fuzzy Hash: 5727eb7e919169bab7f3b731904feba02bf0749f82d0e8f83876c19ff70cc26c
Instruction Fuzzy Hash: 2901F573F0C2815AE7204B95E4407BD76A5EF407A0FA48232D228873CEDFBC98858700

Function 00007FF600AF0AD8 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF600AF0F7F,?,?,?,?,?,?,?,?,00000000,00007FF600AF7328), ref: 00007FF600AF0B27

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0f058bcf8847595df1816a53f4d47a97cac47f7a866e7bb19b671d0c18a11263
Instruction ID: 1cd469a2b5ca652b6befd6234cf4f0cc2c5dc4e0a38dadb3f0b7f09d86206ab4
Opcode Fuzzy Hash: 0f058bcf8847595df1816a53f4d47a97cac47f7a866e7bb19b671d0c18a11263
Instruction Fuzzy Hash: 8DF03C72B08B41A3E704DB55E8905A96366FB997C0FA48035EA5ED736ADF3CE460C340

Function 00007FF600AEF4BC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF600AEF7FE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 91511e75055787009b36da5e0b5904dd2b35cdbec92fe664924b5d59d9c2ed42
Instruction ID: 54ae7dabb6a1ccdf0bcb246c28db0c28a6a84e82e2f671fa400318392c3709d2
Opcode Fuzzy Hash: 91511e75055787009b36da5e0b5904dd2b35cdbec92fe664924b5d59d9c2ed42
Instruction Fuzzy Hash: 97A15863B097C69BEB21CF29A4107A97B91EB50B84F258132DE4D8779AFE3DD502C701

Function 00007FF600AE684C Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF600AE6A2E

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5fb6afdc90124b9ccfbc1fc7428f51e6266c183c57cc2358b46b47bb293d3794
Instruction ID: 14b278ff459b05d1ed8b697310997947ab9d65f51e9bd38451c713f41b327b78
Opcode Fuzzy Hash: 5fb6afdc90124b9ccfbc1fc7428f51e6266c183c57cc2358b46b47bb293d3794
Instruction Fuzzy Hash: 73B16C73A0878595EB648F29C05427C3BB0F769B88F385536CA4E8739AEF39D841D705

Function 00007FF600AF29E4 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF600AF2A89

Part of subcall function 00007FF600AF0A28: HeapAlloc.KERNEL32(?,?,00000000,00007FF600AEEEEA,?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000), ref: 00007FF600AF0A7D

Part of subcall function 00007FF600AEE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE972
Part of subcall function 00007FF600AEE95C: GetLastError.KERNEL32(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE97C

Part of subcall function 00007FF600AFA24C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AFA27F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 211458dcc4182629a49dfa16bd233c2fd01fa5b79e8a7313d1c8d1c4e015e553
Instruction ID: 0c07d5449f7fa827eb89f3bcf2ea84a99925c151895e55bec758b63c4fe2db61
Opcode Fuzzy Hash: 211458dcc4182629a49dfa16bd233c2fd01fa5b79e8a7313d1c8d1c4e015e553
Instruction Fuzzy Hash: F441B823B4964361F670AE9668517BAA788BF957C0F644535EE8DC778FEE3CE4008700

Function 00007FF600AD9330 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction ID: a7a30075035b44d613dd04ddede2e682b0dd088178aaa4cd19c1d5e17e16c0bf
Opcode Fuzzy Hash: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction Fuzzy Hash: 6722CEB7B3805047D36DCB1DEC52FA97692B7A5348748A02CFA07C3F45EA3DEA458A44

Function 00007FF600AD79D0 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction ID: 61ec0c2ab39dc35306d2240668fe5313624ac844d8edcde5832e7c5fda5ab42a
Opcode Fuzzy Hash: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction Fuzzy Hash: 6CC1ED73B186919BDB09CF26E95056DB792BBC4BD0B65C135DE4A47B89EE3CD801CB00

Function 0000000180001000 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2179097870.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2091618542.00000001800A4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179082431.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179132878.000000018006A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179132878.0000000180077000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179183910.000000018009C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179196781.000000018009F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.3868202191.0000000180088000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872fd2783583b3cd762f827bdf0a68bc7e37a8f8e8274d1aa2e2fae5feacd2de
Instruction ID: 1cf1c2553b0555ee6ea91e657742496aa9e8a1338f503d70c1e054abea576052
Opcode Fuzzy Hash: 872fd2783583b3cd762f827bdf0a68bc7e37a8f8e8274d1aa2e2fae5feacd2de
Instruction Fuzzy Hash: 11E11E23A2ABD085E7239F3D44097982B919FE37B4F5EC309FA75267E2E7258149C311

Function 00007FF600AE71DC Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5dc7f97a53f24eb071f4a4c5281cd4cfcae3ea760a8a1df74637965631acf6
Instruction ID: f56ffc6484b203fa1afb2221d9f94248afa52c73bcd378e83e666e686666e70a
Opcode Fuzzy Hash: 3e5dc7f97a53f24eb071f4a4c5281cd4cfcae3ea760a8a1df74637965631acf6
Instruction Fuzzy Hash: BAD1C123A0C683A6EBA9CE29945027D27A0EB45B48F345235DE4D877DAFF3DE841D740

Function 00007FF600AED5C0 Relevance: .3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 21e64ea7c375e93a6d3691ec49e9bdd76ef4fc5f4d0d1dcdba5dc2295bd766ac
Instruction ID: 2441e02af497bd6e0e547dd0067f7b30d741c825ec54d30773a8b932eef76ec5
Opcode Fuzzy Hash: 21e64ea7c375e93a6d3691ec49e9bdd76ef4fc5f4d0d1dcdba5dc2295bd766ac
Instruction Fuzzy Hash: E0C1C467A086C6A5EB609B6298107BA67A4FB94788F604035DE8DC7BCEFF3CD545C700

Function 00007FF600AF73EC Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: d774b1686d68766547d9d0affe500116b26f703ac014ee2f743871d76f2ddb8c
Instruction ID: 7c41158baa6a6c03a7491303c94e71bc0671e429f89aa155313221b46756df60
Opcode Fuzzy Hash: d774b1686d68766547d9d0affe500116b26f703ac014ee2f743871d76f2ddb8c
Instruction Fuzzy Hash: 73B1E223A4C646A2EB64DFA5D411ABD33A5EB84B88F604231DA49C77CEDF3CE541C740

Function 00007FF600AE64C8 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf611d711d996cef35472e7504a5935af8ed11963d98eb5a37693ba2286e55b
Instruction ID: 477f3fb14dac67de2e68da22f1d2084bd206724aafa261768b462f1b57cabb80
Opcode Fuzzy Hash: 9cf611d711d996cef35472e7504a5935af8ed11963d98eb5a37693ba2286e55b
Instruction Fuzzy Hash: 3DB190739187859AEB648F29C05027C3BA0E769B88F391935CB4D8739EEF39E841C705

Function 00007FF600AEAF20 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c771e48c11f0d915594974b4bba5b1cef921b70c42e7a63ac30c42f7e56c6b99
Instruction ID: 8b5bb2feb1fadbd890fe013575d0c871ca0e632d53decdb7122baab9adbdd6d4
Opcode Fuzzy Hash: c771e48c11f0d915594974b4bba5b1cef921b70c42e7a63ac30c42f7e56c6b99
Instruction Fuzzy Hash: 8881C373A14A9196EB60DF65D4953BD23A0FB84BA8F204636EE1DC779AEF38D0418300

Function 00007FF600AEFFD0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06df77d5c41abf0c9103d11d2ff5cfa312f76e721c7628385afe64dabe37a34
Instruction ID: 634a90144edc17c0c11e0b4edf5538346de0850ffc07b13bed2a83c541accdcf
Opcode Fuzzy Hash: c06df77d5c41abf0c9103d11d2ff5cfa312f76e721c7628385afe64dabe37a34
Instruction Fuzzy Hash: 4481F173A4878196EBB4CF59A44077AAA95FB85794F204235DB8D83B8FDF3DD5408B00

Function 00007FF600AD2FA0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction ID: 63f8fdb2f6266ed99275b4f3344e951384713ad0ddfbaabca5d622bf0b0e6bbf
Opcode Fuzzy Hash: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction Fuzzy Hash: 6661F863B18B8952DE208B19E4416B97360F759780F645332EF9E87B59EF3DE280C340

Function 00007FF600AE5A1C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 78c3f58421dc1656ec569486a473e2fb323770637bcced58c5ee3455d9e0d61b
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 8B514777E14A9196E7648F39E05423837A0EB44B5CF344231DA4D9779AEF3AE853C740

Function 00007FF600AE51FC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 139aca4dc8ac8c7d9212f6c2a75fa83a1d32a83a3a4ffdde6eda2b45ecd27eff
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 04519777E18E9192E7648B39D05026837A0EB45BACF344131DE4D9779AEF3AE843C740

Function 00007FF600AE560C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: adc29118fe33157fc0fbd7e41fa55593235a301b5e44df58c40b8c71615c22c3
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: B5516137E18E9196E7248B39E05422837A0EB44B6CF794131CE4D9779AEF3AE853C740

Function 00007FF600AE5408 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: 0b97edaa6040f2ba3bd9461783150a9ff29867b05e77967d2ef8764fe4bfbd4b
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: DF517477E18A9196E7648B39E04423827A1EB54B5CF344131CE4D977DAEF3AE882C740

Function 00007FF600AE5818 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: 6b42d5bf8fa15991c59ce803bdf1b0d14ec2e927709fac298d38b5246b0e13a5
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: D2516037E18A9196E7648B39E04437837A0EB48B6CF344131DE4D9779AEF3AE842D740

Function 00007FF600AE4FF8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: 1cce5ae2ad1f5dc4b3db639247ce1465ee739c6bf8fae7a4062ccf3e73106190
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: 3E516437E18A9196E7249B39E04472827A0EB45B5DF344131DE4D9779AEF3AEC42C780

Function 00007FF600AEC7BC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 992bdeb28752ac81bb160f4e9466717d9b532df2d17ea574ae2dd87a94b6b211
Instruction ID: d77b529ce38a5bec26fe0741e16164340a6f3d32cab516bc6eb9a425b4fac95b
Opcode Fuzzy Hash: 992bdeb28752ac81bb160f4e9466717d9b532df2d17ea574ae2dd87a94b6b211
Instruction Fuzzy Hash: 8141E573714A9591EF08CF6AD9241A973A1BB88FD0B599032EE0DD7B59EF3DD4428340

Function 00000001800015A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2179097870.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2091618542.00000001800A4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179082431.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179132878.000000018006A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179132878.0000000180077000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179183910.000000018009C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2179196781.000000018009F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.3868202191.0000000180088000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7410739455344d3f1b4380a3079d3f807bb5113f299baa345570bc9df7def40
Instruction ID: af2ea3f49d7b04ca094969413a2835b0cf2eec1197b490f61ded8962570c81e9
Opcode Fuzzy Hash: a7410739455344d3f1b4380a3079d3f807bb5113f299baa345570bc9df7def40
Instruction Fuzzy Hash: B2F0E5617057099DFEEBC059DE293E22141870C7E7F0CA134ED4E462D5E85E99A88250

Function 00007FF600ADE814 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9500c7797480eaac07bce270d35ebf5893055aa53205c196292c9b063e5a007a
Instruction ID: 3daab7460f454fd132681f402dc7a8385b6cfc7d19a9612cc5fc430018b52409
Opcode Fuzzy Hash: 9500c7797480eaac07bce270d35ebf5893055aa53205c196292c9b063e5a007a
Instruction Fuzzy Hash: 6AA0022394CD43F4E604DB40E95413433B4FFA5700B6D0132C41ECA26A9F3DB540D355

Function 00007FF600AC4C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF600AC4C65
SwitchToThread.KERNEL32 ref: 00007FF600AC4C9D
SetLastError.KERNEL32 ref: 00007FF600AC4CDC
SetEvent.KERNEL32 ref: 00007FF600AC4D17
MsgWaitForMultipleObjects.USER32 ref: 00007FF600AC4D4B
PeekMessageW.USER32 ref: 00007FF600AC4D66
TranslateMessage.USER32 ref: 00007FF600AC4D75
DispatchMessageW.USER32 ref: 00007FF600AC4D80
PeekMessageW.USER32 ref: 00007FF600AC4D97
CloseHandle.KERNEL32 ref: 00007FF600AC4DC4
send.WS2_32 ref: 00007FF600AC4E01
SetEvent.KERNEL32 ref: 00007FF600AC4E18
WSACloseEvent.WS2_32 ref: 00007FF600AC4E2D
shutdown.WS2_32 ref: 00007FF600AC4E49
closesocket.WS2_32 ref: 00007FF600AC4E53
EnterCriticalSection.KERNEL32 ref: 00007FF600AC4E70
ResetEvent.KERNEL32 ref: 00007FF600AC4E7D
ResetEvent.KERNEL32 ref: 00007FF600AC4E8A
ResetEvent.KERNEL32 ref: 00007FF600AC4E97
SetEvent.KERNEL32 ref: 00007FF600AC4F2C
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4F39
SetLastError.KERNEL32 ref: 00007FF600AC4F79

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Event$Message$Reset$CloseCriticalErrorLastPeekSectionThread$CurrentDispatchEnterHandleLeaveMultipleObjectsSwitchTranslateWaitclosesocketsendshutdown
String ID:
API String ID: 4058177064-0
Opcode ID: d4a00dac0fba48dd619eb6ba1b780ae101c1c81bf132304460c16c28b79e9ffb
Instruction ID: 78fec828df55a837036574ad6b8532c6c904982d5caea430fa4d248fc62476d3
Opcode Fuzzy Hash: d4a00dac0fba48dd619eb6ba1b780ae101c1c81bf132304460c16c28b79e9ffb
Instruction Fuzzy Hash: 05917E33B08A82A7E7589B25D5546B973A4FF48B40F214935CB6EC379ACF38E4A4C700

Function 00007FF600AD0620 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF600AD0698
lstrlenW.KERNEL32 ref: 00007FF600AD06BA
wsprintfW.USER32 ref: 00007FF600AD0722
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF600AD0786
lstrcatW.KERNEL32 ref: 00007FF600AD07C1
lstrcatW.KERNEL32 ref: 00007FF600AD07CE
lstrcpyW.KERNEL32 ref: 00007FF600AD07DC
CreateProcessW.KERNEL32 ref: 00007FF600AD085B

Strings

h, xrefs: 00007FF600AD07E5
%s\shell\open\command, xrefs: 00007FF600AD0714
"%1, xrefs: 00007FF600AD078C
WinSta0\Default, xrefs: 00007FF600AD0813

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-551013563
Opcode ID: eac3ac33eed5e84588de99090fdd2237e456d1a0e0148cdd7090aa018ec508cf
Instruction ID: 977adc18b242adf8db76e283dfd7ccdf08addf353f2c6a5218a39b7acb7cfc02
Opcode Fuzzy Hash: eac3ac33eed5e84588de99090fdd2237e456d1a0e0148cdd7090aa018ec508cf
Instruction Fuzzy Hash: EB615F33A18B82A5EB20DB61D8406FE3365FB88748F644136DA4E96B9EEF7CD544C740

Function 00007FF600AC4270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF600AC429F
WSAIoctl.WS2_32 ref: 00007FF600AC42F8
setsockopt.WS2_32 ref: 00007FF600AC431D
setsockopt.WS2_32 ref: 00007FF600AC4342
WSACreateEvent.WS2_32 ref: 00007FF600AC4348
lstrlenW.KERNEL32 ref: 00007FF600AC4355
WideCharToMultiByte.KERNEL32 ref: 00007FF600AC4378
lstrlenW.KERNEL32 ref: 00007FF600AC4390
WideCharToMultiByte.KERNEL32 ref: 00007FF600AC43B3
gethostbyname.WS2_32 ref: 00007FF600AC43C0
htons.WS2_32 ref: 00007FF600AC43ED
WSAEventSelect.WS2_32 ref: 00007FF600AC4413
connect.WS2_32 ref: 00007FF600AC442D
WSAGetLastError.WS2_32 ref: 00007FF600AC443C

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 8e08f9f7998c143048245e45366c2262b6845e92db1a87c8a4e60d79f477c7ad
Instruction ID: 9e2bcc1a3d6dbb6f7becb810b1acd656594eab478222064f80455844a06272bc
Opcode Fuzzy Hash: 8e08f9f7998c143048245e45366c2262b6845e92db1a87c8a4e60d79f477c7ad
Instruction Fuzzy Hash: 39516633608B9196D724DF61E84066AB7A5FF88BA4F200235EE9E83B99CF3CD545C704

Function 00007FF600AD15A0 Relevance: 18.2, APIs: 12, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD15B9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD15DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD1608
std::_Facet_Register.LIBCPMT ref: 00007FF600AD1688
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD16A2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD16B2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD16D7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD1701
std::_Facet_Register.LIBCPMT ref: 00007FF600AD1777
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD1791
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600AD17AA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600AD17B0

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: abf8e540b54f698cc9b45021eb612f4fee3d5b077170ba2ec9f9a82e9aa791c4
Instruction ID: dea25dd96e8f898f121e52ea9f73e9cc6829cdb58064e32285d98c207dacf599
Opcode Fuzzy Hash: abf8e540b54f698cc9b45021eb612f4fee3d5b077170ba2ec9f9a82e9aa791c4
Instruction Fuzzy Hash: 71516037A48A42B1EA119B15E4441B937A0FB55B90F680233DE5F837AEDF3DE442C740

Function 00007FF600AC46A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF600AC46C7
WSAGetLastError.WS2_32 ref: 00007FF600AC46D8
WSAResetEvent.WS2_32 ref: 00007FF600AC4717
WSAEventSelect.WS2_32 ref: 00007FF600AC479C
WSAGetLastError.WS2_32 ref: 00007FF600AC47A7
timeGetTime.WINMM ref: 00007FF600AC47D2
timeGetTime.WINMM ref: 00007FF600AC481D
send.WS2_32 ref: 00007FF600AC4852
WSAGetLastError.WS2_32 ref: 00007FF600AC485D

Strings

, xrefs: 00007FF600AC48F8

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$EventTimetime$EnumEventsNetworkResetSelectsend
String ID:
API String ID: 957247320-3916222277
Opcode ID: 2310baa555e0df77a8bcfccd4f7fd94b27c56680d13eb448f7d2580fe2531f2f
Instruction ID: 811d00a1de5ea7eb41843dfc039490843d1c306ac68d108197d51c6d58a88a6e
Opcode Fuzzy Hash: 2310baa555e0df77a8bcfccd4f7fd94b27c56680d13eb448f7d2580fe2531f2f
Instruction Fuzzy Hash: 99716B73A08682ABE3608F69D49476977E0FB48B48F254434CB4DC379ACF7DE4858B44

Function 00007FF600AC5A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF600AC5AC4
WSASetLastError.WS2_32 ref: 00007FF600AC5C69
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC5C73

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: cb0b3ee4ce24505bbac61aa70540e6acda4bbb341cea077ae408a959c4223429
Instruction ID: 71cb31ba803debcf697a89a17712bc47bf019dd718aeca8b0e149ff28ab5933a
Opcode Fuzzy Hash: cb0b3ee4ce24505bbac61aa70540e6acda4bbb341cea077ae408a959c4223429
Instruction Fuzzy Hash: 3961B133B08A42A6E7589B26D444A7E6365FF84B81FA24431DA1EC779ADF3CF495C700

Function 00007FF600AC5090 Relevance: 16.6, APIs: 11, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF600AC50F5
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC5107
SetLastError.KERNEL32 ref: 00007FF600AC51DB

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 31685a7c47cc355b0b84d769594d8f48275261b6e3cd822618b6b5c873848fb6
Instruction ID: 96012c249d5ed9d08f9bf78df26ba8e9d116494389ad54abefecdfadd94d9def
Opcode Fuzzy Hash: 31685a7c47cc355b0b84d769594d8f48275261b6e3cd822618b6b5c873848fb6
Instruction Fuzzy Hash: B131B622B0CA43A6E758AB65988C67A2355FF45B85F390530EA0EC779ACF2CF485C700

Function 00007FF600AD0B40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF600AD0B91
RegDeleteValueW.ADVAPI32 ref: 00007FF600AD0B9F
RegCloseKey.ADVAPI32 ref: 00007FF600AD0BAA
RegCreateKeyW.ADVAPI32 ref: 00007FF600AD0BCA
lstrlenW.KERNEL32 ref: 00007FF600AD0BD7
RegSetValueExW.ADVAPI32 ref: 00007FF600AD0BF9
RegCloseKey.ADVAPI32 ref: 00007FF600AD0C04

Strings

VenNetwork, xrefs: 00007FF600AD0B69
Software, xrefs: 00007FF600AD0B73

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: Software$VenNetwork
API String ID: 3197061591-1820303132
Opcode ID: b270a5905e67aa2bd04960c5a5af98d5e64a07028cd1629e036b508084a2e799
Instruction ID: b4e0e06779a1d08e8b17281885f5e0c108b0fc08ef4683034b8843a21ed9dff2
Opcode Fuzzy Hash: b270a5905e67aa2bd04960c5a5af98d5e64a07028cd1629e036b508084a2e799
Instruction Fuzzy Hash: 4B216F36608A4096E7108B62E84466AB765FB84BE5F544131DE4D83B69DF7CD149CB04

Function 00007FF600AC5FC0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF600AC5FE4
EnterCriticalSection.KERNEL32 ref: 00007FF600AC6004
SetLastError.KERNEL32 ref: 00007FF600AC6016
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC606F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: daa85d6e6a81f6d236355c9ea9004f697aded8e3aa47a9236808cebcd2b51b32
Instruction ID: dce89721d6f9fa625eeceadb1c8cec4f1d2035188c8e7360a1c6080675151fb8
Opcode Fuzzy Hash: daa85d6e6a81f6d236355c9ea9004f697aded8e3aa47a9236808cebcd2b51b32
Instruction Fuzzy Hash: 2451BC33A086429BE764DB15E440A7D77A9FF48B81F268539DE4E8735ACF38E845C740

Function 00007FF600AE4880 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE48C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE4C88
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE4F27

Strings

p, xrefs: 00007FF600AE49CA
f, xrefs: 00007FF600AE49C2
p, xrefs: 00007FF600AE4965
f, xrefs: 00007FF600AE4B0D
f, xrefs: 00007FF600AE4958

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction ID: bee14b354e3d265aa551910236cec708a876acf328cb44af7d69ca9f40bb1455
Opcode Fuzzy Hash: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction Fuzzy Hash: 84126333A0D1C3A5FB605E14E0546B97669FB88B54FA84135E789877CEEF3CE9808B14

Function 00007FF600AC4080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FF600AC40C6
setsockopt.WS2_32 ref: 00007FF600AC4165
setsockopt.WS2_32 ref: 00007FF600AC418F
ResetEvent.KERNEL32 ref: 00007FF600AC41DE
SetLastError.KERNEL32 ref: 00007FF600AC420A
WSAGetLastError.WS2_32 ref: 00007FF600AC4216
SetLastError.KERNEL32 ref: 00007FF600AC4228
GetLastError.KERNEL32 ref: 00007FF600AC4241
SetLastError.KERNEL32 ref: 00007FF600AC4253

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateEventResetTimerWaitable
String ID:
API String ID: 2911610646-0
Opcode ID: 34ebcb83ecca3e20ff49f256afc65ca9a808d404bf61d5c783bec37bfef76818
Instruction ID: 29666b3132a948bd5614a6912aa8d2cf35e06c965d736f9b22dd2687fa58a43a
Opcode Fuzzy Hash: 34ebcb83ecca3e20ff49f256afc65ca9a808d404bf61d5c783bec37bfef76818
Instruction Fuzzy Hash: 91519B73A05A82ABE7148F65E9147AAB3A0FB48345F200534DB4D87BA5DF7DE465CB00

Function 00007FF600AC5D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5D5E
timeGetTime.WINMM(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5D95
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5DB5
timeGetTime.WINMM(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5DFA
SetEvent.KERNEL32 ref: 00007FF600AC5E27
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC5E3B
WSASetLastError.WS2_32(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5E52
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5E61
WSASetLastError.WS2_32(?,?,-00000004,00007FF600AC49B9), ref: 00007FF600AC5E73

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 4019db875c6352495a6e2a967cb07e89537093c69e3cddfa206385f108ce449b
Instruction ID: fd51d2384b618d7fd7801275d7396b9e1f9162597b41d11ec7052fc0cb724b2d
Opcode Fuzzy Hash: 4019db875c6352495a6e2a967cb07e89537093c69e3cddfa206385f108ce449b
Instruction Fuzzy Hash: 9A413933E08A429BE7619B65E44463EB3A5FB84754F250535EA4E83B9ADF3CF9C18700

Function 00007FF600AC5E90 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF600AC5EAA
TryEnterCriticalSection.KERNEL32 ref: 00007FF600AC5ECB
TryEnterCriticalSection.KERNEL32 ref: 00007FF600AC5EDD
SetLastError.KERNEL32 ref: 00007FF600AC5EF6
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC5F00
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC5F0A

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: bf041e3c240114bd2df664f35279ad8215a3420238d0dd4b213a5f2d55893e77
Instruction ID: 0ffc3bf38874b83124371a21c68657eda573041f144478f1138bbe55230550a3
Opcode Fuzzy Hash: bf041e3c240114bd2df664f35279ad8215a3420238d0dd4b213a5f2d55893e77
Instruction Fuzzy Hash: 0D313B33A18942AAE7948F74D84467D33A8FF44B49F640439EA0EC679ADF3CE499C741

Function 00007FF600AE0EA8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF600AE0F05

Part of subcall function 00007FF600AE3268: __GetUnwindTryBlock.LIBCMT ref: 00007FF600AE32AB
Part of subcall function 00007FF600AE3268: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF600AE32D0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF600AE0FDD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF600AE122B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF600AE1338

Strings

csm, xrefs: 00007FF600AE1000
csm, xrefs: 00007FF600AE0F1F
csm, xrefs: 00007FF600AE0F86

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: cb5b3d42660800b6706ee9e5169d6ae77bc1ec10b54460efee445a81ffa0bcf3
Instruction ID: 5e7ad3bec540d092a82ea8714684db5a30afe94e0658a7a981f2164621c8e8e4
Opcode Fuzzy Hash: cb5b3d42660800b6706ee9e5169d6ae77bc1ec10b54460efee445a81ffa0bcf3
Instruction Fuzzy Hash: C5D16033A087929AEB20DB6594407AD77A0FB55798F204135EF8D97B9BEF38E191C700

Function 00007FF600AF0B54 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF600AF0CD0
GetProcAddress.KERNEL32 ref: 00007FF600AF0CDC

Strings

ext-ms-, xrefs: 00007FF600AF0C2D
api-ms-, xrefs: 00007FF600AF0C1A

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: c5e8058506f29389ada01458bdd8bed04f407a28a220f5367f3ecbd3c22801fb
Instruction ID: 9c1bbe404d08794d907a5066668ce21d2cf7747e4ca4b0f05277de2e6936f690
Opcode Fuzzy Hash: c5e8058506f29389ada01458bdd8bed04f407a28a220f5367f3ecbd3c22801fb
Instruction Fuzzy Hash: 59411663B59A02A5FA25CB56A800A762398FF45BD0F654635DD4ECB78FEF3CE4468300

Function 00007FF600ACE01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF600ACE0E9
WriteFile.KERNEL32 ref: 00007FF600ACE119
CloseHandle.KERNEL32 ref: 00007FF600ACE12A
lstrlenW.KERNEL32 ref: 00007FF600ACE135
wsprintfW.USER32 ref: 00007FF600ACE159
lstrcpyW.KERNEL32 ref: 00007FF600ACE168

Part of subcall function 00007FF600AD0620: lstrlenW.KERNEL32 ref: 00007FF600AD0698
Part of subcall function 00007FF600AD0620: wsprintfW.USER32 ref: 00007FF600AD0722
Part of subcall function 00007FF600AD0620: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF600AD0786
Part of subcall function 00007FF600AD0620: lstrcatW.KERNEL32 ref: 00007FF600AD07C1
Part of subcall function 00007FF600AD0620: lstrcatW.KERNEL32 ref: 00007FF600AD07CE

Strings

%s %s, xrefs: 00007FF600ACE152

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Filelstrcatlstrlenwsprintf$CloseCreateEnvironmentExpandHandleStringsWritelstrcpy
String ID: %s %s
API String ID: 958574092-2939940506
Opcode ID: 9d4b93ecebe44ad3dcfc41bef5c72ffa3e96dd61b2b13565d963145b1ed2cd72
Instruction ID: cad3e4f0fdf290766f1c217d1826aeaa042fa7c780c619c340198664e9048886
Opcode Fuzzy Hash: 9d4b93ecebe44ad3dcfc41bef5c72ffa3e96dd61b2b13565d963145b1ed2cd72
Instruction Fuzzy Hash: 24414B23A18BC692E721CF28D9042FD2360FBA4B48F25A335DB4D56656EF39E2D5C300

Function 00007FF600AC4A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF600AC4AD0
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4B20
send.WS2_32 ref: 00007FF600AC4B49
EnterCriticalSection.KERNEL32 ref: 00007FF600AC4B58
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4B6F
WSAGetLastError.WS2_32 ref: 00007FF600AC4BA9
EnterCriticalSection.KERNEL32 ref: 00007FF600AC4BB9
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4BFB

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastsend
String ID:
API String ID: 3480985631-0
Opcode ID: 223d6e403172c637e9da5f06492e840e62a0238e832c6a19f43c9c4cbc36de86
Instruction ID: f0bc6bf30c6c8f8ddce94a671ff00d31b33bba8b737aa1891301300fc185b147
Opcode Fuzzy Hash: 223d6e403172c637e9da5f06492e840e62a0238e832c6a19f43c9c4cbc36de86
Instruction Fuzzy Hash: CA416A33608B82A6E7548F26E5506AC73A4FB08F98F250535CE1E87B5ECF38E595C704

Function 00007FF600AE9720 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE9763
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE9B50
_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE9DEC

Strings

p, xrefs: 00007FF600AE988D
f, xrefs: 00007FF600AE9885
p, xrefs: 00007FF600AE9815

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction ID: 6f97070ebb50a65e5ae411c7476f07d4fb31d3b4bc689c019875fd7a3297b0c6
Opcode Fuzzy Hash: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction Fuzzy Hash: 80126163A0C3D3A6FB249A15E4542BB7656FB40754FA44135E69987BCEFF3CE5808B00

Function 00007FF600AC4470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF600AC448E
SetWaitableTimer.KERNEL32 ref: 00007FF600AC44C3
WSAWaitForMultipleEvents.WS2_32 ref: 00007FF600AC456D
GetCurrentThreadId.KERNEL32 ref: 00007FF600AC4676

Part of subcall function 00007FF600AC4A90: EnterCriticalSection.KERNEL32 ref: 00007FF600AC4AD0
Part of subcall function 00007FF600AC4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4B20
Part of subcall function 00007FF600AC4A90: send.WS2_32 ref: 00007FF600AC4B49
Part of subcall function 00007FF600AC4A90: EnterCriticalSection.KERNEL32 ref: 00007FF600AC4B58
Part of subcall function 00007FF600AC4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4B6F
Part of subcall function 00007FF600AC4A90: WSAGetLastError.WS2_32 ref: 00007FF600AC4BA9
Part of subcall function 00007FF600AC4A90: EnterCriticalSection.KERNEL32 ref: 00007FF600AC4BB9
Part of subcall function 00007FF600AC4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4BFB

SetLastError.KERNEL32 ref: 00007FF600AC4616

Part of subcall function 00007FF600AC5FC0: SetLastError.KERNEL32 ref: 00007FF600AC5FE4

GetLastError.KERNEL32 ref: 00007FF600AC461C
WSAGetLastError.WS2_32 ref: 00007FF600AC4641

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterLeave$CurrentThread$EventsMultipleTimerWaitWaitablesend
String ID:
API String ID: 2807917265-0
Opcode ID: b86a4d89a2a610e9370193a82eb041067802b0227bafa79ad6b9f02f0420e125
Instruction ID: a705cb47a7e345ff913f5e8fad20dc6d37cd8dd7d449397cc02d7ce1d7b88018
Opcode Fuzzy Hash: b86a4d89a2a610e9370193a82eb041067802b0227bafa79ad6b9f02f0420e125
Instruction Fuzzy Hash: 22517133A0864296EB608F259860A7933A4FF09B58F251A35DE2DC77DEDF38E8408704

Function 00007FF600ACB9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600ACBA4B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF600ACBA93
_Getctype.LIBCPMT ref: 00007FF600ACBAAB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600ACBB63
_Getwctype.LIBCPMT ref: 00007FF600ACBBB1

Strings

bad locale name, xrefs: 00007FF600ACBB86

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 69cc4a8b7b19662485723bada806c81d00e2c443d81482d7207a293efd463004
Instruction ID: 9ca53561bb9b98608f17477122a2865f465dc1a6153891d104048c6cef457075
Opcode Fuzzy Hash: 69cc4a8b7b19662485723bada806c81d00e2c443d81482d7207a293efd463004
Instruction Fuzzy Hash: 13518823B19B81AAFB14DBB0D4512BC3370EF84748F544535DE8EA6B9ADF38E9568310

Function 00007FF600AD1E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF600AD1E80
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF600AD1EC8
_Getcoll.LIBCPMT ref: 00007FF600AD1EE0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF600AD1F6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD1FC9

Strings

bad locale name, xrefs: 00007FF600AD1FCF

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: std::_$Lockit$GetcollLocinfo::_Locinfo_ctorLockit::_Lockit::~__invalid_parameter_noinfo_noreturn
String ID: bad locale name
API String ID: 3908275632-1405518554
Opcode ID: 003808105e7b261864adc6970d8c37b00b83fd0dc8e90f8d604ba696fd0a2e67
Instruction ID: ace6e69d0dfc6c710c5b5cd229eb5c081a06b9796db948d4730702fbfe6aec3b
Opcode Fuzzy Hash: 003808105e7b261864adc6970d8c37b00b83fd0dc8e90f8d604ba696fd0a2e67
Instruction Fuzzy Hash: 90512823B09A81A9FB10DBB0D4503BC33A5AF89748F644136DE4EA7B9EDF38D5569340

Function 00007FF600AE37CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF600AE3A7E,?,?,?,00007FF600AE3770,?,?,?,00007FF600AE03A9), ref: 00007FF600AE3851
GetLastError.KERNEL32(?,?,?,00007FF600AE3A7E,?,?,?,00007FF600AE3770,?,?,?,00007FF600AE03A9), ref: 00007FF600AE385F
LoadLibraryExW.KERNEL32(?,?,?,00007FF600AE3A7E,?,?,?,00007FF600AE3770,?,?,?,00007FF600AE03A9), ref: 00007FF600AE3889
FreeLibrary.KERNEL32(?,?,?,00007FF600AE3A7E,?,?,?,00007FF600AE3770,?,?,?,00007FF600AE03A9), ref: 00007FF600AE38F7
GetProcAddress.KERNEL32(?,?,?,00007FF600AE3A7E,?,?,?,00007FF600AE3770,?,?,?,00007FF600AE03A9), ref: 00007FF600AE3903

Strings

api-ms-, xrefs: 00007FF600AE3871

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bdcdafd802d049a58c0b09305f9ac5b25268f61174ed16779f6a01e1bd42f6da
Instruction ID: e5e61f124ed02f4ce437f6d314e194575d3725c8557fca3cf1f9f1b4f933fed9
Opcode Fuzzy Hash: bdcdafd802d049a58c0b09305f9ac5b25268f61174ed16779f6a01e1bd42f6da
Instruction Fuzzy Hash: C531B823B1AB82B5EE65DB42A40457523D4BF44BA0F690535ED1D8B39AFF3CE545C300

Function 00007FF600AD0C20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF600AD0C30
GetFileAttributesW.KERNEL32 ref: 00007FF600AD0CBD
GetLastError.KERNEL32 ref: 00007FF600AD0CCC
CreateProcessW.KERNEL32 ref: 00007FF600AD0D59

Strings

WinSta0\Default, xrefs: 00007FF600AD0CEB
h, xrefs: 00007FF600AD0D39

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 870f49fa05843601a7de3c6d96955c487a9850f25a13aeef8c58cbc4c90edb6f
Instruction ID: 8acd34f1e2c7090886b1311ff6f5d9e3b3c44ec8462ae5cac314622f5e31dea7
Opcode Fuzzy Hash: 870f49fa05843601a7de3c6d96955c487a9850f25a13aeef8c58cbc4c90edb6f
Instruction Fuzzy Hash: 67315522A087C255D6708B55B5043BA7395FB99790F505335EA9D87B9AEF3CD0948700

Function 00007FF600AEED10 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED1F
FlsGetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED34
FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED55
FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED82
FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEED93
FlsSetValue.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDA4
SetLastError.KERNEL32(?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F,?,?,?,00007FF600AE66E3), ref: 00007FF600AEEDBF

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f2de6421f07b29a90cfdc6310c4a09f0568ac7a9393794dea83b72160e9ddcb3
Instruction ID: ca5835fafb11f5ce55491cfb22e3fd16e0f0addec2200a98a5fe8f173ee3ec91
Opcode Fuzzy Hash: f2de6421f07b29a90cfdc6310c4a09f0568ac7a9393794dea83b72160e9ddcb3
Instruction Fuzzy Hash: E5216D22A0D28362FAA8A361598517953869F887F0F740738E83EC77DFEE2CB4018300

Function 00007FF600AFCF20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF600AFCF51
GetLastError.KERNEL32 ref: 00007FF600AFCF5D
CloseHandle.KERNEL32 ref: 00007FF600AFCF75
CreateFileW.KERNEL32 ref: 00007FF600AFCFA0
WriteConsoleW.KERNEL32 ref: 00007FF600AFCFBF

Strings

CONOUT$, xrefs: 00007FF600AFCF81

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 459cac5f161fe15dedf5efeb1a5c45af724dbddd491f92cbd2d9a7ab51bbc5e3
Instruction ID: 483544bb4afc4fa7d7418d2852bd4f65de50d6954e48833a773bf8dcd1ab46ff
Opcode Fuzzy Hash: 459cac5f161fe15dedf5efeb1a5c45af724dbddd491f92cbd2d9a7ab51bbc5e3
Instruction Fuzzy Hash: 48119032B58B4196E3508B92E854339B6A4FF89BE4F600234EA6EC77A9CF3CD5148744

Function 00007FF600ACACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF600ACAD09
CreateFileW.KERNEL32 ref: 00007FF600ACAD3D
SetFilePointer.KERNEL32 ref: 00007FF600ACAD62
lstrlenW.KERNEL32 ref: 00007FF600ACAD6B
WriteFile.KERNEL32 ref: 00007FF600ACAD89
CloseHandle.KERNEL32 ref: 00007FF600ACAD92
ReleaseMutex.KERNEL32 ref: 00007FF600ACAD9F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 1770146ed1a2281a067c6a80d48e2834b530e15e6b9c6a9fb3f6106c2579b985
Instruction ID: 8ff4423e6bcbac6e67647aeee76df4977f6ce963e4a2dbe8461e3a21822fa864
Opcode Fuzzy Hash: 1770146ed1a2281a067c6a80d48e2834b530e15e6b9c6a9fb3f6106c2579b985
Instruction Fuzzy Hash: C511517670864296F7109B55F808776B364FF84BA4F644230EA6E437E9CF7CD4498704

Function 00007FF600ACEF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF600ACEF4F
RegDeleteValueW.ADVAPI32 ref: 00007FF600ACEF63
RegSetValueExW.ADVAPI32 ref: 00007FF600ACEF8D
RegCloseKey.ADVAPI32 ref: 00007FF600ACEF9A

Strings

Console, xrefs: 00007FF600ACEF41
IpDatespecial, xrefs: 00007FF600ACEF5C, 00007FF600ACEF70

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: 227ad8f4b06cdb6b08930102bada313d7f8b98b7889bc09013c0be248a67a942
Instruction ID: 403d818af4fca29162ad105b7702ba9b9ea3700375e3569a228967fbdac86dfb
Opcode Fuzzy Hash: 227ad8f4b06cdb6b08930102bada313d7f8b98b7889bc09013c0be248a67a942
Instruction Fuzzy Hash: 28015B37608E819AE7218F24EC10BA93760EB85BA5F144132CA4E83B5ADF3DD199CB04

Function 00007FF600AC9380 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF600AC9399
GetCommandLineW.KERNEL32 ref: 00007FF600AC939F
GetStartupInfoW.KERNEL32 ref: 00007FF600AC93AD
CreateProcessW.KERNEL32 ref: 00007FF600AC93F0
ExitProcess.KERNEL32 ref: 00007FF600AC93FB

Strings

, xrefs: 00007FF600AC93E4

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: aa1260efbfd046cd4269c4db6a47a0747b5d48ad13e0b0b72107f694596a2f32
Instruction ID: 0f3e7bfad56261c092565f924b7bf87cf9ea9b2bae26f08133ca4a2b66175f0f
Opcode Fuzzy Hash: aa1260efbfd046cd4269c4db6a47a0747b5d48ad13e0b0b72107f694596a2f32
Instruction Fuzzy Hash: CBF01232658A8196DB608B60F84876AB3A4FB89744F500235D68E87B68DF7CC149CB00

Function 00007FF600AC4940 Relevance: 9.1, APIs: 6, Instructions: 80networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF600AC4964
SetLastError.KERNEL32 ref: 00007FF600AC4977
WSAGetLastError.WS2_32 ref: 00007FF600AC49C8
SetLastError.KERNEL32 ref: 00007FF600AC4A32
WSASetLastError.WS2_32 ref: 00007FF600AC4A3D
GetLastError.KERNEL32 ref: 00007FF600AC4A43

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 1bfb22ba95e7e7656d2d5e0fb302539e9b3bee6e0c9b932fa958a4b538105933
Instruction ID: 249940902f810d9187f3e996515c7fa957d3295374d368ca501c34d9910fc615
Opcode Fuzzy Hash: 1bfb22ba95e7e7656d2d5e0fb302539e9b3bee6e0c9b932fa958a4b538105933
Instruction Fuzzy Hash: E2317233A0CA4295EB609F29E45477D63A1EF49B88F650935CA0DC739EDF3DD8848709

Function 00007FF600AE1378 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF600AE1516
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF600AE183F

Strings

csm, xrefs: 00007FF600AE145D
csm, xrefs: 00007FF600AE14BF
csm, xrefs: 00007FF600AE153D

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: f0c8ce6e5c114cb55c7e972b5d7e00f12528d3fa075699b5c4d5ef1c378b05c7
Instruction ID: 3a2fd29174b13c6b9f23de5d31eb28822029177dbecae525034f1d663b039217
Opcode Fuzzy Hash: f0c8ce6e5c114cb55c7e972b5d7e00f12528d3fa075699b5c4d5ef1c378b05c7
Instruction Fuzzy Hash: 95E18E73A087929AE7209F74D4807AD37A0FB45B48F254136EE9D9779BEE38E581C700

Function 00007FF600AC5300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF600AC531C
ResetEvent.KERNEL32 ref: 00007FF600AC5329
timeGetTime.WINMM ref: 00007FF600AC532F
WaitForSingleObject.KERNEL32 ref: 00007FF600AC5379
ResetEvent.KERNEL32 ref: 00007FF600AC5396

Part of subcall function 00007FF600AC4C50: GetCurrentThreadId.KERNEL32 ref: 00007FF600AC4C65
Part of subcall function 00007FF600AC4C50: SwitchToThread.KERNEL32 ref: 00007FF600AC4C9D
Part of subcall function 00007FF600AC4C50: SetLastError.KERNEL32 ref: 00007FF600AC4CDC

ResetEvent.KERNEL32 ref: 00007FF600AC53BD

Part of subcall function 00007FF600AE8BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8C0B

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: EventReset$Thread$CurrentErrorLastObjectSingleSwitchTimeWait_invalid_parameter_noinfotime
String ID:
API String ID: 2235205178-0
Opcode ID: 590f28aa241335ba61f28d79a4cf37bde6970dd5790133cda3c336355218676e
Instruction ID: 0415c23c03e35df748eed51320b9efab8bef59b61ffdb296bfeee9ed266c3567
Opcode Fuzzy Hash: 590f28aa241335ba61f28d79a4cf37bde6970dd5790133cda3c336355218676e
Instruction Fuzzy Hash: D4216B32A08A8196EB508F25E85426A73A4FF88B99F284531EE4DD776ACF38D4818740

Function 00007FF600AEEE88 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEE97
FlsSetValue.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEECD
FlsSetValue.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEEFA
FlsSetValue.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEF0B
FlsSetValue.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEF1C
SetLastError.KERNEL32(?,?,00002C1F5E3C02FD,00007FF600AE8DA5,?,?,?,?,00007FF600AF27E6,?,?,00000000,00007FF600AEA69B,?,?,?), ref: 00007FF600AEEF37

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 3654d854b1b7b54d09208102c236c7adbe92e0b1e90858cb6ea83a43bfdf338d
Instruction ID: 23461ea51f3634669604aa84a77155602b03bd4bc0a900f8cda2b2c10d1e2a1c
Opcode Fuzzy Hash: 3654d854b1b7b54d09208102c236c7adbe92e0b1e90858cb6ea83a43bfdf338d
Instruction Fuzzy Hash: F2116D22B1D68362FA68A771655547962565F887F0F744738E83EC77CFEE6CB4018300

Function 00007FF600AEBF30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF600AEBF55
GetProcAddress.KERNEL32 ref: 00007FF600AEBF6B
FreeLibrary.KERNEL32 ref: 00007FF600AEBF92

Strings

mscoree.dll, xrefs: 00007FF600AEBF4C
CorExitProcess, xrefs: 00007FF600AEBF64

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 69936be9a3c9092073ccdecace5a334f9bb4337f6d94747144cad9e03172cb9f
Instruction ID: e74c6fd30bf521267bc80dfc3251c0751b8d060f2eb58b16e13639618f6eb69a
Opcode Fuzzy Hash: 69936be9a3c9092073ccdecace5a334f9bb4337f6d94747144cad9e03172cb9f
Instruction Fuzzy Hash: 10F0F667B29B02A5EB108B64E84837A6364FF497A0F640235C96EC63F9DF2DD048C710

Function 00007FF600ACEFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF600ACEFC9
RegDeleteValueW.ADVAPI32 ref: 00007FF600ACEFDD
RegCloseKey.ADVAPI32 ref: 00007FF600ACEFEA

Strings

Console, xrefs: 00007FF600ACEFBB
IpDatespecial, xrefs: 00007FF600ACEFD6

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 428edfecf080eeaca7e0c1c67ef556d191498152a1b600a56db6dc59e929ff35
Instruction ID: 9403e6a9110efdb562a63742bc70f369cbd1e52e39a17d7b34714102025f3e1c
Opcode Fuzzy Hash: 428edfecf080eeaca7e0c1c67ef556d191498152a1b600a56db6dc59e929ff35
Instruction Fuzzy Hash: 63F0F936608DC195E7208B18EC10BA97364EB8476AF100131C91D97B6DEF39D59A8B04

Function 00007FF600AE0778 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF600AE089B
__AdjustPointer.LIBCMT ref: 00007FF600AE08E6

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 95c273c5d9a602b1e514679a9057b242ded82a174dba946a287035d63dc3020a
Instruction ID: dd8957701c26a4f1d86f24f7092fe268f0fc574aa755ad7f6585b82f3c5b88f1
Opcode Fuzzy Hash: 95c273c5d9a602b1e514679a9057b242ded82a174dba946a287035d63dc3020a
Instruction Fuzzy Hash: 8FB1B423E0ABC6A5FA659F119450A396290EF54B84F258436DE8D8778FEFBCE481C740

Function 00007FF600AFC95C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF600AFC984
_set_statfp.LIBCMT ref: 00007FF600AFC99F
_set_statfp.LIBCMT ref: 00007FF600AFC9BB
_set_statfp.LIBCMT ref: 00007FF600AFC9F7

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction ID: 54fcb516a57197737b2284ab6cfcb75a13d5cdb37a7f11bb4aca57ebc60988a1
Opcode Fuzzy Hash: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction Fuzzy Hash: 34117723E9CA0B21F76411AAD79637551596F55370F780A34E6AEC63DFCEAC69404310

Function 00007FF600AEEF50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF600AE3C9B,?,?,00000000,00007FF600AE3F36,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AEEF6F
FlsSetValue.KERNEL32(?,?,?,00007FF600AE3C9B,?,?,00000000,00007FF600AE3F36,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AEEF8E
FlsSetValue.KERNEL32(?,?,?,00007FF600AE3C9B,?,?,00000000,00007FF600AE3F36,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AEEFB6
FlsSetValue.KERNEL32(?,?,?,00007FF600AE3C9B,?,?,00000000,00007FF600AE3F36,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AEEFC7
FlsSetValue.KERNEL32(?,?,?,00007FF600AE3C9B,?,?,00000000,00007FF600AE3F36,?,?,?,?,?,00007FF600AE3EC2), ref: 00007FF600AEEFD8

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4047813a2c2501da88736eb8979464a470432fe091b6a2381c64cb1679d0dde5
Instruction ID: 1dafd10a0d9d5c581b481b278b35f555a46ddd90575ecbf139acf39efa71e40d
Opcode Fuzzy Hash: 4047813a2c2501da88736eb8979464a470432fe091b6a2381c64cb1679d0dde5
Instruction Fuzzy Hash: F3115E22F0968262FAA8E365A55157962456F843F0F745338E87EC67DFEE3CF4028300

Function 00007FF600AEEDE4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F), ref: 00007FF600AEEDF5
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F), ref: 00007FF600AEEE14
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F), ref: 00007FF600AEEE3C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F), ref: 00007FF600AEEE4D
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF600AF7113,?,?,?,00007FF600AEF444,?,?,?,00007FF600AE843F), ref: 00007FF600AEEE5E

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f4b63a2d358e16832ea89596edc1dbf90b4b2fd2f1616095919a36d422ba38cd
Instruction ID: 7c6008e12001cf80539cd741ed7711c0fbf3f98cc9c73a6dd59415d56e93b575
Opcode Fuzzy Hash: f4b63a2d358e16832ea89596edc1dbf90b4b2fd2f1616095919a36d422ba38cd
Instruction Fuzzy Hash: 53110C12E4928372FAA8A261585257912865F49370F781B38E93ECA3DFEE3CB4414341

Function 00007FF600AC56C0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF600AC56E5
EnterCriticalSection.KERNEL32 ref: 00007FF600AC56EF
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC56FF
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC5709

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7d1c33e0fc199dc1a1b2b98ae86d416f77ce0655480dcc5f384a8a26f1c27f0c
Instruction ID: 97441bbd3d4e861781f65229014fcf2690a6b208d1c31e28ec9337ced628f52f
Opcode Fuzzy Hash: 7d1c33e0fc199dc1a1b2b98ae86d416f77ce0655480dcc5f384a8a26f1c27f0c
Instruction Fuzzy Hash: DE11DA32A2894297EB909B65F4943BA6360FF44759F951431EB8F86B59CF3CE4C6C700

Function 00007FF600ACC0C0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF600ACC103
EnterCriticalSection.KERNEL32(?,?,?,00007FF600ACC094), ref: 00007FF600ACC115
EnterCriticalSection.KERNEL32 ref: 00007FF600ACC125
GdiplusShutdown.GDIPLUS ref: 00007FF600ACC133
LeaveCriticalSection.KERNEL32 ref: 00007FF600ACC140

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: cb3a45266a7c72afb3eef7b31d32061257325c5ad6beb33f20a6e81f88ef5b24
Instruction ID: 5d256b1de6bdd01e7efd196435db05dacac4706ede1665f5b3d14783b2e95049
Opcode Fuzzy Hash: cb3a45266a7c72afb3eef7b31d32061257325c5ad6beb33f20a6e81f88ef5b24
Instruction Fuzzy Hash: 2D115833505B4295EB008F69E84002973B8FF08FA9B284236D65D833AADF38D892C340

Function 00007FF600AC5640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF600AC5652
WaitForSingleObject.KERNEL32 ref: 00007FF600AC5664
Sleep.KERNEL32 ref: 00007FF600AC566F
CloseHandle.KERNEL32 ref: 00007FF600AC568C
CloseHandle.KERNEL32 ref: 00007FF600AC5699

Part of subcall function 00007FF600AC4C50: GetCurrentThreadId.KERNEL32 ref: 00007FF600AC4C65
Part of subcall function 00007FF600AC4C50: SwitchToThread.KERNEL32 ref: 00007FF600AC4C9D
Part of subcall function 00007FF600AC4C50: SetLastError.KERNEL32 ref: 00007FF600AC4CDC

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CloseHandleObjectSingleThreadWait$CurrentErrorLastSleepSwitch
String ID:
API String ID: 1535946027-0
Opcode ID: 311de798c0593289d29e071e9f78a1d734eb52b4581ef33c1cbfd426072e5f36
Instruction ID: 235f2f20cbcb86d931c14258c5f041f6c29f8f30a171ea79cf3528e859dd41aa
Opcode Fuzzy Hash: 311de798c0593289d29e071e9f78a1d734eb52b4581ef33c1cbfd426072e5f36
Instruction Fuzzy Hash: A3F0F937A44A4596EB149F79E8541792324FF89F6AF284230DA2E873E9CF38D885C350

Function 00007FF600AE1AEC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF600AE1B5C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF600AE1BA7

Strings

MOC, xrefs: 00007FF600AE1B70
RCC, xrefs: 00007FF600AE1B78

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 85eb8fbd3e06a99c4afa559b4d80cf249f4e954e0195537aa802c98b0a840f84
Instruction ID: 2e7cd9c67bc8fc78f4a260f4d93923353124795c3f4d6e87b2012021cd0e8304
Opcode Fuzzy Hash: 85eb8fbd3e06a99c4afa559b4d80cf249f4e954e0195537aa802c98b0a840f84
Instruction Fuzzy Hash: 5B91A273A087959AE710DF65D8806ED77A0FB44788F204136EE8D97B5AEF38D195C700

Function 00007FF600ADFD28 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF600ADFD53
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF600ADFDEA
RtlUnwindEx.KERNEL32 ref: 00007FF600ADFE44

Strings

csm, xrefs: 00007FF600ADFDD1

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c305225e0e2b3a2203a822812f960376c115b044745f784688940b7b0a399dcc
Instruction ID: faedc05094ea298e99e13aebcdf3ae7525bd48ebbc0df0d751951f3f70f7f2d9
Opcode Fuzzy Hash: c305225e0e2b3a2203a822812f960376c115b044745f784688940b7b0a399dcc
Instruction Fuzzy Hash: 7F518E33A19642AEDB14CB15E444A7A7792EB44B88F248136EE4F8779EDF7DE841C700

Function 00007FF600AE206C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF600AE2094
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF600AE217C

Strings

csm, xrefs: 00007FF600AE20B6
csm, xrefs: 00007FF600AE21CE

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 544592ab7251effa554c0990b2f03f08321f7b0f5e6baf8f1fc1d42750b8d711
Instruction ID: d08d17fe3502fea53a9a204c33c7edef949faa4c01e56b42797b2804d877e325
Opcode Fuzzy Hash: 544592ab7251effa554c0990b2f03f08321f7b0f5e6baf8f1fc1d42750b8d711
Instruction Fuzzy Hash: 73517133A082C2AAEB748F1194443A877A8FB55B94F244235DB9D87BDADF3CE590C701

Function 00007FF600AFAA5C Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF600AFAADB
WriteFile.KERNEL32 ref: 00007FF600AFADA3
WriteFile.KERNEL32 ref: 00007FF600AFADE9
GetLastError.KERNEL32 ref: 00007FF600AFAE9F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: b0a5a2f5e03aa4de9bb2610dcdd396f5b9cdbd820afb8483674e8d26cbad73da
Instruction ID: d071b3207b1458a2cd6170a0501ee1f9b1f9811bd18744fd7513edbaf988adfa
Opcode Fuzzy Hash: b0a5a2f5e03aa4de9bb2610dcdd396f5b9cdbd820afb8483674e8d26cbad73da
Instruction Fuzzy Hash: 7BD1CE73B18A819AE711CFA5D4402FC37BAFB54798B248236CE5D97B9ADE38D456C300

Function 00007FF600AD59A0 Relevance: 6.3, APIs: 4, Instructions: 260COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD5B15
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600AD5B1B

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 8fee3de5b3b2f0071dc3db66fd2bdfdcb24e79f59a02b604d58c203983c7a5df
Instruction ID: d69612731c8dbd17952db8fea987029d55afab17784a3ab096d5c3b28028f6ed
Opcode Fuzzy Hash: 8fee3de5b3b2f0071dc3db66fd2bdfdcb24e79f59a02b604d58c203983c7a5df
Instruction Fuzzy Hash: 0E919163B05A8265EE14DB66D4482BD7361BB08BE0F648632DF6E87BDADF7CD0518300

Function 00007FF600AD7610 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD79B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD79BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD79C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD79C8

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 12821617f7a64de7d3cb37ac5f3ef33577a0d69585e7a9a316e27e8c0fa45f34
Instruction ID: ea9acbea3fa4aafdaa7aa17250ca1c8db4bb6a8c7168f62d459f11ea52cdf70a
Opcode Fuzzy Hash: 12821617f7a64de7d3cb37ac5f3ef33577a0d69585e7a9a316e27e8c0fa45f34
Instruction Fuzzy Hash: D7B16F63F18B5595EB048BA4D4447AC3372FB08798F605236DE6D67B9EEF78A481C340

Function 00007FF600AFB384 Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF600AFB36F), ref: 00007FF600AFB4A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF600AFB36F), ref: 00007FF600AFB52B

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: c0b9c452233083e8ba344db7b85cdb6942af15e1945070f1535423c6b6b64ca2
Instruction ID: 29fc4b0f6b6a94170c15db499d8afd6ccee29295d2d8e30803e4f2a6ad4817f0
Opcode Fuzzy Hash: c0b9c452233083e8ba344db7b85cdb6942af15e1945070f1535423c6b6b64ca2
Instruction Fuzzy Hash: 9E91C363A68652A9F750CFA5D4802BD2BB8AB04B88F744139DE0ED7B9ADF3CD445C710

Function 00007FF600AD8830 Relevance: 6.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD8A74
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF600AD8A80
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD8A86
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600AD8AE7

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 62b4c31c7c5400ea0ae5361b2cdd4f0e0c1c2a04a61e177b842a2efb8ef1d907
Instruction ID: f5f0c651f1162ef5976d5ee5c0ecb3842b7a0e1c03122d73724f605919739917
Opcode Fuzzy Hash: 62b4c31c7c5400ea0ae5361b2cdd4f0e0c1c2a04a61e177b842a2efb8ef1d907
Instruction Fuzzy Hash: 7A719D63B14B85A5EA04DB25940836C7361EB89FE0F658632DEAD47BDADE7CE580C300

Function 00007FF600ACF160 Relevance: 6.2, APIs: 4, Instructions: 190processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF600ACF1AD
Process32FirstW.KERNEL32 ref: 00007FF600ACF23F
Process32NextW.KERNEL32 ref: 00007FF600ACF333

Part of subcall function 00007FF600AE8A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE8A66

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF600ACF3FB

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4260596558-0
Opcode ID: 8f25ca90b910a531810e7f5bf128020c3683582cb0693416a2ac57c12dcd4de1
Instruction ID: 30c8581761e48c4295c252581a9771fa79ebab2e945d343da906eedaac5821fc
Opcode Fuzzy Hash: 8f25ca90b910a531810e7f5bf128020c3683582cb0693416a2ac57c12dcd4de1
Instruction Fuzzy Hash: 4E71D463B08682A5EA209B25D4446BD7362FB85BA0F658732DA7E877DEDF3CD540C700

Function 00007FF600AE95E4 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF600AE963B
GetSystemInfo.KERNEL32 ref: 00007FF600AE9654
VirtualAlloc.KERNEL32 ref: 00007FF600AE96C2
VirtualProtect.KERNEL32 ref: 00007FF600AE96DD

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: de052ff2da3a860ebe00b2b1188a3b3a24b5d5626fd4b16e4c5629aca21b164b
Instruction ID: 49f3f093b4cba2bcba4ed1464f60d9d89064e73980a0e69977c7e3f1a65ab476
Opcode Fuzzy Hash: de052ff2da3a860ebe00b2b1188a3b3a24b5d5626fd4b16e4c5629aca21b164b
Instruction Fuzzy Hash: C6312A32714A85AEDB20CF31D8547E933A5FB48788F944136EA4D8BB59DF38E645C700

Function 00007FF600AC4F90 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF600AC4FAC
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC4FC3
LeaveCriticalSection.KERNEL32 ref: 00007FF600AC504B
SetEvent.KERNEL32 ref: 00007FF600AC506B

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 401af7361c6d18c862ea4f071fb6758f38da9ad67756e4e78bac1cd16ae14490
Instruction ID: d19a26356ae7fb1331a2a46868343c85f0bdd19acb7631453c70d630d57d7213
Opcode Fuzzy Hash: 401af7361c6d18c862ea4f071fb6758f38da9ad67756e4e78bac1cd16ae14490
Instruction Fuzzy Hash: 01212B32704B8197D748CF2AE5806ADB3A4FB48B94F544535DB6D83766DF38E4A1C740

Function 00007FF600ADE880 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF600ADE8AC
GetCurrentThreadId.KERNEL32 ref: 00007FF600ADE8BA
GetCurrentProcessId.KERNEL32 ref: 00007FF600ADE8C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF600ADE8D6

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e05f7aef3380f0f9b3312b24ce1aa7c1f593c40dbd43f636e11a9c4c637e2614
Instruction ID: 21ad170883e6e7fe5a0bbd535a664240723c4271b7056684694b4352f91a2376
Opcode Fuzzy Hash: e05f7aef3380f0f9b3312b24ce1aa7c1f593c40dbd43f636e11a9c4c637e2614
Instruction Fuzzy Hash: 10115236B55F059AEB00DFA0E8542B833A4FB59758F540E31DE6D867A8DF7CD1548340

Function 00007FF600AC3FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF600AC4002
Sleep.KERNEL32 ref: 00007FF600AC400D
WaitForSingleObject.KERNEL32 ref: 00007FF600AC4024
WaitForSingleObject.KERNEL32 ref: 00007FF600AC4036

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: 83ddd93f6670c03bec4b7f128343a3e6a6daf1263786cfff0f95db90d503808b
Instruction ID: 6cc7df2e1a735fe94ee275ef41c31313fa6536202546e6e8cd4764e54cc8730a
Opcode Fuzzy Hash: 83ddd93f6670c03bec4b7f128343a3e6a6daf1263786cfff0f95db90d503808b
Instruction Fuzzy Hash: F5F0FE72704A449AD7509F79D8542393365EF89B3AF654330CA2D873E9CF38C485C354

Function 00007FF600AE22A4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF600AE22CE

Strings

csm, xrefs: 00007FF600AE22F3
csm, xrefs: 00007FF600AE2462

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: f15189d2199330c0f402dae8ecdfa2ca81426a1eff024833c44a8ddbe4b12987
Instruction ID: bebdb5f1e8b5052ce902bf395223d7129cdc988a467a7f182c8cf8d70bcb55d6
Opcode Fuzzy Hash: f15189d2199330c0f402dae8ecdfa2ca81426a1eff024833c44a8ddbe4b12987
Instruction Fuzzy Hash: 4B718D73A086C296DB608F2591507797BA4FB04B85F248136DE8D87B8AEF3CD591CB00

Function 00007FF600AE187C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF600AE18DB

Strings

MOC, xrefs: 00007FF600AE18EF
RCC, xrefs: 00007FF600AE18F7

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ff6c3586205ef54b92cc1381aa76c713ce5aef96bda724e5a14e442f6a8185ef
Instruction ID: cedda488fbdd2d426ece623c46078f4337a923b072e7f3274a43a4e8e9e96498
Opcode Fuzzy Hash: ff6c3586205ef54b92cc1381aa76c713ce5aef96bda724e5a14e442f6a8185ef
Instruction Fuzzy Hash: EC61AF33909BC595E7609B15E4407BAB7A0FB85B94F144235EB9D83B9AEF7CE190CB00

Function 00007FF600AF1F64 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF600AE94E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF600AE951B

_get_daylight.LIBCMT ref: 00007FF600AF207C
_get_daylight.LIBCMT ref: 00007FF600AF208D

Strings

?, xrefs: 00007FF600AF200D

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 73dd6a1d9a5ad4992f3991f8c36a8220d63358c9d054768064d2836bf5e58140
Instruction ID: a650964f225e0a4c5ade280e3420e7c0b97ee8c425e87d027e4a263602654c3c
Opcode Fuzzy Hash: 73dd6a1d9a5ad4992f3991f8c36a8220d63358c9d054768064d2836bf5e58140
Instruction Fuzzy Hash: 68410A23A48382A5FB6097A5D4013BA6658EB907A4F244235EF5C86BDFDF3CD441C700

Function 00007FF600AE293C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF600AE29E6
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF600AE2A0F

Strings

csm, xrefs: 00007FF600AE2B0F

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: f28967bb51a8388d528e36e8d1b9cbe39d4a27893e421944e70fc0d8e7df8c72
Instruction ID: 4fc942b3ee9e663d34be5389a5ae5e9e24b2e4d044316299db91f22acf716f9e
Opcode Fuzzy Hash: f28967bb51a8388d528e36e8d1b9cbe39d4a27893e421944e70fc0d8e7df8c72
Instruction Fuzzy Hash: C3513F776187819AD620AF25E14166E77A4FB88B90F241135EF8D87B5BEF3CE491CB00

Function 00007FF600AEC224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF600AEC256

Part of subcall function 00007FF600AEE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE972
Part of subcall function 00007FF600AEE95C: GetLastError.KERNEL32(?,?,?,00007FF600AF6862,?,?,?,00007FF600AF6BDF,?,?,00000000,00007FF600AF7025,?,?,?,00007FF600AF6F57), ref: 00007FF600AEE97C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF600ADE051), ref: 00007FF600AEC274

Strings

C:\Users\user\Desktop\0DrqlQ4JfZ.exe, xrefs: 00007FF600AEC262

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\0DrqlQ4JfZ.exe
API String ID: 3580290477-192714766
Opcode ID: aee35bfe6285ca872dc023e0e85ec8bac6debb86297f70b490d45f268cf6f652
Instruction ID: 66d53f1e342ff3541ffde626bb8e36af9f37376ee54e1b0d1c4dda557ffe4d0d
Opcode Fuzzy Hash: aee35bfe6285ca872dc023e0e85ec8bac6debb86297f70b490d45f268cf6f652
Instruction Fuzzy Hash: 7B419037A08B92A5EB54EF25A4501FDA7A4FF45790F654035EA4E87B8EEF3DE4428300

Function 00007FF600AFB0F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF600AFB20B
GetLastError.KERNEL32 ref: 00007FF600AFB22D

Strings

U, xrefs: 00007FF600AFB1B7

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 82c14a47abd65dfd2f18e3d0d2973b2ccc07122a063a358567b3cbc0c6ba3651
Instruction ID: 50a30e2047cd295bbf1b9da6ac9275d9e7eb4a75240dc7cb14f72c98864775cf
Opcode Fuzzy Hash: 82c14a47abd65dfd2f18e3d0d2973b2ccc07122a063a358567b3cbc0c6ba3651
Instruction Fuzzy Hash: 3E419F23B28A81A5EB208F65E8543BA67A5FB88794F614131EE4EC7799DF3CD401C750

Function 00007FF600AE02F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600AC1111), ref: 00007FF600AE0340
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF600AC1111), ref: 00007FF600AE0381

Strings

csm, xrefs: 00007FF600AE036E

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4e14dd832fb4824443fa8c0aec862097db35212d867c479028c393dfe5930aef
Instruction ID: e8740008868c4fafb06522caba04bdeaff846b24c01fd9de4a6b1fd0c416d1a7
Opcode Fuzzy Hash: 4e14dd832fb4824443fa8c0aec862097db35212d867c479028c393dfe5930aef
Instruction Fuzzy Hash: A1113D33618B8192EB618F25F44426977E5FB88B84F684230EE8C8B769EF7CD551CB00

Function 00007FF600ADA4B0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF600ADA4EE
IsBadReadPtr.KERNEL32 ref: 00007FF600ADA5C3
SetLastError.KERNEL32(?,00000000,00007FF600ADAAC9,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA5E5
SetLastError.KERNEL32(?,00000000,00007FF600ADAAC9,?,?,?,?,?,?,?,?,?,00007FF600ACD242), ref: 00007FF600ADA603

Memory Dump Source

Source File: 00000000.00000002.3974884221.00007FF600AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF600AC0000, based on PE: true

Associated: 00000000.00000002.3974827166.00007FF600AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974924261.00007FF600AFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974951041.00007FF600B15000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974974715.00007FF600B18000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974997931.00007FF600B1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3975025113.00007FF600B20000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff600ac0000_0DrqlQ4JfZ.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 82ac0250d1ecd3177f83757e94cf9be5bc81ee4aab1a059e0fd8dc4cfb57a079
Instruction ID: 7255bfd767804ba9ff5431f6c812553155c9dfad9134c53d0adbb4876c8435b7
Opcode Fuzzy Hash: 82ac0250d1ecd3177f83757e94cf9be5bc81ee4aab1a059e0fd8dc4cfb57a079
Instruction Fuzzy Hash: F0414B63B09B41A6EB108B16E44027973A0FB58B91F194436CF4E87B99DF3CE4A0C311

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0DrqlQ4JfZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\kernelquick.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
0DrqlQ4JfZ.exe

Function 00007FF600AC6370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Function 00007FF600ADB5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429
registrylibrarysleepCOMMON

Function 00007FF600ACF410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Function 00007FF600AC72D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre